Authorization Patents (Class 726/17)
-
Patent number: 12294621
Abstract: Methods, systems, and apparatus are described providing networking engines. Specifically, the present specification relates to a method for implementing software containers implementing network engines that may be configured to act in a zero-knowledge environment. In such implementations, all information pertaining to the network engine associated with a user that is stored in the container is solely that of a user unless explicitly shared by the user. In some implementations, the containers may be configured to participate in a publish-and-subscribe network in order to share information. In addition, the containers may be provisioned with controls so that global operators may comply with local privacy rules.
Type: Grant
Filed: July 25, 2022
Date of Patent: May 6, 2025
Assignee: eIngot LLC
Inventors: William J. Raduchel, Art Spivy
-
Patent number: 12293228
Abstract: A node comprising, a processor executing a first operating system, a peripheral port connected to a peripheral device, a system control processor executing a second operating system, where the system control processor is configured to perform a method for metering usage of the peripheral device by the first operating system, the method that includes obtaining utilization data from a peripheral device, and sending the utilization data to a remote authentication server, where the first operating system cannot access the system control processor.
Type: Grant
Filed: October 4, 2022
Date of Patent: May 6, 2025
Assignee: Dell Products L.P.
Inventors: Elie Antoun Jreij, Austin Patrick Bolen
-
Patent number: 12293342
Abstract: Computer implemented systems and methods are provided for an automatic teller machine. In some embodiments, an automatic teller machine may comprise a touch-sensitive display, one or more memory devices storing instructions, and one or more processors. The one or more processors may be configured to receive authentication data associated with a user, retrieve user profile information based on the authentication data, determine user interface attributes based on the user profile information; and generate an automatic teller machine interface based on the user profile information.
Type: Grant
Filed: July 27, 2022
Date of Patent: May 6, 2025
Assignee: Capital One Services, LLC
Inventor: David Wurmfeld
-
Patent number: 12287894
Abstract: In some examples, a computing device may determine a replication criteria for replication of user information and/or resource information between a first computing site and a second computing site. The computing device may perform the replication between the first computing site and the second computing site based on the replication criteria. Further, the computing device may determine at least one of a user correspondence or a resource correspondence between the first computing site and the second computing site based on performing the replication. The computing device may replicate permission information between the first computing site and the second computing site based at least on the user correspondence and/or the resource correspondence.
Type: Grant
Filed: September 12, 2022
Date of Patent: April 29, 2025
Assignee: HITACHI VANTARA, LTD.
Inventor: Pablo Martinez Lerin
-
Patent number: 12267441
Abstract: Systems, devices, and methods for managing operation of data processing systems are disclosed. To manage operation of the data processing systems, onboarding processes may be performed to conform the operation of the data processing systems to meet the expectations of owners of the data processing systems. During onboarding, keys usable to verify subsequently issued commands may be obtained by the data processing systems. The data processing systems may perform verification processes for issued commands that rely on a root of trust established with the keys rather than identities of entities that may issue the commands for command verification.
Type: Grant
Filed: October 14, 2022
Date of Patent: April 1, 2025
Assignee: Dell Products L.P.
Inventors: Bradley K. Goodman, Kirk Alan Hutchinson, Joseph Caisse
-
Patent number: 12267320
Abstract: In some implementations, a system may receive interaction request data indicating a request by a first user to perform a requested interaction via a user account, wherein the first user is associated with the user account. The interaction request data may indicate a first user identifier and first user biometric authentication data associated with the first user. The system may identify a second user identifier associated with a second user associated with the user account. If the system determines that an authorization condition is satisfied, the system may transmit, to a second user device associated with the second user, a second user authentication. The system may receive, from the second user device, second user biometric authentication data associated with the second user. The system may authorize the requested interaction based on receiving the second user biometric authentication data within a time threshold after a request time associated with the request.
Type: Grant
Filed: April 22, 2022
Date of Patent: April 1, 2025
Assignee: Capital One Services, LLC
Inventor: Son Mays
-
Patent number: 12255899
Abstract: Privileged access is managed by receiving a request for privileged access to a device connected to a network, determining a risk level associated with the request based on a duration of the privileged access, a device identifier, a first user identifier, and a requested privilege level included in the request, identifying a second user to control authorization of the device based on the risk level, and scheduling, in response to receiving authorization from the second user, a process to modify an entry in a permissions database to associate the first user identifier and the device identifier with the requested privilege level for the duration.
Type: Grant
Filed: March 17, 2022
Date of Patent: March 18, 2025
Assignee: RAKUTEN SYMPHONY, INC.
Inventors: Rajneesh Kumar, Remi Ferreres
-
Patent number: 12249247
Abstract: The present application describes a technique for enhancing an electronic version of a maintenance manual or procedure with an interactive workflow, and presenting the enhanced electronic document using mobile computing devices that can be operated easily hands-free. The workflow primarily consists of a set of interactive checklist items that a maintenance specialist can mark complete via a spoken command. The enhanced electronic documents are additionally associated with supplemental multimedia content, presented contextually based on the currently selected and active checklist item. Furthermore, the document viewing application provides for integrated reporting functionality, enabling a maintenance specialist to capture relevant information during the maintenance procedure, for subsequent use in generating and submitting a report either electronically or via hard copy.
Type: Grant
Filed: September 20, 2021
Date of Patent: March 11, 2025
Assignee: KLATT WORKS, INC.
Inventors: Nathan D. Klatt, John David Slack, Divya Prasannan, Vinod Krishnankutty, Edward F. Riehle
-
Patent number: 12250058
Abstract: In a method of group creation for a pair of an unmanned aerial vehicle (UAV) and an unmanned aerial vehicle-controller (UAV-C) in a service enabler architecture layer (SEAL) architecture, the pair of UAV and UAV-C is determined by an unmanned aerial system application enabler (UAE) server in the SEAL architecture. A group creation request for the pair of UAV and UAV-C is transmitted by the UAE server to a SEAL group management (GM) server of the SEAL architecture. A first response message is received by the UAE server from the SEAL GM server for the group creation request. A group including the pair of the UAV and the UAV-C is created for quality-of-service (QoS) management. The group creation request includes an identity of an UAE client corresponding to the pair of UAV and UAV-C, an identity of the UAV, and an identity of the UAV-C.
Type: Grant
Filed: May 17, 2022
Date of Patent: March 11, 2025
Assignee: Tencent America LLC
Inventors: Shuai Zhao, Stephan Wenger, Shan Liu
-
Patent number: 12244624
Abstract: Aspects of the disclosure relate to malware detection at endpoint devices. A computing platform may send rule information to a browser extension including a set of rules defining reportable behavior of network traffic associated with a website. Subsequently, the computing platform may receive report information including an identification of a loaded web page associated with the website that exhibits the reportable behavior defined by at least one rule of the set of rules and an indication of which rules of the set of rules have been met. Based on receiving the report information, the computing platform may assign a risk score for the identified loaded web page. Thereafter, the computing platform may determine that the risk score is above a predetermined threshold, and in response, the computing platform may send commands to the browser extension directing the browser extension to close the identified loaded web page.
Type: Grant
Filed: October 16, 2023
Date of Patent: March 4, 2025
Assignee: Bank of America Corporation
Inventor: Ricardo Varanda
-
Patent number: 12242754
Abstract: A data storage device comprising a non-volatile storage medium configured to store user data, a data port configured to receive and transmit data between a host computer system and the data storage device, and a controller. The controller is configured to receive, via the data port, a write command comprising a read restriction indication, receive, via the data port, data and write the data to an address of the non-volatile storage medium. The controller is further configured to determine an occurrence of a read restriction event, and in response to the occurrence of the read restriction event and in response to the read restriction indication, erase the data from the address of the non-volatile storage medium.
Type: Grant
Filed: June 29, 2022
Date of Patent: March 4, 2025
Assignee: Sandisk Technologies, Inc.
Inventors: Eyal Hamo, Sagi Taragan, Alexander Lemberg
-
Patent number: 12242738
Abstract: A card reader and a controller thereof, and a method are provided. The card reader includes a storage device and the controller, wherein the controller is coupled to the storage device. The storage device is configured to store specific identification data of a specific memory device. The controller is configured to receive identification data of the external memory device plugged into the card reader, and determine whether the external memory device is the specific memory device according to the identification data and the specific identification data, to generate a determination result. More particularly, the controller may control whether to open permission of at least one function according to the determination result.
Type: Grant
Filed: April 27, 2023
Date of Patent: March 4, 2025
Assignee: Realtek Semiconductor Corp.
Inventors: Jiunn-Hung Shiau, Neng-Hsien Lin
-
Patent number: 12236259
Abstract: The subject technology performs a transaction locally at a computing node. The subject technology determines that the transaction has been completed. The subject technology determines a set of immutable attributes from the completed transaction. The subject technology generates an aggregate identifier based on the set of immutable attributes. The subject technology publishes the generated aggregate ID. The subject technology stores the published aggregate ID to an external storage location.
Type: Grant
Filed: November 9, 2021
Date of Patent: February 25, 2025
Assignee: STRIPE, INC.
Inventors: Xin Li, Ben Xiang, Stephen Chen
-
Patent number: 12223097
Abstract: A voucher management system receives, from a computing device manufacturer system, an ownership voucher that transfers ownership of a computing device from the computing device manufacturer system to the voucher management system, and a hardware attestation certificate for the computing device, and associates them with the computing device in a voucher management database. When the voucher management system determines that the ownership of the computing device should be transferred to an end user system, it automatically generates second ownership transfer data by signing an end user system public key with a voucher management system private key, provides the second ownership transfer data in the ownership voucher in order to transfer ownership of the computing device from the voucher management system to the end user system, and provides the ownership voucher and the hardware attestation certificate to the end user system.
Type: Grant
Filed: April 11, 2022
Date of Patent: February 11, 2025
Assignee: Dell Products L.P.
Inventors: Anurag Sharma, Daniel E. Cummins, Jason Matthew Young, Muzhar S. Khokhar
-
Patent number: 12210609
Abstract: A system on a chip including a first-port controller for a first development port configured to receive a first development tool and a second-port controller for a second development port configured to receive a second development tool. The system on a chip further including a central controller in communication with the first-port controller, the second-port controller, and a security subsystem. The central controller being configured to manage authentication exchanges between the security subsystem and the first development tool and authentication exchanges between the security subsystem and the second development tool.
Type: Grant
Filed: October 29, 2021
Date of Patent: January 28, 2025
Assignees: STMicroelectronics Application GMBH, STMicroelectronics International N.V.
Inventors: Avneep Kumar Goyal, Thomas Szurmant
-
Patent number: 12190129
Abstract: A system and method for implementing a plugin control mechanism. A disclosed method includes: launching an application; injecting additional functionality into the application; and utilizing the additional functionality to: detect a file processing call; evaluate the file processing call against a set of rules to determine whether the file processing call involves execution of an extension file; and call an operating system (OS) application control function in response to determining the file processing call involves execution of the extension file, wherein the OS application control function is configured to conditionally prevent execution of the extension file.
Type: Grant
Filed: January 4, 2022
Date of Patent: January 7, 2025
Assignee: Citrix Systems, Inc.
Inventor: Andrew Kisliakov
-
Patent number: 12184666
Abstract: Malicious homoglyphic domain name (MHDN) detection and associated cyber security applications are described. A domain name may be received that may be a potential MHDN. Homoglyphic domain name detection may be performed by, for example, generating a normalized character string corresponding to the input domain name by applying one or more normalization operations to the input domain name, wherein the one or more normalization operations may be configured to reduce homoglyphic characteristics in the input domain name; and generating a plurality of segmentations of the normalized character string, wherein generating each segmentation, of the plurality of segmentations, may comprise segmenting the normalized character string into a respective plurality of segments, and wherein each segmentation may comprise a different plurality of segments. A segmentation may be selected based on cost values corresponding to each respective segmentation determined using a cost function.
Type: Grant
Filed: February 13, 2024
Date of Patent: December 31, 2024
Assignee: Centripetal Networks, LLC
Inventors: Vincent Mutolo, Alexander Chinchilli, Sean Moore, Matthew Sparrow, Connor Tess
-
Patent number: 12174938
Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The agent can determine whether to permit the intercepted request by validating the relationship using a policy with rules as well as determining a trusted owner is among the set of identified owners. The agent can permit the intercepted request if the determination is to permit the intercepted request.
Type: Grant
Filed: September 15, 2023
Date of Patent: December 24, 2024
Assignee: Avecto Limited
Inventors: John Goodridge, Thomas Couser, James William Maude
-
Patent number: 12169621
Abstract: Systems, devices, media, and methods are presented for dynamic presentation and management of messages within a graphical user interface by presenting content icons, monitoring consumption status of the presented content represented by the content icons, transferring a content item from a first set of content to a second set of content, and causing presentation of the content item as part of the second set of content.
Type: Grant
Filed: February 6, 2023
Date of Patent: December 17, 2024
Assignee: Snap Inc.
Inventors: Nicholas Richard Allen, Newar Husam Al Majid
-
Patent number: 12169566
Abstract: An untrusted orchestrator function subsystem inventory and verification system includes an untrusted orchestrator device, an operating system, a BIOS, and a management device. In response to presentation by the untrusted orchestrator device of a function subsystem to the operating system during runtime, the operating system generates a function subsystem detection alert that identifies the function subsystem. In response to the function subsystem detection alert, the BIOS generates and transmits a BIOS inventory update. The management device receives the BIOS inventory update, and determines whether the operating system is authorized to use the function subsystem at least in part based on the BIOS inventory update. If so, the management device allows the operating system to utilize the function subsystem while, if not, the management device prevents the operating system from utilizing the function subsystem.
Type: Grant
Filed: June 6, 2022
Date of Patent: December 17, 2024
Assignee: Dell Products L.P.
Inventors: Srinivas Giri Raju Gowda, Syama Poluri
-
Patent number: 12166765
Abstract: A role-based access control method and system provide for receiving a request to provide an access to a resource, identifying a plurality of permissions associated with the request, authorizing the request including determining the plurality of permissions are granted for the identity, generating a serialized token to represent the plurality of permissions, and passing the serialized token to the first service to perform the providing of the access to the resource.
Type: Grant
Filed: April 27, 2022
Date of Patent: December 10, 2024
Assignee: Twilio Inc.
Inventors: Alexandre Payment, Liran Nuna, Vivek K. Laddha
-
Patent number: 12166768
Abstract: Systems and methods for providing collaboration rooms with dynamic tenancy and role-based security are disclosed herein. An example method includes establishing a digital collaboration room for an entity, generating a token for a first user, receiving a request to perform an action on a portion of the data, performing a hierarchical permissions analysis to determine if the first user has permission to perform the action and access the portion of the data and determine if the user currently has permission to enter the digital collaboration room. The method includes retrieving the portion of the data from the database for the digital collaboration room and allowing the first user to perform the action when the user currently has permission to enter the digital collaboration room and the user has permission to perform the action and access the portion of the data.
Type: Grant
Filed: September 7, 2022
Date of Patent: December 10, 2024
Assignee: Cygnvs Inc.
Inventors: Ana Vallejo Ureña, Sai Avala, Kevin Gaffney
-
Patent number: 12166872
Abstract: Aspects of the present disclosure include a tokenless, network-attached, multi-factor authentication software based electronic access control logon system and methods of use thereof, and may provide equivalent in security to a Public Key Infrastructure smart card system. The logon system may allow tokenless, but authorized, entities to access secure systems, with the secure logon system not requiring placement of individual or organization identifying information on a physical object that may be removed from a restricted location. Aspects of the present disclosure may include maintaining user credentials within individually encrypted credential bins within a Credential Hardware Security Module (HSM) that is securely accessible by authorized endpoints in a distributed network.
Type: Grant
Filed: October 9, 2020
Date of Patent: December 10, 2024
Assignee: THALES DEFENSE & SECURITY, INC.
Inventors: Greg Kubovcik, Lloyd Mitchell, Bill Becker
-
Patent number: 12159145
Abstract: Context driven user interfaces for storage systems including receiving, from a user account, a request to access a system interface for a system; identifying at least one critical system characteristic that describes a current aspect of the system; reconfiguring the system interface based on the at least one critical system characteristic; and presenting the reconfigured system interface to a user of the user account.
Type: Grant
Filed: October 18, 2021
Date of Patent: December 3, 2024
Assignee: PURE STORAGE, INC.
Inventors: Prakash Darji, Steven Ma, Jonas Irwin
-
Patent number: 12159043
Abstract: In embodiments, a system includes a first and a second processing unit, a memory, and a firewall device. The first processing unit operates in a secure mode and generates memory access requests having a secure level. The second processing unit operates in a non-secure mode and generates memory access requests having a non-secure level. The memory includes a first memory area that can be shared between the first and second processing units. The firewall device includes a first firewall circuit with a first configuration authorizing access to the first memory area in the presence of a secure or non-secure level access request. The firewall circuit includes a second configuration prohibiting access to the first memory area in the presence of a secure level access request and authorizing access to the first memory area only in the presence of a non-secure level access request.
Type: Grant
Filed: November 17, 2022
Date of Patent: December 3, 2024
Assignee: STMicroelectronics (Grand Ouest) SAS
Inventors: Loic Pallardy, Michel Jaouen
-
Patent number: 12156361
Abstract: A modular interface system having a modular SPE-based bus system with an SPE-based twin-core line and a plurality of SPE-based connectors, wherein a plurality of modules, each of which has an SPE-based connector, can be electrically and mechanically coupled to the SPE-based bus system by means of the SPE-based connectors.
Type: Grant
Filed: October 8, 2020
Date of Patent: November 26, 2024
Assignee: Phoenix Contact GmbH & Co. KG
Inventor: Gunnar Lessmann
-
Patent number: 12135657
Abstract: A system on chip (SoC) is designed to include a protective moat allowing the external interfaces of the SoC to act as security enforcers. Data is prevented from being delivered to non-trusted devices. Data may leave only to friendly devices that are able to protect the data at its respective security class. Code is prevented from accessing data or jumping to addresses which the code is not authorized to process or jump to. According to an embodiment, both data and code are stored encrypted in corresponding classes, each class having a different encryption key. An n-by-n matrix defines the way security classes may mix, specifically when two different security classes are used. This provides for securing data-data, code-code and data-code interactions. During configuration, processor context switching and secure communication, a trusted execution environment (TEE) is used. The classification rules matrix is programmable under the TEE.
Type: Grant
Filed: December 28, 2021
Date of Patent: November 5, 2024
Inventor: Lempel Mordkhai
-
Patent number: 12132611
Abstract: Systems and methods described herein provide for novel configuration features for setting up a user device automatically to connect to a network and register the user device to a user account. A mapping of user devices to cryptographic keys for the user devices may be maintained by a computer system. The computer system may receive information that specifies network information and user account information for a particular user device. A mapping of the network information and user account information to the particular user device may be generated. A machine-readable code that includes the network information for connecting the particular user device to the network and a token that includes credentials for the user account information may be generated and transmitted to an assistant configuration device.
Type: Grant
Filed: September 29, 2022
Date of Patent: October 29, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Quentin N Robinson, Mark Gilbert, Joseph Kramer, Zachary Douglas Bears, Gregory Christopher John Vandenbrouck
-
Patent number: 12124602
Abstract: Embodiments of the present disclosure provide systems and methods for using secure schemas to address inconsistencies between standard RBAC rules and the use of inherited grants. A secure schema may be defined that transfers ownership of an object created in the secure schema to a role that owns the secure schema. An inherited grant may be attached to the secure schema, where the inherited grant specifies a permission on a first type of object in the secure schema and a grant of the permission to the role that owns the secure schema. When objects are created in the secure schema, ownership of each of the set of objects is transferred to the role that owns the secure schema to authorize the role that owns the secure schema to manage grants to the set of objects on the secure schema.
Type: Grant
Filed: July 31, 2023
Date of Patent: October 22, 2024
Assignee: Snowflake Inc.
Inventors: Vikas Jain, Eric Karlson, Sepideh Khoshnood
-
Patent number: 12113820
Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.
Type: Grant
Filed: May 24, 2023
Date of Patent: October 8, 2024
Assignee: PROOFPOINT TECHNOLOGIES, INC.
Inventors: Gaurav Mitesh Dalal, Hung-Jen Chang, Ali Mesdaq
-
Patent number: 12105726
Abstract: Systems and methods are provided for processing requests to perform a stored procedure. A document chart is created having a unique identifier that corresponds to the stored procedure name. The document chart, being specific to the stored procedure, is populated with records that are associated with potential calls of the stored procedure. Each record comprises a key parameter and an output value, wherein the key parameter corresponds to a key that is generated based on the input parameters associated with the stored procedure call. The output value is communicated to the requesting client device without having to call the stored procedure on the targeted server.
Type: Grant
Filed: April 11, 2022
Date of Patent: October 1, 2024
Assignee: United Parcel Service of America, Inc.
Inventor: Waleed Ahmed
-
Patent number: 12093364
Abstract: Systems and methods are provided for operation of a media device in an obfuscated entry mode. A method for entry of personal information on a media device may include receiving a request from an external device to enter personal information. An interface screen is generated, including a first section including a plurality of characters, and a second section including directional buttons and a select button. Manipulation of the directional buttons and/or the select button causes selection of characters from the first section of the interface screen to be entered into the personal information entry field displayed by the media device in an obfuscated manner.
Type: Grant
Filed: October 10, 2023
Date of Patent: September 17, 2024
Assignee: Google LLC
Inventors: Jiyoung Ko, Austin Quaid Walker, Saleh Altayyar, Sourav Basu
-
Patent number: 12069768
Abstract: Embodiments of this disclosure provide a terminal capability identifier operation method and a communications device. The operation method includes: performing a first operation related to terminal capability identifier, where the first operation related to terminal capability identifier includes at least one of the following: deleting or suspending a terminal capability identifier; changing a first-type terminal capability identifier in a terminal context to a second-type terminal capability identifier; or transmitting operation information of terminal capability identifier.
Type: Grant
Filed: August 3, 2021
Date of Patent: August 20, 2024
Assignee: VIVO MOBILE COMMUNICATION CO., LTD.
Inventor: Xiaowan Ke
-
Patent number: 12050904
Abstract: Systems and methods are described that use software diversification techniques to improve the security of mobile applications. Embodiments of the disclosed systems and methods may, among other things, facilitate secure application distribution through deployment of diverse applications in an application distribution channel. Software diversification consistent with certain disclosed embodiments may mitigate large-scale automated circumvention of security protections by presenting attacking malware moving and/or otherwise unpredictable diverse targets.
Type: Grant
Filed: July 23, 2021
Date of Patent: July 30, 2024
Assignee: Intertrust Technologies Corporation
Inventors: Stephen G. Mitchell, Gilles Boccon-Gibod
-
Patent number: 12052356
Abstract: Disclosed are data storage and verification methods and a device executable in a trusted execution environment. The data storage method comprises: encrypting, using a first key, user data and version information of the user data to generate first ciphertext, and storing the first ciphertext into a general storage space (S310); generating verification information of the user data (S320); and storing the version information and the verification information into a secure storage space (S330). The present disclosure effectively prevents version rollback of user data.
Type: Grant
Filed: September 21, 2021
Date of Patent: July 30, 2024
Assignee: Alibaba Group Holding Limited
Inventor: Caidi Wu
-
Patent number: 12045175
Abstract: A system includes a processing unit, a memory configured to store at least one first group of instructions and one second group of instructions for execution by the processing unit, the processing unit being configured to sequentially extract from the memory instructions of the first group and instructions of the second group for their execution. The system also includes a controller including a first auxiliary memory configured to store a protection criterion, a comparator configured to compare the storage address of each extracted instruction with the protection criterion, and a control circuit configured to, in response to the storage address meeting the protection criterion, trigger a protection mechanism including at least one prohibition for the processing unit to execute again at least one portion of the instructions of the first group, during the execution of the instructions of the second group.
Type: Grant
Filed: December 3, 2021
Date of Patent: July 23, 2024
Assignee: STMicroelectronics (Grand Ouest) SAS
Inventor: Frederic Ruelle
-
Patent number: 12038818
Abstract: A storage device configured for hardware verification is disclosed. The storage device comprises a first hardware component comprising a connector and a first verification logic. The first validation logic is configured to detect a criterion and generate a first signal via the connector in response to detecting the criterion. The storage device also comprises a second hardware component coupled to the first hardware component via the connector. The second hardware component comprises a second validation logic, where the second validation logic is configured to monitor and receive the first signal via the connector. In response to receiving the first signal, the second validation logic is configured to compare the received first signal to an expected signal and generate a result. The storage device is configured to take an action in response to the result.
Type: Grant
Filed: January 30, 2023
Date of Patent: July 16, 2024
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sompong Paul Olarig, Xuebin Yao
-
Patent number: 12039058
Abstract: Methods and systems for performing a computational operation on a server host using a secure enclave are provided. Exemplary methods include: receiving an encrypted service request from a client host, the client host encrypting a service request to produce the encrypted service request using a shared secret, the service request specifying the computational operation; decrypting, in a secure enclave that is established by a secure environment, the encrypted service request using the shared secret to produce a decrypted service request; performing the computational operation, in the secure enclave, using the decrypted service request to generate a service result; encrypting, in the secure enclave, the service result using the shared secret to create an encrypted service result; and providing the encrypted service result to the client host, the client host decrypting the encrypted service result using the shared secret.
Type: Grant
Filed: April 11, 2023
Date of Patent: July 16, 2024
Assignee: Enveil, Inc.
Inventors: Ellison Anne Williams, Ryan Carr
-
Patent number: 12021988
Abstract: Ad-hoc network comprising a configurator device and a plurality of nodes, wherein each node is an electronic device, wherein each node is connected by a communication connection with at least one of the other nodes and/or with the configurator device, wherein each node can be in different states comprising at least a non-commissioned state (NC), a commissioned state and a trust ring member state (TR) wherein a first node of the plurality of nodes being in the non-commissioned state (NC) is configured to send a non-commissioned advertisement message to the configurator device comprising an identifier of the first node, wherein the configurator device is configured to send an automated commissioning initialization (ACI) message to the first node containing a token, wherein the token is encrypted by a symmetric network key, wherein the first node is configured to send out a commissioning request message containing the received encrypted token, wherein the first node is configured to change its state, when it re
Type: Grant
Filed: November 9, 2018
Date of Patent: June 25, 2024
Assignee: ELECTRIC SOCIETY SA
Inventors: Peter Krcmaricic-Barackov, Bogdan Ilicin, Karim Idalene, David Llobet-Calaf, Nikola Raskovic
-
Patent number: 12021873
Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to a given piece of data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically builds a complete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.
Type: Grant
Filed: September 28, 2021
Date of Patent: June 25, 2024
Assignee: Sonrai Security Inc.
Inventors: Ben A. Wuest, Willam A. Bird, Brad J. Peters, Dasharath P. Chavda, Gregory A. Davis
-
Patent number: 12010513
Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.
Type: Grant
Filed: May 28, 2020
Date of Patent: June 11, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Michael Hanley, Jon Oberheide
-
Patent number: 12010248
Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.
Type: Grant
Filed: June 30, 2023
Date of Patent: June 11, 2024
Assignee: STRIPE, INC.
Inventors: Carl Jackson, Bryan Berg, David Terrence Bartley, Evan Broder
-
Patent number: 12001539
Abstract: Some embodiments of the present disclosure relate to a system that may include a replaceable module and a user device. The replaceable module may include an element and a one-wire authentication element in parallel with the element. The user device may be configured for operable coupling with the replaceable module. The user device may include a power source configured to provide power to the element, an authentication unit configured to perform a verification process for verifying authenticity of the replaceable module, and a signal conditioning unit arranged in a communication path between the one-wire authentication element and the authentication unit.
Type: Grant
Filed: July 19, 2022
Date of Patent: June 4, 2024
Assignee: Microchip Technology Incorporated
Inventors: Daniel J. Russell, Albert S. Weiner, Suraj Sridhar
-
Patent number: 11997217
Abstract: Methods, systems, and devices for virtualized authentication device are described. A virtual device (such as a virtual machine) may be permitted to access secured data within a memory device by an authentication process. The memory device may generate cryptographic keys in portions of the memory device and assign the cryptographic keys to the virtual machines. The virtual machine may use an authentication process using the cryptographic keys to access the secure data in the memory device. The authentication process may include authenticating the identity of the virtual machine and the code operating on the virtual machine based upon comparing cryptographic keys received from the virtual machines to the assigned cryptographic keys in the partitions of the memory device. Once both the identity of the virtual machine is authenticated, the virtual machine may be permitted to access the secure data in the memory device.
Type: Grant
Filed: July 26, 2022
Date of Patent: May 28, 2024
Assignee: Micron Technology, Inc.
Inventor: Zoltan Szubbocsev
-
Patent number: 11989579
Abstract: The present disclosure enables proxied device ownership for a secondary processing system by providing a chassis housing a plurality of devices, a secondary processing system, and a central processing system that includes an integrated switch device that is coupled to each of the plurality of devices and the secondary processing system. The central processing system enters a Basic Input/Output System (BIOS) mode in which the central processing system provides a BIOS that is configured to execute instructions and, using the BIOS, receives a transaction that was generated by the secondary processing system and that is directed to a first device that is included in the plurality of devices, and executes the transaction on the first device.
Type: Grant
Filed: October 4, 2021
Date of Patent: May 21, 2024
Assignee: Dell Products L.P.
Inventors: Andrew Butcher, Shawn Joel Dube
-
Patent number: 11983273
Abstract: A trusted orchestrator function subsystem inventory and verification system includes an OS, a BIOS, a management device, and a trusted orchestrator device. In response to presentation of a function subsystem to the OS during runtime, the OS generates a function subsystem detection alert that identifies the function subsystem. In response to the function subsystem detection alert, the BIOS generates and provides a BIOS inventory update that identifies the function subsystem. The management device receives the BIOS inventory update and, in response, forwards the BIOS inventory update. The trusted orchestrator device receives the BIOS inventory update and, in response, determines whether the function subsystem identified in the BIOS inventory update is included in a trusted function subsystem inventory.
Type: Grant
Filed: May 31, 2022
Date of Patent: May 14, 2024
Assignee: Dell Products L.P.
Inventors: Srinivas Giri Raju Gowda, Syama Poluri, Gaurav Chawla
-
Patent number: 11985131
Abstract: Case management systems and techniques are disclosed. In various embodiments, a definition is received that associates a descendant case role alias with a first case node at a first hierarchical level of a hierarchical data model, the definition further associating a permission with the descendant case role alias and referencing a referenced case role associated with a second case node at a second hierarchical level of the hierarchical data model. The definition is used to extend the permission to a user assigned to the referenced case role with respect to a case instance comprising the hierarchical data model.
Type: Grant
Filed: September 1, 2020
Date of Patent: May 14, 2024
Assignee: Open Text Corporation
Inventors: Satyapal P. Reddy, Muthukumarappa Jayakumar, Julian M. Hjortshoj, Ravikumar Meenakshisundaram
-
Patent number: 11977619
Abstract: An embodiment discloses a method for controlling a vehicle virtualization structure-based device including the steps of receiving a request for use of a device from at least one container among a plurality of containers; and determining the use of the device according to a type of the device and a type of the container that transmits the request for use.
Type: Grant
Filed: November 19, 2021
Date of Patent: May 7, 2024
Assignee: DRIMAES, INC.
Inventors: Yong Kyung Kim, Woo Jin Han, Yevgeny Hong, Hyun Duk Choi
-
Patent number: 11961350
Abstract: In accordance with one or more embodiments, authorization and/or authentication protects against unauthorized use of devices and/or features. Devices managing authorization and/or authentication may be connected to communications services, such as the internet or a social network. A user using the communication services may configure a system to authenticate and/or authorize a future action. An authorizer may authorize and/or authenticate by responding via one or more devices and/or social networks to allow an individual to perform an action on a device, as a way of controlling what actions can be taken and who they can be taken by.
Type: Grant
Filed: November 12, 2021
Date of Patent: April 16, 2024
Assignee: Comcast Cable Communications, LLC
Inventors: Kathy Patterson, David Beaumont, Sergey Matochkin, Nicholas Beenham
-
Patent number: 11962616
Abstract: A method and associated circuits protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit. In the method, each message received with the NFC router is parsed to retrieve a communication pipe identifier and an instruction code. The communication pipe identifier and the instruction code are compared to corresponding information in a filter table. Instruction codes of particular messages that attempt to modify a communication pipe by reassigning one end of the communication pipe from the port of the NFC router to a different circuit are acted upon. These messages are blocked from reaching the secure data circuit when the instruction code is not authorized in the filter table, and these messages are permitted when the instruction code is authorized in the filter table.
Type: Grant
Filed: January 11, 2021
Date of Patent: April 16, 2024
Assignees: PROTON WORLD INTERNATIONAL N.V., STMICROELECTRONICS (ROUSSET) SAS
Inventors: Olivier Van Nieuwenhuyze, Thierry Huque, Alexandre Charles