Abstract: Systems and methods are provided for a computer-implemented method of implementing an on-demand computing network environment. A network specification is received from a user. Resources from one or more resource providers are provisioned. The on-demand computing network is configured, where configuring comprises assigning a first provisioned resource as an interior device and assigning one or more second provisioned resources as rim devices.

Abstract: Embodiments of the present disclosure leverage near field communication (NFC) technology to provide dynamic and interactive monitoring of an environment. NFC devices may be used to check items in and out of a storage facility, obtain readings from instruments or other machinery present in the environment (e.g., to perform tests on the items, etc.), track movement of users and items within the environment, and to prompt users with information about the environment, such as information about the instruments or machinery currency being used to perform operations with respect to one or more items checked out to the user. Additionally, the NFC device may be used to configure the instruments with appropriate settings for the particular item(s) for which the instrument is currently being used or for other purposes.

Abstract: Secure user authentication is provided by leveraging the use of quantum keys, steganography and random user keys/passcodes. Random user passcodes limit both the entity's control over the user and potential exposure of the passcode to wrongdoers. From a security standpoint, use of quantum keys and quantum communication channels heightens security during transmission of keys, such that if a wrongdoer would attempt to hack the transmission, the quantum sequence would break, which would not only prevent the hack but also result in remedial actions, such as preventing the authentication-requiring event, providing alerts and the like. Further, use of steganography also heightens security by preventing exposure to the keys during transmission and/or while the authentication process is occurring on the display of the user's mobile device.

Abstract: Methods, systems, and devices for memory write access control are described. In some examples, memory systems may include storage that is access-protected (e.g., write access protected). To enable access to the protected storage, a server node may communicate a command to the memory system that is signed with a private key that is inaccessible to the memory system. They memory system may verify the command using a public key and may enable access to the protected storage. Access commands associated with the protected storage may be processed until access to the protected storage is disabled.

Abstract: The system provides a voice command recommendation to a user to avoid a non-voice command. The system determines a command that is expected to be received, and generates a voice command recommendation that corresponds to the predicted command. The predicted command can be based on the user's behavior, a plurality of users' behavior, environmental circumstances such as a phone call ring, or a combination thereof. The system may access one or more databases to determine the predicted command. The voice command recommendation may include a displayed notification that describes the recommended voice command, and exemplary voice inputs that are recognized. The system also activates an audio interface, such as a microphone, that is configured to receive a voice input. If the system receives a recognizable voice input at the audio interface that corresponds to the recommendation, the system performs the predicted command in response to receiving the voice input.

Abstract: A system for identifying trusted machines for Machine-to-Machine (M2M) validation receives a query message from a first trusted computing device, requesting whether an unrecognized computing device is in a list of trusted devices associated with a second trusted computing device. The system determines whether the unrecognized computing device is in the list of trusted devices by determining whether an identification associated with the unrecognized computing device is among the list of trusted devices. In response to determining that the unrecognized computing device is in the list of trusted devices, the system sends a response message to the first trusted computing device, indicating that the unrecognized computing device is in the list of trusted devices.

Abstract: The present disclosure relates to methods for “cookieless” tracking across a wide range of websites and mobile applications. The methods do not involve the use of cookies or code on individual webs pages, and associated web or other servers and may be achieved through use of a single URL for tracking a user across multiple websites. Methods of enhanced tracking of user activity without requiring tracking pixels are also described herein.

Abstract: A method of modifying encryption of a storage system includes: receiving an instruction to rekey data on a storage system, wherein the instruction identifies first encryption information and second encryption information; determining that the instruction is authorized; decrypting, by a processing device of a storage system controller, the data using a current key included in the first encryption information to generate decrypted data; and encrypting, by the processing device of the storage system controller, the decrypted data using the second encryption information to generate encrypted data.

Abstract: The cloud hybrid application storage management system spans local data center and cloud-based storage and provides a unified view of content and administration throughout an enterprise. The system manages synchronization of storage locations, ensuring that files are replicated, uniquely identified, and protected against corruption. The system ingests digital media assets and creates instances of the assets with their own identification and rights and houses the identification and relationships in a CAR (Central Asset Registry). The system tracks the different instances of the assets in multiple storage locations using the CAR, which is a central asset registry that ties together disparate digital asset management repository systems (DAMs) and cloud-based storage archives in which the instances reside. While the invention treats and manages multiple files/instances independently, the CAR identifies them as related to each other.

Abstract: The disclosed computer-implemented method for protecting user data privacy against the use of fake first-party domains by hidden web trackers may include (i) identifying a group of subdomains associated with one or more websites, (ii) comparing an Internet Protocol (IP) address range for each of the subdomains, (iii) determining, based on the comparison, that an IP address range for a target subdomain is potentially utilized by a hidden web tracker as a fake first-party subdomain in the websites, (iv) detecting similarities between any scripts loaded by websites associated with the target subdomain and any functions performed by the scripts, and (v) perform a security action that protects against utilizing fake domains for evading web browser tracking protection by identifying the target subdomain as the fake first-party subdomain based on the detected similarities. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The technology discloses processing incoming access requests of packets through cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, including a packet and stream router conveying each incoming access request of packets through all of components (a)-(d) that apply, at least until one of the components sets a restrictive state on at least one object corresponding to the incoming access request or until all of the components that apply have passed the incoming access request.

Abstract: Datasource processors may communicate with an artificial intelligence (AI) engine in order to generate, in parallel, object summaries from datasource objects received from datasources. Each object summary may include an object identifier, one or more local entities, and a mapping from each of the one or more local entities to one or more attributes. A global entity resolver may augment the object summaries by mapping each of the local entities to a global entity. Policy engines may evaluate, in parallel, the object summaries with respect to a security and/or privacy policy. If a security and/or privacy violation is recognized, a remediation measure may be applied in connection with the datasource object for which the security and/or privacy violation exists.

Abstract: Aspects of the disclosure relate to enabling playing of content at an autonomous vehicle. For example, a request to transport a user on a trip may be received. The autonomous vehicle may be assigned to the trip. Whether the user has enabled a content feature may be determined. In response to determining that the user has enabled the content feature a request for a device identifier is sent to the autonomous vehicle. The device identifier generated at the autonomous vehicle is received. The received device identifier may be sent to a content-enabling computing system including one or more processors in order to enable the user to play content from the client computing device at the autonomous vehicle during the trip.

Abstract: A method for key derivation for non-3GPP access. The method includes determining a particular non-3GPP access type, wherein the particular non-3GPP access type is one of N different particular non-3GPP access types (N>1), and each one of the N particular non-3GPP access types is associated with a unique access type distinguisher value. The method also includes generating (s604) a first access network key using a key derivation function and the unique access type distinguisher value with which the determined particular non-3GPP access type is associated, thereby generating a first access network key for the particular non-3GPP access type.

Abstract: A wearable electronic device includes a watch body including a touch-sensitive display configured to receive a first input and a first wireless circuit configured to receive a wireless input signal. The wearable electronic device further includes a band coupled to the watch body and configured to attach the watch body to a user and a wireless module coupled to the band and including an input device configured to receive a second input and a second wireless circuit configured to transmit the wireless input signal to the first wireless circuit in response to receiving the second input.

Abstract: A system obtains a use condition for restricting use of an application in a first client device of a first user. The system obtains a use status of the application in the first client device. Responsive to the use status not satisfying the use condition, the system sends a notification to a second client device of a second user different from the first user, and/or restricts the use of the application in the first client device.

Abstract: A system having an off-premises proxy server residing in a cloud computing environment and backend servers residing in an enterprise computing environment are provided. Requests received by the off-premises proxy server for access to a first, non-publicly accessible backend server are routed to a tunnel server which stores the request and waits to be polled by a tunnel agent connected to the first backend server. When the tunnel server is polled, the request is forwarded through an HTTP tunnel to the tunnel agent, which forwards it to the backend server for processing. Responsive information is returned to the tunnel agent, which forwards it through the HTTP tunnel to the tunnel server and returned through the off-premises proxy server to the remote application. Requests for access to a first, publicly accessible backend server are routed by the off-premises proxy server directly to the backend server for processing and return of responsive information.

Abstract: Systems and methods for detecting a rogue network device at a physical layer include monitoring physical layer characteristics of a wired link at both a first network device and a second network device; determining whether there are detectable variances in the physical layer characteristics; and detecting a rogue network device inserted on the link based on the detectable variances.

Abstract: Techniques are disclosed relate to systems, methods, and non-transitory computer readable media for implementing a browser extension for cyber threat intelligence and response. One system to perform operations comprising: receiving, in a sandbox of a browser by a browser extension, a selection of at least one particular indicator of compromise of the at least one of the indicator of compromise of at least scanned part of a web page; displaying one or more orchestrated responses; receiving a selection of at least one particular orchestrated response of the one or more orchestrated responses; transmitting the selected at least one particular orchestrated response to the cloud-based enrichment and analysis of cybersecurity threat intelligence system; receiving a response including a result of the at least one particular orchestrated response; and displaying the result of the at least one particular orchestrated response.

Abstract: One example method includes receiving, by a backup appliance, a request concerning a dataset, performing, by the backup appliance, an inquiry to determine if end-to-end encryption is enabled for a volume of a target storage array, receiving, by the backup appliance, confirmation from the storage array that end-to-end encryption is enabled for the volume, and based on the confirmation that end-to-end encryption is enabled for the volume, storing the dataset in the volume without performing encryption, compression, or deduplication, of the dataset prior to storage of the dataset in the volume.

Abstract: A method of operating a terminal device in a wireless telecommunications system comprising the terminal device and a plurality of network access nodes, wherein the method comprises: establishing first wake-up signalling configuration information for a first network access node covering a current location for the terminal device, wherein the first wake-up signalling configuration information comprises an indication of a first wake-up signalling format to be transmitted by the first network access node in advance of transmitting a paging message to indicate the terminal device should seek to decode the paging message, and an indication of an associated first wake-up signalling validity period for the first wake-up signalling format; monitoring for signalling transmitted by one of the plurality of network access nodes in accordance with the first wake-up signalling format during the first wake-up signalling validity period, and seeking to decode a subsequent paging message if wake-up signalling in accordance wit

Abstract: Systems, methods, and computer-readable media are disclosed for extracting data from web applications. An exemplary embodiment includes monitoring web traffic between a client terminal and a server, the web traffic corresponding to a user's interaction with a web browser to send a request for data, such as a web page, from the client terminal to the server. A data log is created reflecting the monitored web traffic, and processed to extract the request for data. A command is generated for accessing the server based on the request for the data that was extracted from the data log. When the generated command is executed, it downloads the data from the server to the client terminal. Some embodiments are able to specify a pattern to search for in the downloaded web page, search the downloaded data for the pattern to identify data of interest and provide the identified data to a user.

Abstract: Disclosed is a system and method for providing secure access control to an electronic network or device. By limiting the ability of a single administrator to act unilaterally without the agreement and/or notification of further system administrators, the data integrity and security of stored data, such as email accounts, may be enhanced and risk of compromise ameliorated. By permitting multiple administrators acting in a concert of action to access stored data, such as without notification of the email account holder, potential misconduct by email account holders may be audited.

Abstract: An access manager determines whether access will be granted to a guarded species or space utilizing a controller including a digital processor with a memory for storing an ID library and a transducer block coupled with the processor for accessing a plurality of different ID types and an access control block coupled with the processor for granting or denying access.

Abstract: A host may use address translation to convert virtual addresses to physical addresses for endpoints, which may then submit memory access requests for physical addresses. The host may incorporate the physical address and a signature of the physical address generated using a private key into a translated address field of a response to a translation request. An endpoint may treat the combination as a translated address by storing it in an entry of a translation cache, and accessing the entry for inclusion in a memory access request. The host may generate a signature of the translated address from the request using the private key, with the result being compared to the signature from the request. The memory access request may be verified when the compared values match, and the memory access may be performed using the translated address.

Abstract: In one embodiment, a method comprises: monitoring, by a first security agent executed within a network device, for real-time detection of a cyber threat in the network device, the network device configured for secure communications in a secure peer-to-peer data network, the monitoring including detecting a detected cyber threat; communicating by the first security agent with at least one notified agent about the detected cyber threat, the at least one notified agent one of a second security agent executed within the network device, or a corresponding first security agent in a second network device having a two-way trusted relationship with the network device in the secure peer-to-peer data network; and executing, by the first security agent, a corrective action to at least mitigate the cyber threat based on the communicating with the at least one notified agent of the detected cyber threat.

Abstract: Described is a secure, electronic, submission process providing and enabling applicants to initiate requests to desirous requestors seeking such submissions based on authenticated and trusted identities and/or credentials or which could be authenticated securely through other defined processes. SafeCase is an innovative process for convenience, ease and security in application submissions for anyone and everyone through an electronic interface that has been built innovatively on the strong foundations of Identity Management, giving irrevocable and irrefutable trust on the Identity and/or credentials and/or the purpose that an applicant is applying for or wishes to achieve. SafeCase is an end-to-end secure and transparent interface, wherein the applicant (i.e. the Candidate) utilizes his/her Authenticated Credential(s) or Identity(ies) to submit an application. The applicant remains updated in real time on the status of the submitted application till its final disposal.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: Systems and methods for rules-based automated penetration testing and regression to certify release candidates against known patterns that inject vulnerabilities are disclosed.

Abstract: A system and method for securely training a model comprises including the algorithms of the model into a training module, and communicating the training module from a vendor computer system to a customer computer system. The training module is operated on the customer's computer system using the data from the customer, and a trained training module is achieved after operating the training module on the customer's computer system. The trained training module is used to initialize at least one additional module, which is communicated from the customer's computer system to the vendor's computer system, is used to score observations.

Abstract: Disclosed is a multi-signature security account control system. The present invention comprises a multi-signature security account in which at least three participating accounts have management authority, wherein the participating accounts are a first participating account corresponding to a user terminal, a second participating account corresponding to an HSM management server, and a third participating account corresponding to an exchange server, and the HSM management server may control the authority of the multi-signature security account to be controlled by using signature information provided from at least two of the participating accounts.

Abstract: States of storage nodes in a storage cluster may be transitioned from a secured state to an unsecured state. When all the storage nodes are in the secured state, a first reboot of the storage nodes is initiated. The first reboot may involve the storage nodes rebooting from the secured state into an intermediate state. During the first reboot: storage nodes that have rebooted into the intermediate state are allowed to rejoin the distributed storage cluster, and storage nodes in the unsecured state are not allowed to join the distributed storage cluster. When all the storage nodes are in the intermediate state, a second reboot of the storage nodes may be initiated. The second reboot may involve rebooting the storage nodes from the intermediate state into the unsecured state. During the second reboot, storage nodes that have rebooted into the unsecured state are allowed to rejoin the storage cluster.

Abstract: Systems and methods are provided for implementing stand-in network identities. One example computer-implemented method includes receiving, from a communication device associated with a user, an on-behalf-of (OBO) request from the user to share permission data with a relying party and, in response to the OBO request, generating a permission request for the permission data and transmitting the permission request to the communication device associated with the user. The method also includes receiving, from the communication device associated with the user, consent from the user to share the permission data with the relying party. The method then includes identifying, in a data structure, an OBO permission for the user with respect to the PII and in response to identifying the OBO permission for the user, transmitting the permission data identified in the OBO request to the relying party.

Abstract: A method for authenticating a software based on a blockchain implemented in an electronic device. The method includes obtaining a first identification code and a first hash value of a first software; generating a first authentication code; writing the first identification code, the first hash value, and the first authentication code into a blockchain; obtaining a second identification code of a second software to be identified and calculating a second hash value of the second software; determining whether the second hash value of the second software is the same as the first hash value; if the second hash value is the same as the first hash value, generating a second authentication code; determine whether the second authentication code is the same as the first authentication code; and if so determining that the second software is copyrighted.

Abstract: Techniques are disclosed relating to multi-factor authentication for data security. In some embodiments, a computer system receives, from a user device, a database operation request that specifies a set of query data, where the computer system supports multiple different security levels requiring different subsets of a set of authentication factors supported by a known device of a user of the user device. Various devices may determine current contextual information for the database operation request, where the contextual information indicates the set of query data. In some embodiments, the computer system selects, based on the current contextual information, a security level from the multiple different security levels. In some embodiments, the computer system revokes, based on the selected security level, access privileges of the user for accessing a database corresponding to the database operation request.

Abstract: Task permissions for software services can be set in a distributed computing environment according to some examples described herein. In one example, a system can determine software services that are included in software products deployable to a user account of a distributed computing environment. The system can determine task permissions to be set in the user account for allowing the software services to execute tasks in the distributed computing environment. The system can generate a list of task permissions by consolidating the task permissions based on predefined rules. The system can then transmit an output indicating the list of task permissions for causing the user account to be configured based on the list of task permissions, to permit the software services to execute the tasks in the distributed computing environment.

Abstract: The invention provides systems, methods and computer program products for securing electronic transactions and users of electronic transaction services from phishing attacks by malicious attackers and fraudsters. A terminal device receives a first data communication comprising an OTP associated with a requested electronic transaction, and identifies a validity period associated with the OTP. The terminal device responds to detection of a second data communication between the terminal device and a remote entity during the identified validity period, by extracting content from the second data communication. The extracted content is analyzed and a risk decision is generated based on output of the analysis of the extracted content. The risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker.

Abstract: A system includes a memory, an application TEE instance, an escrow TEE instance, and a server. The server is configured to receive a request to start the application TEE instance and launch the escrow TEE instance provisioned with a secret. The secret is initially accessible from a first location until the escrow TEE instance is provisioned and accessibility to the secret in the first location is restricted after provisioning the escrow TEE instance with the secret. The escrow TEE instance is configured to obtain a cryptographic measurement associated with the application TEE instance, validate the application TEE instance, and provide the secret from a second location to the application TEE instance.

Abstract: A speech interface device is configured to receive response data from a remote speech processing system for responding to user speech. This response data may be enhanced with information such as a remote ASR result(s) and a remote NLU result(s). The response data from the remote speech processing system may include one or more cacheable status indicators associated with the NLU result(s) and/or remote directive data, which indicate whether the remote NLU result(s) and/or the remote directive data are individually cacheable. A caching component of the speech interface device allows for caching at least some of this cacheable remote speech processing information, and using the cached information locally on the speech interface device when responding to user speech in the future. This allows for responding to user speech, even when the speech interface device is unable to communicate with a remote speech processing system over a wide area network.

Abstract: Provided is a technique for performing statistical processing such as processing for obtaining parameters of logistic regression analysis faster than before. A secure statistical processing system includes a cross tabulation table computing device 2 that performs secure computation on a cross tabulation table in which frequencies are in plain texts while keeping each record concealed; and a statistical processing device 3 that performs predetermined statistical processing using the cross tabulation table in which frequencies are in plain texts. The cross tabulation table computing device 2 may include a plurality of secure computation devices 221, . . . , 22N that perform secure computation on a cross tabulation table in which frequencies are fragments subjected to secret sharing while keeping each record concealed, and a management device 21 that restores the fragments to compute the cross tabulation table in which frequencies are in plain texts.

Abstract: A processing device initializes a memory device in an unauthenticated state in which the memory device is unable to execute one or more restricted commands. The processing device accesses a security capsule that is digitally signed using a private key. The processing device transitions the memory device to an authenticated state based on verifying that the security capsule is validly signed. The processing device uses a public key corresponding to the private key to verify the security capsule is validly signed. While in the authenticated state, the memory device is able to execute the one or more restricted commands.

Abstract: Provided is a hybrid trusted execution environment based android security framework, an android device equipped with the same and a method of executing a trusted service in the android device. The hybrid trusted execution environment based android security framework includes a hardware resource that comprises a rich execution environment (REE) where an android operating system (OS) runs, and a secure container which implements a virtualized trusted execution environment (VTEE) that processes a security task in the rich execution environment (REE) when an application running on the rich execution environment requests the security task.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: A user of a device is authenticated after providing a pass code or other data confirming the user can access data on the device. While the user uses the device, behaviometric data is recorded which includes measures of how the user uses the device. Additional data, however, can only be accessed with a biometric and/or second authentication after collecting at least some behaviometric data, in embodiments of the disclosed technology. Depending on how close of a match the behaviometric data received is to previously recorded behaviometric data for the particular user, a threshold minimum is set for the biometric match in order to grant stepped up authentication and authorization to view the additional data. In this manner, a legitimate user often requires less time to authenticate compared to the prior art and a fraudulent user is rejected from access to sensitive data more accurately.

Abstract: This disclosure provides methods, devices and systems that facilitate mobility of wireless communication devices configured for multi-link operation (MLO). Particular aspects more specifically relate to facilitating fast basic service set (BSS) transitions by wireless communication devices that support MLO. For example, some aspects provide support for station (STA) multi-link device (MLD) roaming between access point (AP) MLDs, from an AP MLD to a non-MLO AP, or from a non-MLO AP to an AP MLD. In some aspects, a STA MLD may be configured to use a medium access control (MAC) service access point address (MAC-SAP address) of the AP MLD when re-associating or communicating with a legacy AP or with an AP MLD. In such aspects, the MAC-SAP address may be used by all STAs of the non-AP MLD for fast BSS transitions.

Abstract: A system on chip includes a memory, a main processor that runs an operating system, and first Intellectual Properties (IPs) that perform respective processing operations. The main processor operates to copy target firmware to the memory using a firmware loader, using a hypervisor, block access of the main processor and the first IPs to the target firmware before verification of the target firmware, and using the hypervisor, grant access to the target firmware by a target IP among the first IPs that corresponds to the target firmware after the verification of the target firmware.

Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.

Abstract: A method for performing service authorization for private networks based on an enhanced PLMN identifier. The method includes receiving an attach request from a user equipment device (UE) via a private network, where the attach request includes an international mobile subscriber identity value (IMSI). The method further includes determining, based on the IMSI, an organization identifier and a token associated with the private network, where the token is included in an enhanced PLMN for granting the UE access to resources in the private network. The method further includes sending the token to the UE and a network proxy within the private network.

Abstract: Apparatus and methods for repeater/extender operation of a wireless-enabled device, including for extending the range or coverage in a wireless network subject to poor signal propagation or obstructions. In one embodiment, the apparatus and methods leverage use of a CPE (consumer premises equipment) configured as a 5G mmWave extender to extend RF signals from one or more base stations (e.g., a NodeB) to one or more other premises. In one variant, the CPE includes (i) a internal unit configured to provide 5G and Wi-Fi services to local UE, as well as other standard CPE functions; (ii) a donor apparatus configured to receive/transmit 5G signals to/from the one or more base stations; and (iii) a service apparatus configured to radiate 5G signals to UE/CPE with weak or no NodeB connectivity. The CPE is configured to create and dynamically update a weighted beam matrix used to select beams.

Abstract: A method for reducing violence within crowded venues is provided. The method includes reading license plates of vehicles passing into entry ports of a parking area, and capturing facial images of persons seeking admission to the venue. A computer compares such license plates to a database of vehicle license plates associated with persons with past histories of violence. A computer also compares captured facial images to a database of facial data for persons with past violent histories. Upon detecting a match, the computer creates an alert presented to law enforcement officers to facilitate detention of such persons for investigation. Information recorded on entry tickets is scanned and saved together with the facial image of the ticket holder. If a violent act occurs, cameras within the venue capture facial images of participants. The computer matches such participants to stored identifying data to assist in the identification and apprehension of such persons.