Abstract: A method for authenticating a software based on a blockchain implemented in an electronic device. The method includes obtaining a first identification code and a first hash value of a first software; generating a first authentication code; writing the first identification code, the first hash value, and the first authentication code into a blockchain; obtaining a second identification code of a second software to be identified and calculating a second hash value of the second software; determining whether the second hash value of the second software is the same as the first hash value; if the second hash value is the same as the first hash value, generating a second authentication code; determine whether the second authentication code is the same as the first authentication code; and if so determining that the second software is copyrighted.

Abstract: A system includes a memory, an application TEE instance, an escrow TEE instance, and a server. The server is configured to receive a request to start the application TEE instance and launch the escrow TEE instance provisioned with a secret. The secret is initially accessible from a first location until the escrow TEE instance is provisioned and accessibility to the secret in the first location is restricted after provisioning the escrow TEE instance with the secret. The escrow TEE instance is configured to obtain a cryptographic measurement associated with the application TEE instance, validate the application TEE instance, and provide the secret from a second location to the application TEE instance.

Abstract: The invention provides systems, methods and computer program products for securing electronic transactions and users of electronic transaction services from phishing attacks by malicious attackers and fraudsters. A terminal device receives a first data communication comprising an OTP associated with a requested electronic transaction, and identifies a validity period associated with the OTP. The terminal device responds to detection of a second data communication between the terminal device and a remote entity during the identified validity period, by extracting content from the second data communication. The extracted content is analyzed and a risk decision is generated based on output of the analysis of the extracted content. The risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker.

Abstract: A speech interface device is configured to receive response data from a remote speech processing system for responding to user speech. This response data may be enhanced with information such as a remote ASR result(s) and a remote NLU result(s). The response data from the remote speech processing system may include one or more cacheable status indicators associated with the NLU result(s) and/or remote directive data, which indicate whether the remote NLU result(s) and/or the remote directive data are individually cacheable. A caching component of the speech interface device allows for caching at least some of this cacheable remote speech processing information, and using the cached information locally on the speech interface device when responding to user speech in the future. This allows for responding to user speech, even when the speech interface device is unable to communicate with a remote speech processing system over a wide area network.

Abstract: Provided is a technique for performing statistical processing such as processing for obtaining parameters of logistic regression analysis faster than before. A secure statistical processing system includes a cross tabulation table computing device 2 that performs secure computation on a cross tabulation table in which frequencies are in plain texts while keeping each record concealed; and a statistical processing device 3 that performs predetermined statistical processing using the cross tabulation table in which frequencies are in plain texts. The cross tabulation table computing device 2 may include a plurality of secure computation devices 221, . . . , 22N that perform secure computation on a cross tabulation table in which frequencies are fragments subjected to secret sharing while keeping each record concealed, and a management device 21 that restores the fragments to compute the cross tabulation table in which frequencies are in plain texts.

Abstract: A processing device initializes a memory device in an unauthenticated state in which the memory device is unable to execute one or more restricted commands. The processing device accesses a security capsule that is digitally signed using a private key. The processing device transitions the memory device to an authenticated state based on verifying that the security capsule is validly signed. The processing device uses a public key corresponding to the private key to verify the security capsule is validly signed. While in the authenticated state, the memory device is able to execute the one or more restricted commands.

Abstract: Provided is a hybrid trusted execution environment based android security framework, an android device equipped with the same and a method of executing a trusted service in the android device. The hybrid trusted execution environment based android security framework includes a hardware resource that comprises a rich execution environment (REE) where an android operating system (OS) runs, and a secure container which implements a virtualized trusted execution environment (VTEE) that processes a security task in the rich execution environment (REE) when an application running on the rich execution environment requests the security task.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: A user of a device is authenticated after providing a pass code or other data confirming the user can access data on the device. While the user uses the device, behaviometric data is recorded which includes measures of how the user uses the device. Additional data, however, can only be accessed with a biometric and/or second authentication after collecting at least some behaviometric data, in embodiments of the disclosed technology. Depending on how close of a match the behaviometric data received is to previously recorded behaviometric data for the particular user, a threshold minimum is set for the biometric match in order to grant stepped up authentication and authorization to view the additional data. In this manner, a legitimate user often requires less time to authenticate compared to the prior art and a fraudulent user is rejected from access to sensitive data more accurately.

Abstract: This disclosure provides methods, devices and systems that facilitate mobility of wireless communication devices configured for multi-link operation (MLO). Particular aspects more specifically relate to facilitating fast basic service set (BSS) transitions by wireless communication devices that support MLO. For example, some aspects provide support for station (STA) multi-link device (MLD) roaming between access point (AP) MLDs, from an AP MLD to a non-MLO AP, or from a non-MLO AP to an AP MLD. In some aspects, a STA MLD may be configured to use a medium access control (MAC) service access point address (MAC-SAP address) of the AP MLD when re-associating or communicating with a legacy AP or with an AP MLD. In such aspects, the MAC-SAP address may be used by all STAs of the non-AP MLD for fast BSS transitions.

Abstract: A system on chip includes a memory, a main processor that runs an operating system, and first Intellectual Properties (IPs) that perform respective processing operations. The main processor operates to copy target firmware to the memory using a firmware loader, using a hypervisor, block access of the main processor and the first IPs to the target firmware before verification of the target firmware, and using the hypervisor, grant access to the target firmware by a target IP among the first IPs that corresponds to the target firmware after the verification of the target firmware.

Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.

Abstract: A method for performing service authorization for private networks based on an enhanced PLMN identifier. The method includes receiving an attach request from a user equipment device (UE) via a private network, where the attach request includes an international mobile subscriber identity value (IMSI). The method further includes determining, based on the IMSI, an organization identifier and a token associated with the private network, where the token is included in an enhanced PLMN for granting the UE access to resources in the private network. The method further includes sending the token to the UE and a network proxy within the private network.

Abstract: Apparatus and methods for repeater/extender operation of a wireless-enabled device, including for extending the range or coverage in a wireless network subject to poor signal propagation or obstructions. In one embodiment, the apparatus and methods leverage use of a CPE (consumer premises equipment) configured as a 5G mmWave extender to extend RF signals from one or more base stations (e.g., a NodeB) to one or more other premises. In one variant, the CPE includes (i) a internal unit configured to provide 5G and Wi-Fi services to local UE, as well as other standard CPE functions; (ii) a donor apparatus configured to receive/transmit 5G signals to/from the one or more base stations; and (iii) a service apparatus configured to radiate 5G signals to UE/CPE with weak or no NodeB connectivity. The CPE is configured to create and dynamically update a weighted beam matrix used to select beams.

Abstract: Tamper-proofing and secure identity validation techniques in a transaction processing system and secure electronic payment techniques are disclosed. A tamper-proof transaction processing device is provided and comprises at least two different strength adhesives to secure parts of the device together and a housing comprising at least a first and second protective layer. An electronic component comprising a secure element chip storing unique information relating to the chip is located between the first and second protective layer in the housing. In another aspect, a transaction processing system includes a payment instrument that is configured to approve only negative value and/or zero value transaction requests. Another aspect provides an identity card checking system and method where the identity card is brought into proximity of a data processing device and identity information is displayed on the screen of the data processing device for the period of time while the card is in proximity.

Abstract: Techniques are described for using ATSC 3.0 to augment in-stadium (including in-arena) video feeds. In addition to a central stadium large screen view, spectators can use their mobile devices or view wall-mounted TVs around the stadium to receive in-stadium special feeds broadcast using ATSC 3.0, but not necessarily broadcast beyond the stadium and its environs.

Abstract: A method for reducing violence within crowded venues is provided. The method includes reading license plates of vehicles passing into entry ports of a parking area, and capturing facial images of persons seeking admission to the venue. A computer compares such license plates to a database of vehicle license plates associated with persons with past histories of violence. A computer also compares captured facial images to a database of facial data for persons with past violent histories. Upon detecting a match, the computer creates an alert presented to law enforcement officers to facilitate detention of such persons for investigation. Information recorded on entry tickets is scanned and saved together with the facial image of the ticket holder. If a violent act occurs, cameras within the venue capture facial images of participants. The computer matches such participants to stored identifying data to assist in the identification and apprehension of such persons.

Abstract: Techniques to handle calls to web services via a service proxy are disclosed herein. In one embodiment, a technique includes an intermediate server receiving a request from a client device to the web service at a target server. In response to receiving the request, the intermediate server can authenticate the received request from the client device and upon successful authentication of the received request, forward the request to the targeted server and invoking the web service to process the forwarded request because the intermediate server is authenticated with the target server. The technique can also include receiving, at the intermediate server, data from the target server that represents execution results of the request by the web service at the target server. Upon receiving the data, the intermediate server can then forward to the client device, the data representing execution results of the request by the web service at the target server.

Abstract: Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenges workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.

Abstract: Device and method for reporting power-on self-test (POST) codes of a computing device via a standard external memory card interface. A BIOS of the personal computing device is programmed to configure, during a power-on sequence, multiple signal connections of the standard external memory card interface for conveyance of general purpose input and output signals. When a complementary memory signal conversion device is detected in the memory card interface during the power-on sequence, the BIOS may initiate transmission of a serial data signal containing POST codes related to any detected startup errors.

Abstract: There are provided systems and methods for managing network vulnerability scanning to avoid interference and disruption of network operations. In one form, the system includes: a network of computing devices; a network vulnerability scanner for evaluating insecurity and vulnerability of the network; a network traffic monitor for measuring the volume of network traffic at a certain time; and a scanning scheduler that includes scanning blackout events limiting operation of the scanner. Each blackout event includes an event name, a country or region for the blackout, a blackout start time and end time, and a blackout type that may include a level of the blackout and an authorization required for the network scan to proceed. In the system, a control circuit controls operation of the scanner; interrupts, delays, or cancels a network scan when the network traffic exceeds a certain threshold; and enforces blackout events according to the scanning scheduler.

Abstract: Disclosed embodiments include methods, systems, and computer-readable media configured to, for example, provide payment tokens for conducting transactions, as well as reprovisioning tokens, on wearable devices without Bluetooth® or other network connectivity beyond NFC radio.

Abstract: Systems and methods for remote management of software on private networks are generally described. In various examples, a cluster of compute instances are deployed by a cloud compute service provider. A first compute pod may be deployed among the cluster of compute instances. The first compute pod may be configured to execute a secure shell daemon (SSHD) network proxy. The first compute pod may be configured to open ports to allow access to the cluster of compute instances by an authorized administrative user. In some examples, a connection may be established between a first computing device executing a secure shell (SSH) process and the SSHD network proxy of the first compute pod. Data may be sent from the first computing device to at least one compute instance of the cluster of compute instances using the connection.

Abstract: A system for one-click two-factor includes a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to perform operations including: (i) receiving an access request from a user, the access request including a first authentication factor; (ii) generating a second authentication factor and a hyperlink that includes the second authentication factor; (iii) providing the hyperlink that includes the second authentication factor to a client device associated with the user; (iv) automatically receiving the second authentication factor in response to selection of the hyperlink by the user; and (v) verifying the first authentication factor and the second authentication factor to authenticate the identity of the user.

Abstract: Systems and methods for digitally encrypting sensitive, self-executing, digital content are provided. A method may include storing the digital content in an encrypted digital vault and generating a first password and a second password which together may unlock the digital vault. The method may include storing the first password on a first encrypted distributed ledger and the second password on a second encrypted distributed ledger. The method may include automatically updating the passwords periodically and storing the updated passwords as new entries on the distributed ledgers. When a document from a predetermined list of documents is digitally scanned and authenticated, the method may include unlocking access to the first password on the first distributed ledger for the designated entity. When the digital vault is unlocked with the first and the second passwords, the digital content may self-execute.

Abstract: A method for monitoring the loneliness state of a subject includes receiving proximity information for a plurality of user devices and then generating a loneliness decision for subjects who use the devices based on the proximity information. In one case, the proximity information may be projected onto a lower dimensional space, distance values corresponding to the proximity information may be compared, and the user devices may be ranked based on the comparison. A user may then be determined to be lonely based on the ranking of the user devices. In other cases, clustering techniques may be applied relative to one or more centroids. Distances may then be calculated and compared for purposes of generating a loneliness decision. In other cases, resource information may be taken into consideration with distance information for generating a loneliness decision.

Abstract: Exemplary embodiments provide for rate limiting access to data endpoints which includes a processor configured to monitor network traffic between one or more devices on a first network and a second network. The processor may receive a first data endpoint request from one of the one or more devices and compare the first data endpoint request to a ledger of one or more data endpoints. The ledger may have a rate limit associated with the one or more data endpoints which defines a threshold number of requests allowed for the one or more data endpoints. In response to the first data endpoint request matching one or more of the data endpoints on the ledger, the processor may block the first data endpoint request when the data endpoint request exceeds the threshold number of requests allowed for the matching data endpoint on the ledger.

Abstract: Methods and systems for detecting an electronic intrusion are described. The system receives a notification, over a network, from a first application server that is hosting a first electronic service that is hosting a first user account. The notification reports the detection of a user activity associated with the first user account. The first user account is monitored for user activity. Next, the system may identify the notification reporting the detection of the user activity associated with the first user account as a possible electronic intrusion into the first account.

Abstract: A computer-implemented method of detecting clipboard listener applications that includes placing, by a clipboard listener-detector application, a content reference, such as a Uniform Resource Identifier (URI), on a device clipboard; receiving, by the clipboard listener-detector application, at least one request from one or more clipboard listener applications for data based on the content URI; identifying the one or more clipboard listener applications from which said at least one request was received; and outputting an identity of each of the one or more identified clipboard listener applications.

Abstract: A solution is proposed for deploying software programs. A corresponding method comprises calculating a program security indicator of each software program according to corresponding component security indicators of software components being used by the software program. A computing system (or more) is selected for deploying the software program according to a comparison between the program security indicator and corresponding system security indicators of a plurality of available computing systems. A computer program and a computer program product for performing the method are also proposed. Moreover, a corresponding system is proposed.

Abstract: A method and system for authenticating a device is provided. A noisy response is received from a physically unclonable function for a challenge. An error code is generated for correcting the noisy first response. An expected response is generated from the noisy first response and the error code. The expected response and corresponding first helper data is store. The helper data includes the first challenge and the error code. The helper data is provided to a device in response to an authentication request from the device, the first device including the physically unclonable function.

Abstract: Presented herein are techniques to provide for the ability to utilize 3GPP-generated Session Keys that can be generated via a primary authentication or a secondary authentication process for a user equipment (UE) via a private wireless wide area (WWA) access network in which the keys can be leveraged to facilitate connection of the UE to a wireless local area (WLA) access network. In one example, a method may include obtaining a request to authenticate a UE for connection to a WWA access network; determining that the UE is capable of a Fast Transition (FT) capability; authenticating the UE for connection to the WWA access in which, based on the FT capability, the authenticating includes generating a root security key for the UE; and upon determining that the UE is attempting to access the WLA access network, providing the root security key for the UE to the WLA access network.

Abstract: Disclosed is a unified security system of cloud-based components configured for (a) packet-level and (b) protocol-level access control and traffic inspection, (c) threat detection and (d) activity contextualization. Packet-level inspects and classifies headers in requests or responses, sets a first restrictive state or passes the request or response. Protocol-level performs deep packet inspection for malicious signatures then sets a second state or passes. Threat detection, when the request or response is an HTTP/S stream, classifies as directed to a threat destination or not, then sets a third state or passes the request or response and activity contextualization, when the request is an HTTP/S stream seeking access to a cloud-based application, recognizes, processes and classifies content-containing activity as compromising or not, then sets a fourth state or passes.

Abstract: An information processing system configured to perform setting for an image processing apparatus based on setting edited by an application configured to operate on an information processing apparatus, wherein the system includes a startup unit that acquires a status of the image processing apparatus, downloads setting information for the image processing apparatus, determines whether or not to start up the application, and controls the startup of the application based on results of the determination, wherein the determination is performed based on the status before the setting information download has begun.

Abstract: A method of detecting anomalous user behavior in a cloud environment includes receiving a vector that comprises counts of actions taken by the user during a current time interval; determining whether an action count in the vector is greater than a global mean; building a scale table by combining new action skills that are above a threshold and original action skills if below the threshold; and identifying outliers when the action count is greater than the global mean multiplied by a corresponding action scale from the scale table.

Abstract: Examples for detecting a compromised device are described. A set of threat detection rules can instruct an application on the client device how to detect whether the client device is compromised. The rules can be updated dynamically and without updating the application that is performing the compromise detection. The rules can be encoded in an interpreted scripting language and executed by a runtime environment that is embedded within the application.

Abstract: Disclosed are a gas detection intelligence training system and an operating method thereof. The gas detection intelligence training system includes a mixing gas measuring device that collects an environmental gas from a surrounding environment, generates a mixing gas based on the collected environmental gas and a target gas, senses the mixing gas by using a first sensor array and a second sensor array under a first sensing condition and a second sensing condition, respectively, and generates measurement data based on the sensed results of the first sensor array and the second sensor array, and a detection intelligence training device including a processor that generates an ensemble prediction model based on the measurement data.

Abstract: Authenticating a host computer and NVDIMM pair using lookup tables for a challenge/response exchange between the pair of devices. The NVDIMM is challenged by the host computer for which a response associated with the physically unclonable function of a NVDIMM component is provided. The NVDIMM challenges the host computer for which a response associated with the physically unclonable function of a host computer component is provided. Additional security stores a modified response associated with run-time physically unclonable functions associated with the host computer and NVDIMM pair for use in future challenge/response exchanges.

Abstract: A method includes receiving registration information regarding a telematics unit and a respective control system for a plurality of equipment pieces; receiving a seed from a control system of a first equipment piece via a telematics unit of the first equipment piece based on receiving a telematics session request by the control system of the first equipment piece; authenticating the telematics unit and the control system of the first equipment piece based on information included with the seed and the registration information; generating a first encrypted key and a second encrypted key based on the authentication; providing the first key to the telematics unit for the first equipment piece; and providing the second encrypted key to the control system of the first equipment piece via the telematics unit of the first equipment piece to establish a data communication channel.

Abstract: Embodiments provide a system and method for extracting configuration-related information for reasoning about the security and functionality of a composed system. During operation, the system determines, by a computing device, information sources associated with hardware and software components of a system, wherein the information sources include at least specification sheets, standard operating procedures, user manuals, and vulnerability databases. The system selects a set of categories of vulnerabilities in a vulnerability database, and ingests the information sources to obtain data in a normalized format. The system extracts, from the ingested information sources, configuration information, vulnerability information, dependency information, and functionality requirements to create a model for the system.

Abstract: Methods and apparatus to protect sensitive information on media processing devices are disclosed. An example media processing device includes a processing engine configured to process a media processing instruction received at the media processing device, wherein the media processing instruction includes a command and data to cause a component of the media processing device to perform a function; and a data protector configured to determine whether the command is a data protection command; and when the command is the data protection command, modify the function to provide protection to the data.

Abstract: A system performs mobile biometric identification system enrollment using a known biometric. The system receives a digital representation of a first biometric for a person. Prior to using the digital representation of the first biometric to identify the person, the system compares a received digital representation of a second biometric for the person to known biometric data for the person. When the digital representation of the first biometric has been thus verified, the system is operative to identify the person using the digital representation of the first biometric.

Abstract: In an example embodiment, A PICNEEC is provided. It includes one or more Virtual Customized Rules Enforcer (VCRE) instances, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices. Each VCRE is configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet. Each VCRE instance is controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider.

Abstract: Systems and methods for detecting the presence of a body in a network without fiducial elements, using signal absorption, and signal forward and reflected backscatter of RF waves caused by the presence of a biological mass in a communications network.

Abstract: A facility management system comprises a server, a biometric identification unit, and a processing circuit. The server is configured to store a list of registered users, and biometric information and access rights pertaining to each registered users. The biometric identification unit is associated with the building equipment. The biometric identification unit is enabled to facilitate a user desiring access to the associated building equipment to scan at least one biometric parameter, and subsequent to scanning of the biometric parameter the biometric identification unit is configured to generate a scanned biometric information.

Abstract: A system for providing default content enhanced with supplemental content includes processing hardware and a memory storing a software code. The processing hardware executes the software code to receive a content stream including multiple video frames, a first video frame of the multiple video frames including first default content, first supplemental content, and first encoded metadata, and to decode the first encoded metadata of the first video frame to produce first decoded metadata. The processing hardware further executes the software code to select, using the first decoded metadata, at least a first portion of the first supplemental content for use in enhancing the first default content, transfer, using the first decoded metadata, the selected first portion of the first supplemental content to one or more predetermined locations in the first default content to produce an enhanced first video content, and output the enhanced first video content to a display device.

Abstract: Provided is a mobile phone authentication method using implicit authentication, the method including the steps of: by a server, receiving behavior data and environment information data from a user terminal when a user checks an authentication number for authentication of a mobile phone user; by the server, detecting a start point of a behavior of the user for checking the authentication number by performing peak detection in the received behavior data, and storing behavior data from the detected start point; and by the server, extracting feature data from the received environment information data and learning the extracted feature data to build a learning model.

Abstract: Disclosed embodiments may include a method that includes receiving first identifying information associated with a first user from a computing device; determining a score based on the first identifying information; determining whether the score is less than a threshold; pseudo-randomly generate and transmit a one-time use number to the computing device when the score is less than the threshold. When the score is greater than or equal to the threshold, the method may include transmitting, to the computing device, second instructions prompting the first user to provide second identifying information. Responsive to receiving the second identifying information of the first user, the method may include determining that the second identifying information matches stored second identifying information. Responsive to the second identifying information matching stored second identifying information, the method may include pseudo-randomly generate and transmit the one-time use number to the computing device.

Abstract: A security system generates a digital signature for a small cell of a wireless network and assigns the digital signature to the small cell for connecting to the wireless network. The digital signature can be generated based on a connectivity schedule for the small cell. When the security system obtains a connection request from the small cell to connect to the wireless network, the security system compares an instance of the digital signature included in the connection request with an expected digital signature and compares the point in time when the connection request was communicated with an expected time indicated in the connectivity schedule. The security system detects an anomaly when the instance of the digital signature deviates from the expected digital signature or the point in time deviates from the expected time, and causes performance of an action based on a type or degree of the anomaly.

Abstract: The system provides a voice command recommendation to a user to avoid a non-voice command. The system determines a command that is expected to be received, and generates a voice command recommendation that corresponds to the predicted command. The predicted command can be based on the user's behavior, a plurality of users' behavior, environmental circumstances such as a phone call ring, or a combination thereof. The system may access one or more databases to determine the predicted command. The voice command recommendation may include a displayed notification that describes the recommended voice command, and exemplary voice inputs that are recognized. The system also activates an audio interface, such as a microphone, that is configured to receive a voice input. If the system receives a recognizable voice input at the audio interface that corresponds to the recommendation, the system performs the predicted command in response to receiving the voice input.