Access Control Or Authentication Patents (Class 726/2)
  • Patent number: 11487677
    Abstract: A storage device including: a bridge board to receive a first command; an authenticator to receive user information; and a memory device to receive the first command from the bridge board, the memory device includes a memory controller which determines a status of the memory device, provides status information including the determined status of the memory device to the bridge board, determines the status of the memory device as an unlocked status or a locked status, the bridge board includes a transceiver which communicates with the host through an interface, a register which stores interface information, and a bridge board controller which generates a first response to the first command in a format corresponding to the interface using the interface information, and provides the first response to a host, the first response includes a status bit which inhibits or allows a write operation with respect to the memory device.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: November 1, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Min Gon Shin, Ji Soo Kim, Seung-Jae Lee, Ye Jin Yoon, Hwa Soo Lee
  • Patent number: 11483825
    Abstract: A method and a device for canceling an uplink transmission are provided. The method includes: when receiving an uplink transmission cancelation indication, determining a first starting time, where the first starting time is a starting time of a reference time region; and determining, based on the first starting time, a target time region for canceling the uplink transmission.
    Type: Grant
    Filed: March 11, 2019
    Date of Patent: October 25, 2022
    Assignee: VIVO MOBILE COMMUNICATION CO., LTD.
    Inventors: Xiaohang Chen, Zhi Lu, Xueming Pan
  • Patent number: 11483287
    Abstract: Various example embodiments of a reliable firewall are presented herein. Various example embodiments of a reliable firewall may be configured to provide a single, stateful firewall spanning multiple routers. Various example embodiments of a reliable firewall spanning multiple routers may be configured to provide a reliable firewall configured to protect high-availability network services, network services using multipath routing, or the like, as well as various combinations thereof. Various example embodiments of a reliable firewall spanning multiple routers may be configured to provide a reliable firewall by supporting synchronization of firewall synchronization information (e.g., firewall policy information, firewall session state information, or the like, as well as various combinations thereof) across the multiple routers.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: October 25, 2022
    Assignee: Nokia Solutions and Networks Oy
    Inventors: Lawrence Menten, Michel Rochon, Prashant Shanbhag
  • Patent number: 11462070
    Abstract: A retail environment having retail terminals with data entry point devices selectively encrypts input received by the data entry point devices and passes the encrypted data to a security module. The selective encryption is based on whether or not sensitive or confidential information, such as a personal identification number (PIN) associated with a debit card, is being input. To prevent hacking of the software of the retail terminal, content destined for display on the retail terminal is authenticated prior to display. In this manner, the retail terminal may be assured that confidential information is input only when desired, and thus may be encrypted only as needed.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: October 4, 2022
    Assignee: Gilbarco Inc.
    Inventors: Philip A. Robertson, Rodger K. Williams, Timothy M. Weston
  • Patent number: 11455624
    Abstract: A payment system for a transaction between a user and a merchant includes establishing user account and merchant accounts with an mCreds processing agent, loading consumer credit into a consumer account of a user computing device associated with a permanent identifier, identifying a desired transaction by the user on a computer server; accessing a merchant account, authenticating the user by comparing a provided user credential provided by the user with the user credential present in the database, authenticating the user computing device by comparing a provided user device identifier with the permanent user device identifier present in the database, and processing a debit to the user mCreds account and a credit to the merchant mobile credit account.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: September 27, 2022
    Assignee: Dave's Slingshot, LLC
    Inventors: John Leonard Snyder, Andrew Anthony Boemi, Peter Charles Vogelberger
  • Patent number: 11457019
    Abstract: In an approach for an access control system, a processor verifies an identity of a user in specified time intervals based on a first device associated with the user. A processor sends a validation token to a cloud-based system and updates a record associated with the user in the cloud-based system. A processor, in response to an attempt to access a secure area, transmits the validation token to a second device. A processor verifies the validation token by the second device with the cloud-based system.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: September 27, 2022
    Assignee: International Business Machines Corporation
    Inventors: Madeleine Eve Barker, Cesar Augusto Rodriguez Bravo, Jeremy R. Fox, Zachary A. Silverstein
  • Patent number: 11451557
    Abstract: A service system includes a server that provides a service as a cloud service, and a device that receives the service, wherein a terminal device that is operated by a contract administrator sends identification information of the contract administrator and information related to a contract of the service, to the server, and wherein the server includes a user information storage unit that specifies a role associated with the identification information of the contract administrator, a communication unit that receives the identification information of the contract administrator and the information related to the contract, and an information registration unit that registers the identification information of the contract administrator, contract identification information generated based on the contract, and an operation privilege related to the contract based on the role specified in the user information storage unit, in association with each other, in a contract operation privilege information storage.
    Type: Grant
    Filed: June 4, 2020
    Date of Patent: September 20, 2022
    Assignee: Ricoh Company, Ltd.
    Inventor: Takahiro Hirokawa
  • Patent number: 11451555
    Abstract: Embodiments concern a dynamic authorization framework. Security Classification Process (SCP) is the process of classifying raw data, information extracted from raw data, content or code from security-value perspective. Security Achievability Determination Process (SADP) is a process based on a SV/SC that has been assigned, the RHE may determine the Security Requirements and how the security requirements may be achieved. During the Security Achievability Listing Process (SALP), the RHE uploads onto the Resource Listing Entity (RLE) the URI of the resource, the SAM associated with the resource and optionally a digital certificate associated with the resource. During the SAM Assessment Process (SAMAP) process, a Client evaluates the security mechanisms that must be carried out in order to meet the SAM that was provided as part of the Discovery Process (DP). Based on the SAM obtained from the RLE, the Client may initiate a Security Achievability Enabling Process (SAEP).
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: September 20, 2022
    Assignee: Convida Wireless, LLC
    Inventors: Vinod Kumar Choyi, Chonggang Wang, Shamim Akbar Rahman, Quang Ly, Xu Li, Zhuo Chen, Rocco Di Girolamo
  • Patent number: 11451517
    Abstract: A method for secure proxying using trusted execution environment (TEE) technology includes performing, using a TEE running on a proxy, an attestation with a TEE running on a client. The TEE running on the proxy receives from the TEE running on the client a request to fetch data from a remote server. The TEE running on the proxy fetches the data specified in the request from the remote server. The TEE running on the proxy forwards to the TEE running on the client the data fetched from the remote server.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: September 20, 2022
    Assignee: NEC Corporation
    Inventors: Claudio Soriente, Hien Truong
  • Patent number: 11443275
    Abstract: This disclosure describes techniques for determining whether a transaction may be finalized with a user that exits a facility. To do so, the inventory management system may first determine whether the inventory management is to resolve any events prior to finalizing the transaction. In some instances, the inventory management system may refrain from finalizing a transaction with a user that exits the facility if the user is associated with a low-confidence result/event, if the user remains a candidate user for an unresolved event, or if a global-blocking event is in place at the time of the user's exit. In some instances, meanwhile, the transaction with a user may be finalized upon the user's exit of the facility if the user is associated with high-confidence events/results, is not associated with any low-confidence events/results, is not a candidate user for an unresolved event, and if no global-blocking event is in place at the time of exit.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: September 13, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Uday Prakash, Casey Louis Thurston, Kenneth King-Fung Lee, Michal Tucki
  • Patent number: 11437041
    Abstract: A speech interface device is configured to receive response data from a remote speech processing system for responding to user speech. This response data may be enhanced with information such as a remote ASR result(s) and a remote NLU result(s). The response data from the remote speech processing system may include one or more cacheable status indicators associated with the NLU result(s) and/or remote directive data, which indicate whether the remote NLU result(s) and/or the remote directive data are individually cacheable. A caching component of the speech interface device allows for caching at least some of this cacheable remote speech processing information, and using the cached information locally on the speech interface device when responding to user speech in the future. This allows for responding to user speech, even when the speech interface device is unable to communicate with a remote speech processing system over a wide area network.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: September 6, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Stanislaw Ignacy Pasko
  • Patent number: 11436358
    Abstract: A method for protecting information from databases includes a web application firewall and a database activity monitor. According to one aspect, a web gateway receives a request from a client device and provides the request to an application server to query a database. The web gateway receives sensitive data information describing requested data output by the database. The sensitive data information may include, for example, hints for detecting a type or structure of sensitive data output by the database. Additionally, the web gateway receives response data from the application server. The web gateway identifies sensitive data within the response data based on the sensitive data information. The web gateway protects the sensitive data to be provided to the client device using one or more data protection operations, which may include alerts, blocking policies, masking, or anomaly detection using machine learning algorithms.
    Type: Grant
    Filed: April 17, 2019
    Date of Patent: September 6, 2022
    Assignee: Imperva, Inc.
    Inventors: Shiri Margel, Itsik Mantin, Amichai Shulman, Daniella Goihman-Shuster
  • Patent number: 11429576
    Abstract: Disclosed herein are exemplary systems and methods for garbage collection and/or deletion in a document database. The methods may include, for each change in a first change set, determining whether a first characteristic of the change is superseded by a second characteristic of a corresponding change in a second change set. The change of the first change set and the change of the second change set can pertain to a document attribute. The method may include determining whether the first change set is redundant with the second change set if each change of the first change set is superseded by a corresponding change of the second change set, and eliminating the first change set from the document database when the first change set is redundant with the second change set.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: August 30, 2022
    Assignee: Macrometa Corporation
    Inventors: Chetan Venkatesh, Durga Gokina
  • Patent number: 11431701
    Abstract: Systems and methods associated with sharing encrypted account details with a trusted party are disclosed. In one embodiment, an exemplary method may comprise hosting an online service accessed by a plurality of user accounts each configured for concurrent access sessions, establishing a first authenticated access session for a first user account between the online service and a first device associated with a first user, receiving a login request associated with the first user account to establish a second authenticated access session between the online service and a second device associated with a second user, transmitting, to the first device, a notification of the login request including a GUI element and a request to authenticate the login request, and establishing the second authenticated access session between the online service and the second device of the second user based on authentication of the second user via the GUI element.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: August 30, 2022
    Assignee: Capital One Services, LLC
    Inventors: Bryant Yee, George Bergeron, Mykhaylo Bulgakov
  • Patent number: 11427010
    Abstract: A logic circuitry package for a replaceable print apparatus component comprises an interface to communicate with a print apparatus logic circuit, and at least one logic circuit. The logic circuit may be configured to identify, from a command stream received from the print apparatus, parameters including a class parameter, and/or identify, from the command stream, a read request, and output, via the interface, a count value in response to a read request, the count value based on identified received parameters.
    Type: Grant
    Filed: April 5, 2019
    Date of Patent: August 30, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: James Michael Gardner, Scott A. Linn, Stephen D. Panshin, Jefferson P. Ward, David Owen Roethig, David N. Olsen, Anthony D. Studer, Michael W. Cumbie, Sirena Chi Lu
  • Patent number: 11423137
    Abstract: An authorization level is set at enrollment. The authorization level can be determined based on user identity and a class of authentication. The class of authentication can be associated with strength of authentication related to a channel employed to enroll a user for access to products or services. Authorization level can also be determined based on initiation information regarding the user, a device of the user, or both. Access to the products or services can be selectively controlled based on the authorization level.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: August 23, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Adam Evans Vancini, Christopher Phillip Clausen, Darrell L. Suen
  • Patent number: 11423968
    Abstract: Systems and methods for detecting the presence of a body in a network without fiducial elements, using signal absorption, and signal forward and reflected backscatter of radio frequency (RF) waves caused by the presence of a biological mass in a communications network.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: August 23, 2022
    Assignee: Ivani, LLC
    Inventors: John Wootton, Matthew Wootton, Chris Nissman, Victoria Preston, Jonathan Clark, Justin McKinney, Claire Barnes, Zhecan Wang, Xinyu Xiao
  • Patent number: 11409905
    Abstract: A management apparatus, a management system, a server system, a remote device management system, and a data deletion request method. The management apparatus acquires apparatus identification information for identifying a processing apparatus storing device event data indicating content of an event executed by a device to be managed from one or more processing apparatuses that process the device event data and requests deletion of the device event data to the processing apparatus identified by the acquired apparatus identification information in response to a device event data deletion request.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: August 9, 2022
    Assignee: RICOH COMPANY, LTD.
    Inventor: Naoki Chiyo
  • Patent number: 11405425
    Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Yordan Ivanov Rouskov, William Bruce Barr, III, Radhika Kashyap, Carlos Adrian Lopez Castro, Pui-Yin Winfred Wong
  • Patent number: 11405474
    Abstract: A client-side system detects a current location of a client device and a cloud interaction metric. The geographic area around the location of the client device is divided into grid sections. The client-side system identifies a pre-defined reference location corresponding to the grid section that the client device location resides in. The pre-defined reference location, corresponding to that grid section, and the cloud interaction metric are provided to a remote server computing system.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Srinivasachakrapani Kotipalli, Parul Manek, Konstantin E. Ryvkin, Brad Rutkowski, Gregory Irving Thiel, Ayla Kol
  • Patent number: 11403432
    Abstract: An integrated circuit including: a plurality of physically unclonable function (PUF) cells each configured to generate a cell signal having a unique value; a selector configured to output a first signal obtained by not inverting a cell signal output by a PUF cell selected from the plurality of PUF cells and a second signal obtained by inverting the cell signal; and a key generator configured to generate a security key in response to the first signal or the second signal, wherein the selector includes a first conversion circuit configured to generate the first signal and a second conversion circuit having the same structure as the first conversion circuit and configured to generate the second signal.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: August 2, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Bohdan Karpinskyy, Yong-ki Lee, Ji-eun Park, Kyoung-moon Ahn, Yun-hyeok Choi
  • Patent number: 11399039
    Abstract: Lateral movement between networked computers is detected, and automatically and efficiently assessed by a detection tool to distinguish innocent activity from cyberattacks. By correlating log data about logins and network traffic, the detection tool produces network node sets corresponding to individual movements. If a chain can be built from node sets matching an event sequence pattern that tends to be used by attackers, then the detection tool reports the chain as an illicit lateral movement candidate. Detection patterns define illicitness grounds such as consistency of data transfer sizes, shortness of login intervals, use of suspect protocols, chain scope, and the presence or use of administrator credentials. Detection responses may then isolate computers, inspect them for malware or tampering, obtain forensic images for analysis, tighten exfiltration filtering, and otherwise mitigate against ongoing or future cyberattacks.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: July 26, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mor Rubin, Moshe Ben-Nehemia
  • Patent number: 11382037
    Abstract: A method of operating a terminal device in a wireless telecommunications system comprising the terminal device and a plurality of network access nodes, wherein the method comprises: establishing first wake-up signalling configuration information for a first network access node covering a current location for the terminal device, wherein the first wake-up signalling configuration information comprises an indication of a first wake-up signalling format to be transmitted by the first network access node in advance of transmitting a paging message to indicate the terminal device should seek to decode the paging message, and an indication of an associated first wake-up signalling validity period for the first wake-up signalling format.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: July 5, 2022
    Assignee: SONY CORPORATION
    Inventors: Vivek Sharma, Shin Horng Wong, Martin Warwick Beale, Samuel Asangbeng Atungsiri
  • Patent number: 11374942
    Abstract: In a verification terminal for verifying properness of an information item composed of a data string, a storage unit stores an own-terminal information item comprised of a data string, and a verification value generation unit generates a hash value of the own-terminal information item stored in the storage unit as an own-terminal hash value. A verification value acquisition unit communicates with at least one other verification terminal that should store an other-terminal information item to thereby acquire a hash value of the other-terminal information item from the at least one other verification terminal as an other-terminal hash value. The other-terminal information item is conditioned to be identical to the own-terminal information item. A verification execution unit verifies properness of the own-terminal information item in accordance with whether the own-terminal hash value is consistent with the other-terminal hash value.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: June 28, 2022
    Assignee: DENSO CORPORATION
    Inventors: Tatsuya Okabe, Eiichi Okuno, Takao Nojiri
  • Patent number: 11374772
    Abstract: A secure programming system can receive a job control package having a security kernel and a target payload of content for programming into a pre-defined set of trusted devices. A device programmer can install a security kernel on the trusted devices and reboot the trusted devices using the security kernel to validate the proper operation of the security kernel. The target payload can then be securely installed on the trusted devices and validated.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: June 28, 2022
    Assignee: Data I/O Corporation
    Inventors: Rajeev Gulati, David R. Christie, Edwin R. Musch, Benjamin M. Deagen
  • Patent number: 11368319
    Abstract: The present disclosure relates to an integrated circuit and a method of using the integrated circuit used to perform authentication using a challenge-response method. The challenge-response method includes an internal challenge generator, a physically unclonable function (PUF) block, and a response generator. The internal challenge generator is configured to receive a challenge, generate a plurality of internal challenges corresponding to the challenge, and generate at least one valid internal challenge among the plurality of internal challenges using screen information. The physically unclonable function (PUF) block is configured to generate a plurality of valid internal responses respectively changing according to the plurality of valid internal challenges. The response generator is configured to output a response generated using the plurality of valid internal responses.
    Type: Grant
    Filed: September 9, 2020
    Date of Patent: June 21, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yongsoo Kim, Juyeon Lee, Mijung Noh, Yongki Lee, Yunhyeok Choi
  • Patent number: 11361103
    Abstract: Systems and methods are provided for implementing stand-in network identities, whereby independent users are permitted to act on behalf of dependent users. One exemplary computer-implemented method includes receiving a request from an independent user to provision personal identifying information (PII) for a dependent user to a first communication device. The method then includes authenticating the dependent user at a second different communication device, receiving the PII from the dependent user in response to the authentication, and transmitting the PII to a secure data structure. The method further includes authenticating the independent user at the first communication device, retrieving the PII for the dependent user from the secure data structure in response to the authentication, and transmitting the PII to the first communication device, whereby the PII may be stored in a secure element at the first communication device for use by the independent user on behalf of the dependent user.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: June 14, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Aaron Shortell, Kristen Metropoulos, Andrew Haimes, Nicole M. Yap
  • Patent number: 11363013
    Abstract: An identity authenticator receives a first authentication credential from a first application at a first computing device. The identity authenticator then determines that the first authentication credential is associated with a second authentication credential for the first application at a second computing device based on a stored authentication identity. The identity authenticator then provides a stored execution state for the first application to the first computing device, wherein the stored execution state is associated, based on the stored authentication identity, with at least one of the first authentication credential or the second authentication credential.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: June 14, 2022
    Assignee: ELECTRONIC ARTS INC.
    Inventors: Lin Yang, Anand Nair, Gregory William Schaefer, Yuan Fang, Danjun Xing, Shengyong Li, Chuan Ye
  • Patent number: 11361070
    Abstract: Method for secure execution of code, including (a) on a CPU, where opcodes for the same executable instructions differ from one memory page to another, depending on memory tag, loading original static instructions from executable module <0> into non-tagged executable memory pages; (b) beginning execution of original static instructions of process <0>; (c) invoking a CPU instruction to start process <i>, where i=1 initially, in process <0>, to create a new memory tag <i>, its set of randomized opcodes and to return memory tag <i> and new randomized set of opcodes to process <0>; (d) loading executable module <i> for process <i> in process <0>, and transforming executable code using new randomized opcodes from step (c); (e) in process <0>, allocating tagged memory with tag <i> to process <i>, loading memory with compiled executable code from step (d) into process <i>, and running compiled code from step (d).
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: June 14, 2022
    Inventor: Ilya Rabinovich
  • Patent number: 11356447
    Abstract: Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenge workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: June 7, 2022
    Assignee: Live Nation Entertainment, Inc.
    Inventors: Dan Cernoch, Ajay Pondicherry, David Refsland, Kenneth Ives-Halperin
  • Patent number: 11356450
    Abstract: The present techniques generally relate to a system comprising: a data resource comprising: a device data log to store a device data record for device data of a first device; a permissions log to store a permissions record for one or more permissions associated with the device data; a consent log to store a consent record comprising a consent status for the one or more permissions; wherein the consent record, permissions record and device data record provide a verifiable data audit to determine whether a party is authorized to access the device data.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: June 7, 2022
    Assignee: Arm IP Limited
    Inventor: Peter James Samuel Ferguson
  • Patent number: 11350263
    Abstract: Techniques may be used for restricted direct discovery in proximity services (ProSe). A ProSe function may receive from a discovery wireless transmit/receive unit (WTRU) a restricted ProSe Application identity (ID) of an application located at the discoverer WTRU requesting ProSe discovery. The ProSe function may derive a first and second ProSe codes for the discoveree WTRU and discoverer WTRU, and provide the ProSe codes to the discoverer and/or discoveree WTRUs. A ProSe application server may receive a revocation message from an announcing WTRU indicating a revoked WTRU. The ProSe application server may provide a ProSe discovery WTRU ID for the revoked WTRU to a ProSe Function. The ProSe function may instruct the announcing WTRU to stop announcing a ProSe code known by the revoked WTRU, and may provide a new ProSe code to at least one WTRU authorized to discover the announcing WTRU.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: May 31, 2022
    Assignee: INTERDIGITAL PATENT HOLDINGS, INC.
    Inventors: Dimitrios Karampatsis, Mahmoud Watfa, Ulises Olvera-Hernandez, Saad Ahmad
  • Patent number: 11343229
    Abstract: Some embodiments provide a method for a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter. The MFE implements a logical network that connects multiple DCNs within the public datacenter. The method receives a packet, directed to the DCN, that (i) has a first logical network source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network. The method determines whether the first logical network source address is a valid source address for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses. When the first source address is not a valid source address for the packet, the method drops the packet.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: May 24, 2022
    Assignee: VMWARE, INC.
    Inventors: Rahul Jain, Mukesh Hira, Su Wang
  • Patent number: 11343554
    Abstract: Methods and apparatus for providing protected content to subscribers of a managed (e.g., MSO) network via a content source accessible via an internetwork such as the Internet. In one embodiment, a user accesses a programmer website, and requests content. The programmer determines whether the requesting user is permitted to access the content, and what rights or restrictions are associated with the user. This includes authenticating the user as a subscriber of the MSO, and determining the subscriber's subscription level. In another embodiment, a user's account with the MSO and programmer may be federated, thus a given user will have MSO-specific information regarding its identity (such as login information, GUID, etc.) and/or information regarding subscription level and service details, stored at the programmer. Messages received from the MSO representing permission for the user to access content may also be stored at the programmer site for later reference.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: May 24, 2022
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: Gary Cronk, Jonathan Putsch, James Boutilier, Paul L. Miller, Michael Dillon
  • Patent number: 11336698
    Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests from a client during an application session, inject one or more synthetic requests into the application session independently of the incoming requests to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: May 17, 2022
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Prasenna Ravi
  • Patent number: 11336650
    Abstract: The disclosed computer-implemented method for producing access control list caches including effective information access permissions across disparate storage devices may include (i) receiving, at a computing device, an instruction to prepare an access control list (ACL) cache and (ii) performing a security action. The security action may include (A) recursively parsing, at the computing device, at least one respective ACL for information stored on at least two disparate storage devices, (B) identifying, at each step of recursion, each direct user and each indirect user having information access permissions in at least one of the respective ACLs, (C) determining, for each unique user in the respective ACLs, per-control point effective permissions, and (D) storing the per-control point effective information access permissions in the ACL cache. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: May 17, 2022
    Assignee: Veritas Technologies LLC
    Inventors: Shailesh Dargude, Satish Grandhi, Harshit Shah
  • Patent number: 11336632
    Abstract: The present disclosure relates to generating composite user identities in a distributed computing system. According to one embodiment, an example method generally includes transmitting, to a plurality of identity providers, a request for user identity information. A service provider receives, from a subset of the plurality of identity providers, the user identity information and selects a subset of the received user identity information to be used in verifying an identity of a user based, at least in part, on a reputation score associated with each identity provider in the subset of identity providers. The service provider generates a composite user identity based on the selected subset of the received user identity information. The service provider takes one or more actions to enable use of a service based on the generated composite user identity.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: May 17, 2022
    Assignee: INTUIT INC.
    Inventors: Parikshit Lingampally, Glenn C. Scott, Michael R. Gabriel
  • Patent number: 11329895
    Abstract: A global cloud network quality measurement method may include generating an Internet protocol (IP) list of open web servers having at least one externally open port for each country; collecting packet data through communication with each of the open web servers based on the IP list; and analyzing a network quality with respect to at least one of a region, an Internet service provider (ISP), and an autonomous system number (ASN) based on the collected packet data.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: May 10, 2022
    Assignee: NAVER CLOUD CORPORATION
    Inventor: Ho Jin Lee
  • Patent number: 11329979
    Abstract: Systems and methods are provided for secure access to data actions. In one embodiment, secondary device data is associated with a user profile, such that the secondary device data may be subsequently used to authenticate a user associated with the user profile.
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: May 10, 2022
    Assignee: United Services Automobile Association (USAA)
    Inventors: Bharat Prasad, Charles Lee Oakes, III, Gunjan C. Vijayvergia, Vijay Jayapalan, Thomas Bret Buckingham
  • Patent number: 11330016
    Abstract: A computing device is described that is coupled to a set of web application layer attack detectors (ADs), which are coupled between clients and web application servers. The ADs apply security rules to traffic between clients and servers and send alert packages to the computing device in response to triggering one or more security rules, which identify web application layer attacks. The computing device automatically generates attribute identifier-value pairs based on alert packages and uses the attribute identifier-value pairs along with collection rule templates to generate collection rules, which are used to inspect traffic for additional analysis. The ADs apply the collection rules to traffic and send collection packages to the computing device in response to triggering one or more collection rules.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: May 10, 2022
    Assignee: Imperva, Inc.
    Inventors: Nadav Avital Arbel, Luda Lazar, Gilad Yehudai
  • Patent number: 11321437
    Abstract: In accordance with a first aspect of the present disclosure, a method is conceived for enabling a biometric template in an authentication token, the method comprising: capturing, by a biometric sensor comprised in the authentication token, at least one biometric sample; creating, by a processing unit comprised in the authentication token, a biometric template from the at least one biometric sample and storing said biometric template in the authentication token; verifying, at a terminal device, said biometric template; verifying, by the terminal device, an identity of a user; enabling, by the terminal device, said biometric template if the biometric template and the identity of the user have been verified. In addition, a corresponding computer program, authentication token and terminal device are provided.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: May 3, 2022
    Assignee: NXP B.V.
    Inventors: Thomas Suwald, Jakob Friedrich Hille
  • Patent number: 11318912
    Abstract: A monitoring system in which a mounting device of a moving body and a monitoring center device are connected via a communication network, wherein the mounting device includes a photographing unit configured to photograph a passenger, and a feature transmission unit configured to transmit feature data of the passenger, and the monitoring center device includes a monitoring processing unit which determines whether the feature data is recorded in a database and performs monitoring processing on the basis of a result of the determination.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: May 3, 2022
    Assignee: NEC CORPORATION
    Inventor: Akiyoshi Ichimura
  • Patent number: 11317267
    Abstract: A power tool system includes a power tool configured to receive an input power via a cable from a power source. The power tool system also includes a communications system disposed within the power tool. The communications system includes communications circuitry configured to receive operating information related to the power tool. The power tool system includes a retrofit tag removably coupled to an external surface of a housing of the power tool. The retrofit tag is configured to wirelessly couple with the communications system to receive at least a portion of the operating information with a first wireless communication mode. The retrofit tag is configured to transmit at least a portion of the operating information with a second wireless communication mode. The first wireless communication mode is different than the second wireless communication mode.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: April 26, 2022
    Assignee: HILTI AKTIENGESELLSCHAFT
    Inventor: Marc Vetter
  • Patent number: 11310062
    Abstract: The present disclosure relates to implementations of computing systems. Specifically, the disclosure describes implementations of physically unclonable functions (PUFs) that use ternary states for implementing security systems.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: April 19, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventors: Bertrand Francis Cambou, Raul Chipana, Bilal Habib
  • Patent number: 11308502
    Abstract: A method for detecting web tracking services during browsing activity performed by clients having associated client identifiers includes the steps of extracting key-value pairs contained in navigation data, looking for one-to-one correspondence between said client identifiers and the values contained in said keys and selecting the keys for which at least a client-value one-to-one correspondence for at least a predetermined number of clients is observed, the keys identifying the associated services as services performing tracking activities.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: April 19, 2022
    Assignee: Politecnico Di Torino
    Inventors: Hassan Esam Hassan Metwalley, Stefano Traverso, Marco Mellia
  • Patent number: 11310206
    Abstract: Systems, methods, and computer program products providing network security leveraging analytics and physical separation between computer systems and a network to prevent threats from infecting network devices. A specialized pluggable dongle-like security device is inserted between ports of computer system(s) connecting to the network and port(s) of network hardware facilitating connections between the computer system and computer network. The security device uses a combination of onboard analytics and cloud-based analytic services to detect incoming threats from network traffic and whether to allow network traffic to pass through the security device and/or prevent network traffic from entering the computer system.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: April 19, 2022
    Assignee: Kyndryl, Inc.
    Inventors: Joseph Reyes, Bernhard Julius Klingenberg, Hamza Yaswi
  • Patent number: 11303708
    Abstract: A display control unit causes a projector display unit to display host-specifying information based on a first host address of a first IP address allocated to a projector. A communication establishment unit specifies, when the host-specifying information is inputted via an input unit, a third IP address based on the inputted host-specifying information and a second network address of a second IP address allocated to a communication terminal. The communication establishment unit executes communication establishment processing to establish communication between the projector and the communication terminal, using the third IP address.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: April 12, 2022
    Assignee: Seiko Epson Corporation
    Inventor: Kazuki Nagai
  • Patent number: 11294860
    Abstract: A method and system including receiving a main input stream for a compressed file at an application server, wherein the main input stream includes two or more file streams; extracting a file-type extension from each file stream input stream; determining the file-type extension is supported; determining, for each file stream with the supported file-type extension, a signature for the file stream with the supported file-type extension is valid; determining, for each valid file stream, a size of the file is less than a threshold level; and storing the valid file stream on a storage device when the size of the file is less than the threshold level. Numerous other aspects are provided.
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: April 5, 2022
    Assignee: SAP SE
    Inventor: Deepak Mp
  • Patent number: 11295379
    Abstract: A virtual storage system and a method of storing and sharing electronic documents within a virtual storage system that includes at least one processor that processes a plurality of electronic documents, receives from the user computing device, a request for sharing an electronic document of the plurality of electronic documents, and input information including one or more of the following: access information that includes authentication information for secured access by the recipient and expiration information corresponding to the recipient's access to the electronic document; or download information that includes a number of times the electronic document is to be downloaded by the recipient and expiration information corresponding to the recipient's downloading the electronic document, and creates at least one share link corresponding to the electronic document based on the input information, for sharing the electronic document with a recipient.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: April 5, 2022
    Assignee: VIRTUAL STRONGBOX, INC.
    Inventors: Ronald M Daly, Jr., Leonard Giambalvo, Robert Jacob Smilie
  • Patent number: 11289086
    Abstract: A system and method for selecting a target device out of a larger group of candidate devices for rendering a response from a virtual assistant to an end-user is disclosed. The system determines that a same trigger phrase included in an utterance has been received by multiple devices that are in proximity to one another at around the same time. These candidate devices can collect attention data, such as user gaze toward a device, to select the device that was most likely the intended recipient of the utterance. The system is configured to control the virtual assistant to render a response solely via the selected device.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: March 29, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicholas David Burton, Arash Ghanaie-Sichanie, Qi Liu, Senthil Kumar Velayutham, Jian Wu