Abstract: An authorization level is set at enrollment. The authorization level can be determined based on user identity and a class of authentication. The class of authentication can be associated with strength of authentication related to a channel employed to enroll a user for access to products or services. Authorization level can also be determined based on initiation information regarding the user, a device of the user, or both. Access to the products or services can be selectively controlled based on the authorization level.

Abstract: Systems and methods for detecting the presence of a body in a network without fiducial elements, using signal absorption, and signal forward and reflected backscatter of radio frequency (RF) waves caused by the presence of a biological mass in a communications network.

Abstract: A management apparatus, a management system, a server system, a remote device management system, and a data deletion request method. The management apparatus acquires apparatus identification information for identifying a processing apparatus storing device event data indicating content of an event executed by a device to be managed from one or more processing apparatuses that process the device event data and requests deletion of the device event data to the processing apparatus identified by the acquired apparatus identification information in response to a device event data deletion request.

Abstract: A client-side system detects a current location of a client device and a cloud interaction metric. The geographic area around the location of the client device is divided into grid sections. The client-side system identifies a pre-defined reference location corresponding to the grid section that the client device location resides in. The pre-defined reference location, corresponding to that grid section, and the cloud interaction metric are provided to a remote server computing system.

Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.

Abstract: An integrated circuit including: a plurality of physically unclonable function (PUF) cells each configured to generate a cell signal having a unique value; a selector configured to output a first signal obtained by not inverting a cell signal output by a PUF cell selected from the plurality PUF cells and a second signal obtained by inverting the cell signal; and a key generator configured to generate a security key in response to the first signal or the second signal, wherein the selector includes a first conversion circuit configured to generate the first signal and a second conversion circuit having the same structure as the first conversion circuit and configured to generate the second signal.

Abstract: Lateral movement between networked computers is detected, and automatically and efficiently assessed by a detection tool to distinguish innocent activity from cyberattacks. By correlating log data about logins and network traffic, the detection tool produces network node sets corresponding to individual movements. If a chain can be built from node sets matching an event sequence pattern that tends to be used by attackers, then the detection tool reports the chain as an illicit lateral movement candidate. Detection patterns define illicitness grounds such as consistency of data transfer sizes, shortness of login intervals, use of suspect protocols, chain scope, and the presence or use of administrator credentials. Detection responses may then isolate computers, inspect them for malware or tampering, obtain forensic images for analysis, tighten exfiltration filtering, and otherwise mitigate against ongoing or future cyberattacks.

Abstract: A method of operating a terminal device in a wireless telecommunications system comprising the terminal device and a plurality of network access nodes, wherein the method comprises: establishing first wake-up signalling configuration information for a first network access node covering a current location for the terminal device, wherein the first wake-up signalling configuration information comprises an indication of a first wake-up signalling format to be transmitted by the first network access node in advance of transmitting a paging message to indicate the terminal device should seek to decode the paging message, and an indication of an associated first wake-up signalling validity period for the first wake-up signalling format.

Abstract: A secure programming system can receive a job control package having a security kernel and a target payload of content for programming into a pre-defined set of trusted devices. A device programmer can install a security kernel on the trusted devices and reboot the trusted devices using the security kernel to validate the proper operation of the security kernel. The target payload can then be securely installed on the trusted devices and validated.

Abstract: In a verification terminal for verifying properness of an information item composed of a data string, a storage unit stores an own-terminal information item comprised of a data string, and a verification value generation unit generates a hash value of the own-terminal information item stored in the storage unit as an own-terminal hash value. A verification value acquisition unit communicates with at least one other verification terminal that should store an other-terminal information item t to thereby acquire a hash value of the other-terminal information item from the at least one other verification terminal as an other-terminal hash value. The other-terminal information item is conditioned to be identical to the own-terminal information item. A verification execution unit verifies properness of the own-terminal information item in accordance with whether the own-terminal hash value is consistent with the other-terminal hash value.

Abstract: The present disclosure relates to an integrated circuit and a method of using the integrated circuit used to perform authentication using a challenge-response method. The challenge-response method includes an internal challenge generator, a physically unclonable function (PUF) block, and a response generator. The internal challenge generator is configured to receive a challenge, generate a plurality of internal challenges corresponding to the challenge, and generate at least one valid internal challenge among the plurality of internal challenges using screen information. The physically unclonable function (PUF) block is configured to generate a plurality of valid internal responses respectively changing according to the plurality of valid internal challenges. The response generator is configured to output a response generated using the plurality of valid internal responses.

Abstract: Systems and methods are provided for implementing stand-in network identities, whereby independent users are permitted to act on behalf of dependent users. One exemplary computer-implemented method includes receiving a request from an independent user to provision personal identifying information (PII) for a dependent user to a first communication device. The method then includes authenticating the dependent user at a second different communication device, receiving the PII from the dependent user in response to the authentication, and transmitting the PII to a secure data structure. The method further includes authenticating the independent user at the first communication device, retrieving the PII for the dependent user from the secure data structure in response to the authentication, and transmitting the PII to the first communication device, whereby the PII may be stored in a secure element at the first communication device for use by the independent user on behalf of the dependent user.

Abstract: An identity authenticator receives a first authentication credential from a first application at a first computing device. The identity authenticator then determines that the first authentication credential is associated with a second authentication credential for the first application at a second computing device based on a stored authentication identity. The identity authenticator then provides a stored execution state for the first application to the first computing device, wherein the stored execution state is associated, based on the stored authentication identity, with at least one of the first authentication credential or the second authentication credential.

Abstract: Method for secure execution of code, including (a) on a CPU, where opcodes for the same executable instructions differ from one memory page to another, depending on memory tag, loading original static instructions from executable module <0> into non-tagged executable memory pages; (b) beginning execution of original static instructions of process <0>; (c) invoking a CPU instruction to start process <i>, where i=1 initially, in process <0>, to create a new memory tag <i>, its set of randomized opcodes and to return memory tag <i> and new randomized set of opcodes to process <0>; (d) loading executable module <i> for process <i> in process <0>, and transforming executable code using new randomized opcodes from step (c); (e) in process <0>, allocating tagged memory with tag <i> to process <i>, loading memory with compiled executable code from step (d) into process <i>, and running compiled code from step (d).

Abstract: Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenges workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.

Abstract: The present techniques generally relate to a system comprising: a data resource comprising: a device data log to store a device data record for device data of a first device; a permissions log to store a permissions record for one or more permissions associated with the device data; a consent log to store a consent record comprising a consent status for the one or more permissions; wherein the consent record, permissions record and device data record provide a verifiable data audit to determine whether a party is authorized to access the device data.

Abstract: Techniques may be used for restricted direct discovery in proximity services (ProSe). A ProSe function may receive from a discovery wireless transmit/receive unit (WTRU) a restricted ProSe Application identity (ID) of an application located at the discoverer WTRU requesting ProSe discovery. The ProSe function may derive a first and second ProSe codes for the discoveree WTRU and discoverer WTRU, and provide the ProSe codes to the discoverer and/or discoveree WTRUs. A ProSe application server may receive a revocation message from an announcing WTRU indicating a revoked WTRU. The ProSe application server may provide a ProSe discovery WTRU ID for the revoked WTRU to a ProSe Function. The ProSe function may instruct the announcing WTRU to stop announcing a ProSe code known by the revoked WTRU, and may provide a new ProSe code to at least one WTRU authorized to discover the announcing WTRU.

Abstract: Methods and apparatus for providing protected content to subscribers of a managed (e.g., MSO) network via a content source accessible via an internetwork such as the Internet. In one embodiment, a user accesses a programmer website, and requests content. The programmer determines whether the requesting user is permitted to access the content, and what rights or restrictions are associated with the user. This includes authenticating the user as a subscriber of the MSO, and determining the subscriber's subscription level. In another embodiment, a user's account with the MSO and programmer may be federated, thus a given user will have MSO-specific information regarding its identity (such as login information, GUID, etc.) and/or information regarding subscription level and service details, stored at the programmer. Messages received from the MSO representing permission for the user to access content may also be stored at the programmer site for later reference.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter. The MFE implements a logical network that connects multiple DCNs within the public datacenter. The method receives a packet, directed to the DCN, that (i) has a first logical network source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network. The method determines whether the first logical network source address is a valid source address for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses. When the first source address is not a valid source address for the packet, the method drops the packet.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests from a client during an application session, inject one or more synthetic requests into the application session independently of the incoming requests to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application.

Abstract: The disclosed computer-implemented method for producing access control list caches including effective information access permissions across disparate storage devices may include (i) receiving, at a computing device, an instruction to prepare an access control list (ACL) cache and (ii) performing a security action. The security action may include (A) recursively parsing, at the computing device, at least one respective ACL for information stored on at least two disparate storage devices, (B) identifying, at each step of recursion, each direct user and each indirect user having information access permissions in at least one of the respective ACLs, (C) determining, for each unique user in the respective ACLs, per-control point effective permissions, and (D) storing the per-control point effective information access permissions in the ACL cache. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present disclosure relates to generating composite user identities in a distributed computing system. According to one embodiment, an example method generally includes transmitting, to a plurality of identity providers, a request for user identity information. A service provider receives, from a subset of the plurality of identity providers, the user identity information and selects a subset of the received user identity information to be used in verifying an identity of a user based, at least in part, on a reputation score associated with each identity provider in the subset of identity providers. The service provider generates a composite user identity based on the selected subset of the received user identity information. The service provider takes one or more actions to enable use of a service based on the generated composite user identity.

Abstract: A computing device is described that is coupled to a set of web application layer attack detectors (ADs), which are coupled between clients and web application servers. The ADs apply security rules to traffic between clients and servers and send alert packages to the computing device in response to triggering one or more security rules, which identify web application layer attacks. The computing device automatically generates attribute identifier-value pairs based on alert packages and uses the attribute identifier-value pairs along with collection rule templates to generate collection rules, which are used to inspect traffic for additional analysis. The ADs apply the collection rules to traffic and send collection packages to the computing device in response to triggering one or more collection rules.

Abstract: Systems and methods are provided for secure access to data actions. In one embodiment, secondary device data is associated with a user profile, such that the secondary device data may be subsequently used to authenticate a user associated with the user profile.

Abstract: A global cloud network quality measurement method may include generating an Internet protocol (IP) list of open web servers having at least one externally open port for each country; collecting packet data through communication with each of the open web servers based on the IP list; and analyzing a network quality with respect to at least one of a region, an Internet service provider (ISP), and an autonomous system number (ASN) based on the collected packet data.

Abstract: A monitoring system in which a mounting device of a moving body and a monitoring center device are connected via a communication network, wherein the mounting device includes a photographing unit configured to photograph a passenger, and a feature transmission unit configured to transmit feature data of the passenger, and the monitoring center device includes a monitoring processing unit which determines whether the feature data is recorded in a database and performs monitoring processing on the basis of a result of the determination.

Abstract: In accordance with a first aspect of the present disclosure, a method is conceived for enabling a biometric template in an authentication token, the method comprising: capturing, by a biometric sensor comprised in the authentication token, at least one biometric sample; creating, by a processing unit comprised in the authentication token, a biometric template from the at least one biometric sample and storing said biometric template in the authentication token; verifying, at a terminal device, said biometric template; verifying, by the terminal device, an identity of a user; enabling, by the terminal device, said biometric template if the biometric template and the identity of the user have been verified. In addition, a corresponding computer program, authentication token and terminal device are provided.

Abstract: A power tool system includes a power tool configured to receive an input power via a cable from a power source. The power tool system also includes a communications system disposed within the power tool. The communications system includes communications circuitry configured to receive operating information related to the power tool. The power tool system includes a retrofit tag removably coupled to an external surface of a housing of the power tool. The retrofit tag is configured to wirelessly couple with the communications system to receive at least a portion of the operating information with a first wireless communication mode. The retrofit tag is configured to transmit at least a portion of the operating information with a second wireless communication mode. The first wireless communication mode is different than the second wireless communication mode.

Abstract: A method for detecting web tracking services during browsing activity performed by clients having associated client identifiers includes the steps of extracting key-value pairs contained into navigation data, looking for one-to-one correspondence between said client identifiers and the values contained in said keys and selecting the keys for which at least a client-value one-to-one correspondence for at least a predetermined number of clients is observed, the keys identifying the associated services as services performing tracking activities.

Abstract: The present disclosure relates to implementations of computing systems. Specifically, the disclosure describes implementations of physically unclonable functions (PUFs) that use ternary states for implementing security systems.

Abstract: Systems, methods, and computer program products providing network security leveraging analytics and physical separation between computer systems and a network to prevent threats from infecting network devices. A specialized pluggable dongle like security device is inserted between ports of computer system(s) connecting to the network and port(s) of network hardware facilitating connections between the computer system and computer network. The security device uses a combination of onboard analytics and cloud-based analytic services to detect incoming threats from network traffic and whether to allow network traffic to pass through the security device and/or prevent network traffic from entering the computer system.

Abstract: A display control unit causes a projector display unit to display host-specifying information based on a first host address of a first IP address allocated to a projector. A communication establishment unit specifies, when the host-specifying information is inputted via an input unit, a third IP address based on the inputted host-specifying information and a second network address of a second IP address allocated to a communication terminal. The communication establishment unit executes communication establishment processing to establish communication between the projector and the communication terminal, using the third IP address.

Abstract: A method and system including receiving a main input stream for a compressed file at an application server, wherein the main input stream includes two or more file streams; extracting a file-type extension from each file stream input stream; determining the file-type extension is supported; determining, for each file stream with the supported file-type extension, a signature for the file stream with the supported file-type extension is valid; determining, for each valid file stream, a size of the file is less than a threshold level; and storing the valid file stream on a storage device when the size of the file is less than the threshold level. Numerous other aspects are provided.

Abstract: A virtual storage system and a method of storing and sharing electronic documents within a virtual storage system that includes at least one processor that processes a plurality of electronic documents, receives from the user computing device, a request for sharing an electronic document of the plurality of electronic documents, and input information including one or more of the following: access information that includes authentication information for secured access by the recipient and expiration information corresponding to the recipient's access to the electronic document; or download information that includes a number of times the electronic document is to be downloaded by the recipient and expiration information corresponding to the recipient's downloading the electronic document, and creates at least one share link corresponding to the electronic document based on the input information, for sharing the electronic document with a recipient.

Abstract: Systems and methods for identity authentication based on liveness-verified biometric data that cannot be stolen/spoofed. In various embodiments, the disclosed systems and methods facilitate access to SaaS platforms, transactions, and/or physical assets via identity authentication based on comparison of liveness-verified biometric data (e.g., data that has been verified as derived from the correct actual live individual to avoid bad actors spoofing the data to gain access—in one embodiment, as one factor in a two factor authentication schema) to pre-verified identity data. Liveness-verified biometric data may, in various embodiments, be derived from facial features, fingerprints, voice recognition, DNA, etc. Generally, if the liveness and identity of the requesting individual cannot be verified, then the individual will not be permitted access.

Abstract: A system and method for selecting a target device out of a larger group of candidate devices for rendering a response from a virtual assistant to an end-user is disclosed. The system determines that a same trigger phrase included in an utterance has been received by multiple devices that are in proximity to one another at around the same time. These candidate devices can collect attention data, such as user gaze toward a device, to select the device that was most likely the intended recipient of the utterance. The system is configured to control the virtual assistant to render a response solely via the selected device.

Abstract: A method for utilizing a security service engine (SSE) to assess security vulnerabilities on a security gateway element (SGE) includes establishing a security configuration for a SGE corresponding to a provisioned security service policy definition and configuring a plurality of SGE security service managers hosted by a SSE on the SGE based on policies included in the security service policy definition. The method further includes executing, by the SSE, each of the plurality of SGE security service managers as a software based service in real time to enforce the policies of the security service policy definition on the SGE and remediating the security configuration of the SGE if one or more of the plurality of SGE security service managers detects a security vulnerability corresponding to the operation of the SGE.

Abstract: A method includes determining, based on login information corresponding to a plurality of login attempts, that a set of password spray criteria have been satisfied. The method also includes generating respective scoring patterns corresponding to one or more password lengths and based on the respective scoring patterns, generating a common digital signature for a set of common passwords. The method further includes generating a spray digital signature for a set of potential spray passwords based on the respective scoring patterns. Additionally, the method includes comparing the spray digital signature with the common digital signatures to determine a number of matching components between the spray digital signatures and the common digital signature. Based on the number of matching components, the method includes determining whether a password spray has been attempted.

Abstract: A method and system of protecting an artificial intelligence (AI) application are provided. Parameters of the AI application are identified. An assessment of a vulnerability of the AI application is performed, including: applying a combination of protection measures comprising two or more protection measures against at least two different attacks and at least one dataset, and determining whether the combination of protection measures is successful in defending the AI application. A target configuration of an AI model to protect the AI application is determined based on the assessed vulnerability of the AI application. An AI enhanced algorithm is determined to adjust the AI model to include a combination of most computationally efficient defenses based on the target configuration. The adjusted AI model is used to protect the AI application.

Abstract: An approach is provided that receives a login request from a selected user. The approach first authenticates the selected user using a unique user identifier and a password associated with the selected user. In response to a successful first authentication, the approach performs a second authentication of the selected user using a second factor authentication code that was included in the login request. The second authentication includes retrieval of an expected second factor authentication code using an index into a block of codes with the index and the block of codes both being associated with the selected user. The login request is allowed and the index is changed in response to the second factor authentication code matching the expected second factor authentication code. The login request is denied in response to the second factor authentication code failing to match the expected second factor authentication code.

Abstract: A monitoring device is configured to monitor a monitoring target device. The monitoring device includes a circuit information distribution program configured to distribute circuit information for programming a physically unclonable function (PUF) circuit to the monitoring target device; a transmission processing program configured to transmit a challenge value to the monitoring target device to which circuit information is distributed; a reception processing program configured to receive a response value corresponding to the challenge value of the PUF circuit programmed in the monitoring target device; and an authentication processing program configured to authenticate the monitoring target device based on input and output correspondence information of the PUF circuit programmed in the monitoring target device and the response value which has been received.

Abstract: A system and method for performing a task on a computing device based on access rights are described. In one aspect, an exemplary method comprises, gathering data characterizing a task by intercepting function calls used to perform the task, and sending a request to an operating system of the computing device to temporarily interrupt the called functions until access rights are determined, determining a threat level of the task based on the gathered data and task templates, generating a test based on the threat level and test generating rules and presenting the test to the user, analyzing results of the test and determining access rights of the task based on the results, and performing the task based on the access rights.

Abstract: Sensor-assisted location technology is disclosed. Primary location technologies, such as GPS, can be used to determine the current location (e.g., a location fix) of a location-enabled device. In some instances, the primary location technology may be unreliable and/or consume more power than an alternative location technology. Sensors, such as accelerometers, compasses, gyrometers, and the like, can be used to supplement and/or increase the accuracy of location data. For example, a location-enabled device can identify an area with unreliable GPS location data and use sensors to calculate a more accurate location. Areas identified may be crowd-sourced. Sensors can be used to identify errors in the location data provided by primary location technology. Sensors can be used to modify a sampling interval of the primary location technology. Sensor can be used to smooth motion on a user interface between sampling intervals of the primary location technology.

Abstract: A cloud-based server and a port monitor on a device provide authentication of a user to access print jobs on the server. An application may print or perform other operations from the cloud-based server to a printing device. The port monitor uploads data for a document to the cloud-based server. Once the data for the document is uploaded, a claim code is generated by the cloud-based server. The port monitor receives the claim code. The port monitor initiates the launch of a browser having a uniform resource locator (URL) address for the server along with the claim code. The user is authenticated using a login page and the claim code associated to the user to allow access to the document on the server.

Abstract: A method for providing a gift includes receiving a gift token creation request representative of a selection of a gift recipient and gift limitations from a first computing device. The method includes generating a tokenized PAN associated with a gift account and transmitting the tokenized PAN and gift limitations to a second computing device. The method includes detecting a transaction authorization request that is representative of an attempted transaction at a merchant POS device based on monitoring of transaction authorization data originating from a plurality of merchant POS devices. The transaction authorization request represents an attempted tokenized PAN, an attempted transaction amount and a merchant code. The method includes determining that the attempted tokenized PAN matches the tokenized PAN associated with the gift account.

Abstract: An architecture to allow the spatial separation of information sources, information processing, and information consumption using objects and tags, including in mobile/multi-access edge computing (MEC) communication environments, is disclosed. In an example, a request for information provided to a network entity (such as a MEC entity) results in the receipt of an object and a tag, as a device operates in an operational area of an information service. The object provides data for the information service, and the tag provides the metadata related to a context of the information service and the object from another entity, for another entity located within the operational area of the location service. The use of this object, including in the form of an application, data, or user object type, allows a transfer and use of data and context for the information service that is independent from the access network.

Abstract: Systems and methods for authenticating a user using an interactive voice response application. The method includes receiving data representing a spoken voice utterance corresponding to a user of an interactive voice response application. The method further includes processing the data representing the spoken voice utterance based on a length and a quality of the spoken voice utterance. The method also includes comparing the processed data representing the spoken voice utterance and a voiceprint associated with the user. The method further includes generating a security token in response to determining that the processed data representing the spoken voice utterance substantially matches the voiceprint associated with the user. The method also includes receiving the security token from the interactive voice application and validating the security token corresponding to the user in response to determining that the security token matches a security token generated by a server computing device.

Abstract: A computing system includes a server. The server is communicatively coupled to a data repository and is configured to store a data in the data repository. The server is further configured to create a server instance, wherein the server instance is associated with a user. The server is additionally configured to create a session based on an external entity requesting a resource from the server instance, and to execute a bot detection logic to determine if the external entity is a bot. If the external entity is a bot then the server is configured to perform a bot-based action, wherein the server is configured to provide for multi-instance support to a plurality of users.

Abstract: A method for managing personal data stored in a distributed system, in which the personal data are transmitted from a terminal device to at least one network node; and in which there is furnished to the user, by the distributed system, a user interface by way of which the personal data are to be managed in respective network nodes of the distributed system which manage the personal data; and in which management instructions furnished via the user interface, for managing the personal data within the distributed system, are transmitted via a predefined interface that is configured at least on the respective network nodes of the distributed system which manage the personal data.

Abstract: The present invention provides a file synchronization and centralization system and a file synchronization and centralization method, which forcibly transmit, to a central server, data corresponding to a synchronization condition, among data being operated or data having been operated, and deletes the transmitted data from a PC, thereby making it impossible to transfer the data (including files and documents) to the outside or completely blocking a route through which the data can be attacked by ransom ware. The file synchronization and centralization system includes a central server and a PC.