Abstract: A method for determining a user plane security algorithm, a system, and an apparatus. The method may include: a second device selects a non-null user plane confidentiality protection algorithm based on a security capability of a first device and a security capability of the second device in a case in which user plane confidentiality protection between the second device and the first device is enabled and control plane confidentiality protection between the second device and the first device is not enabled. The second device sends a first message to the first device. The first message includes first algorithm indication information indicating the user plane confidentiality protection algorithm. Therefore, the first device can obtain the non-null user plane confidentiality protection algorithm. Embodiments can be adopted to determine an effective user plane confidentiality protection algorithm, for confidentiality protecting user plane data.

Abstract: The present disclosure relates to a communication method and system for converging a 5th-Generation (5G) communication system for supporting higher data rates beyond a 4th-Generation (4G) system with a technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the 5G communication technology and the IoT-related technology, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. The present disclosure relates to a method for optimizing processing of application requests.

Abstract: Various embodiments relate generally to computer science, data science, application architecture, and computer data security. More specifically, techniques for credential and authentication management in scalable data networks is described, including, but not limited to, multiplexed data exchanges in a scalable data network. For example, a method may include receiving a subset of requests to access a data network. The requests each may originate from an associated computing device having a source identifier. The method also may include data to cause modification of data representing presentation of a hosted page via the data network, monitoring data traffic from the data network and managing actions initiated via a request based on the data traffic. Optionally, data traffic received via an aggregation port may be filtered to origination of a request associated with a source identifier.

Abstract: A method and apparatus for support of service continuity between stand-alone non-public network (SNPN) and public land mobile network (PLMN) is provided. A wireless device transmits, to an access and mobility management function (AMF) of a source network, a protocol data unit (PDU) session establishment request to establish a PDU session with the source network via a non-3GPP interworking function (N3IWF) of the source network. The PDU session establishment request includes information informing that data delivery is not available via the PDU session. The wireless device determines to move from the source network to a target network, and transmits, to a user plane function (UPF) of the source network, mobility information informing that the wireless device moves from the source network to the target network.

Abstract: An electronic device includes a biometric authentication device; a memory configured to store an application and one or more instructions; and at least one processor configured to execute the one or more instructions to: receive an input for executing the application; based on receiving the input for executing the application, begin launching the application by loading public content corresponding to the application; operate the biometric authentication device to perform a biometric authentication while the public content is loaded; and based on the biometric authentication device completing the biometric authentication, complete the launching of the application by loading the public content and dedicated content associated with the biometric authentication.

Abstract: A system is provided for integrating at least one portable computing device with a resuscitative medical device such as a defibrillator. The system may include a carrying case coupled to the resuscitative medical device. The carrying case may include a storage space for the at least one portable computing device and a wireless charging system for charging the at least one portable computing device. The system may be configured to enable secure data transfer between each of the devices, including data communication and data storage. A processor of the resuscitative medical device may be configured to activate the wireless charging system and charge the at least one portable computing device under certain circumstances. The processor may further be configured to prioritize or optimize charging and data transfer between the resuscitative medical device and each of multiple portable computing devices.

Abstract: A CFI system constituted of: at least one protection module, each comprising a respective allowable flow model associated with at least one of a plurality of portions of a process; and at least one process protection manager, arranged, responsive to a control flow instruction in one of the plurality of portions of the process, to: compare one or more parameters of the control flow instruction to the allowable flow model of the associated protection module; and responsive to an outcome of the comparison indicating that the compared parameters do not meet a respective parameter of the allowable flow model, generate a predetermined signal, wherein each protection module is implemented as a shared object, wherein each process protection manager is implemented as a shared object, and wherein the at least one protection module and the process protection manager are loaded into the process.

Abstract: Systems and methods of handling sessions between client devices and one or more server based on session classifications are provided. A device identifies a time series of security metrics corresponding to requests received during a session established by a client device to access a resource provided by one or more servers. The device generates security features from the time series of security metrics based on one or more time windows. The device classifies the session as one of anomalous or genuine using the security features generated from the time series of security metrics based on the one or more time windows. The device handles subsequent requests received during the session based on the classification of the session as the one of anomalous or genuine.

Abstract: Systems, devices, and methods are discussed for enhancing security in a container server environment.

Abstract: In computer-implemented methods and systems for secure storage and transmission of data in a distributed network environment, each piece of data is transformed in to multiple pieces of metadata for transmission and storage. Each piece of metadata is transmitted and stored on a different server, which is selected from separate pools of servers.

Abstract: An information processing device including multiple operation units operable for a user, comprises: a storage; and a hardware processor that: detects the user; detects the operation unit operated by a first user from among the multiple operation units when the first user is being detected; stores operation information in which operation unit is recorded in the storage; and reads the operation information in the storage and notifies a second user of the operation unit operated by the first user when the second user is detected.

Abstract: A sound-based method and system of performing an authentication of a person in order to permit access to a secured resource is disclosed. The system and method are configured to transmit an audio signal to a remotely located smart device. When the smart device produces the audio signal, a nearby computing device captures the audio signal and provides the captured audio data to an authentication platform. The audio data is compared to the transmitted audio signal. The system can determine whether there is a match between the captured audio data and the transmitted audio data. If there is a match, the system verifies an identity of the person and can further be configured to automatically grant the person access to one or more services, features, or information for which he or she is authorized.

Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learnings models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.

Abstract: In one embodiment, a device, includes a network interface to receive a SYN packet from a client via a packet data network to establish a connection with a server, and a processor to run an express data path (XDP) to accelerate at least a part of a SYN cookie connection process.

Abstract: This disclosure describes techniques and mechanisms for authenticating user device(s) by ensuring that two user devices accessing the same online service are co-located, while protecting private information associated with a user's network landscape and/or Bluetooth device(s). The techniques may ensure that a second factor authentication device is in the same location as a first factor access device, and that a first factor access device is in the same location as it was during previous access attempts).

Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.

Abstract: A system and method are disclosed for generating a teleconference space for two or more initial communication devices using a computer coupled with a database and including a processor and memory. The computer generates a teleconference space and transmits requests to join the teleconference space to the two or more initial communication devices. The computer stores in memory identification information, and audiovisual data associated with one or more users, for each of the two or more initial communication devices. The computer transmits audiovisual teleconference data to each of the two or more initial communication devices. The computer transmits a request to join the teleconference space to a third communication device, stores identification information and audiovisual data from the third communication device, and transmits audiovisual teleconference data that includes audiovisual data from the third communication device to each of the three or more communication devices.

Abstract: Techniques provided herein relate to electronic data access requests. An access system receives at least one electronic data action request from a client. At least a portion of the data access authentication information is sourced from a secondary device connected to an intermediary device. The electronic data action request is authenticated based upon the data access authentication information.

Abstract: Embodiments of systems and methods to provide a firmware update to devices configured in a redundant configuration in an Information Handling System (IHS) are disclosed. In an illustrative, non-limiting embodiment, an IHS may include computer-executable instructions to, when a signed certificate associated with a client expires, challenge the client by transmitting a first plurality of keys to a client IHS, wherein the client IHS is configured to respond the challenge by associating each of the keys with a second plurality of keys, pairing each of the first key with its associated second key, sending the paired first and second keys to the server IHS, and authenticate the client IHS by verifying that each of the first plurality of keys is associated with the second plurality of keys.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: A quantum entanglement communication service can be provided by detecting a request to access data stored at a first computer. In response to detecting the data access request, a request can be generated to request that a server computer generate an entangled particle pair. Measurement data can be received, the measurement data corresponding to a measurement observed after interacting a first bit of a token stored at a second computer with a first entangled particle from the entangled particle pair. An operation to perform on a second entangled particle of the entangled particle pair at the first computer can be determined and performed. A state of the second entangled particle can be measured to obtain a value, and a bit string can be generated, where the bit string can include a number that corresponds to the value.

Abstract: A system includes a plurality of remote units; a centralized unit communicatively coupled to the plurality of remote units via a fronthaul network; and an entity that performs deep packet inspection. The centralized unit transmits sets of data to the plurality of remote units across the fronthaul network in packets, each of the sets of data mapped to at least one of the plurality of remote units and each of the packets including a respective indicator indicating each remote unit the associated packet is intended for, wherein each indicator comprises a plurality of bit positions where each bit position is mapped to a different one of the plurality of remote units. The entity performs the deep packet inspection on the packets to determine each remote unit the packets are intended for and communicate each packet to each remote unit the packet is intended for over the fronthaul network.

Abstract: Method and apparatus for improving the flexibility of supporting service continuity are disclosed. A method comprises receiving a PCC rule containing a traffic steering control information per AF request which includes an indication on whether service continuity for offload traffic is supported or not; and performing a PSA relocation based on the information.

Abstract: An external Secure Intelligent Secondary Router is connected to a Primary Wired/Wireless Router/Modem via wire cable, and whereby said external Secure Intelligent Secondary Router communicably coupled to said Primary Wired/Wireless Router/Modem creates one or more secure secondary Wi-Fi networks that can only be accessed by a computing device that has been registered by the rightful account owner and whose identity has been validated by an online validation service.

Abstract: The present invention comprises a computer-implemented method for zero-trust authentication and session management utilizing the Bitcoin Lightning Network. A user requests access to the resource of a service provider and the user provides authentication material to securely access the service provider. The service provider initiates a Hold Invoice via a cryptographic function to generate a pre-image hash instructing the user to authorize release a specified amount of Bitcoin. Bitcoin is then moved into the Hold Invoice where it remains during an authentication attempt. A successful attempt issues an access token to log into an authenticated session. The Hold Invoice remains in place until the session ends, then the Hold Invoice is canceled and Bitcoin is released to the user. An unsuccessful attempt or a violations of terms of use, reveals the pre-image, denies the user access, and Bitcoin is transferred to the service provider as a settled payment transaction.

Abstract: A machine data validation system can track and validate the integrity of machine data generated by machines. The system can generate hashes for the items and batch hashes that can be validated using an immutable data store, such one or more blockchains in a tiered blockchain structure. The system can store machine data and additional associated data in a first lightweight blockchain, and store grouped sets of the data in a second robust blockchain. The system can implement the tiered blockchain structure to efficiently store and reference the hashes to validate the machine data at different times or upon request from an end-user.

Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.

Abstract: The present disclosure relates to a system, method, and computer-program product for identifying and tagging users. Embodiments may include receiving, using at least one processor, a first content request. Embodiments may further include associating a user-access identifier with a first portion of data from the first content request based upon a second portion of the data from the first content request. Embodiments may also include storing the first portion of data from the first content request and the user-access identifier within a memory system. Embodiments may further include receiving a second content request. Embodiments may also include generating a user-identifier tag based upon the user-access identifier stored in the memory system, the first portion of data from the first content request, and a first portion of data from the second content request. Embodiments may further include providing a response to the second content request, the response including the user-identifier tag.

Abstract: Methods and systems to identify a user across multiple browsers and machines are described. In some embodiments, a web request is received at a retrieval service from a browser. The web request may include a request to access a retrieval service website of the retrieval service and may be initiated by a redirection of the browser from a requesting service to the retrieval service. A unique identifier associated with a user logged in to an account of the retrieval service may be determined. The user may be logged in to the account via the browser. A redirect request is sent from the retrieval service to the browser. The redirect may include the unique identifier and may redirect the browser from the retrieval service website to the requesting service. The unique identifier may be used by the requesting service to perform additional functionality specific to the user.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a second electronic control unit connected to the network. A first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed is switched to a second mode in which the first type of detecting process is not performed upon detecting that the state of the vehicle satisfies the first condition. Moreover, the second mode is switched to the first mode upon detecting that the state of the vehicle satisfies the second condition.

Abstract: Methods and apparatus are provided for network slice configuration. In one example aspect, a method in a network function in a network is disclosed. The network is a visited network for at least one User Equipment, UE. The network provides a network slice for the at least one UE, and the network function is a gateway for data communications for the at least one UE. The method includes obtaining an IP address for at least one service for the at least one UE, and providing the at least one service to the at least one UE according to a gateway configuration from a home network of the at least one UE.

Abstract: The invention relates to a method and a system for generating and saving a set of digital data or evidence associated with an individual within a system including several devices issuing and receiving evidence and a medium for communicating between the devices, which may include: For the generation of the data constituting evidence by a device, the definition of a data block characterizing the evidence, For the individual wishing to build him/herself a set of evidence, adding to the received data block data characterizing a piece of evidence, a datestamp parameter, an indicator identifying the device receiving a piece of evidence, an evidence signature. In order to use a piece of evidence, an individual issues a request containing the evidence proving that he/she is the recipient of this evidence to a third-party system. The third-party system contacts the device issuing the evidence which re-signs.

Abstract: A learning device includes processing circuitry configured to use a web browser to crawl one or more web pages from an originating web page, and to accept input of log information obtained from the web browser until an ending web page is reached, and generate a training model using, as training data, any one or more feature amounts among a feature amount of each web page included in the log information, a feature amount about an operation performed on the web browser on a path reaching the ending web page, and a feature amount about an event occurring on the path reaching the ending web page.

Abstract: Techniques and apparatus for optimizing an initial access stratum security mode command procedure are described. One example technique includes sending a first service request to establish a connection with a network. A second service request is sent to the network, upon determining that one or more criteria is satisfied. Another example technique includes sending a first service request to establish a connection with a network and sending a second service request after sending the first service request. The first service request is associated with a first security parameter and the second service request is associated with a second security parameter. A security mode command procedure is participated in with a base station, based on the first security parameter and the second security parameter.

Abstract: Systems and methods for presenting user-selectable options for parental control in response to detecting a triggering action by a user are disclosed. A system generates for output a first content item on a device. The system identifies a first user and a second user in proximity to the device and determines that a first gesture is performed by the first user wherein the first gesture is covering the eyes of the second user. In response to determining that the first gesture is performed, the system presents a selectable option for a user input such as (a) skipping a portion of the first content item; (b) lowering the volume; (c) removing the video of the first content item; or (d) presenting a second content item instead of presenting the first content item. In response to receiving a user input selecting the selectable option, the system performs an action corresponding to the selectable option.

Abstract: Systems and methods for implementing a system for analyzing large amounts of event data to determine any potential security threats or anomalies. Event data may be obtained and processed. The processed event data may be analyzed to detect any potential security threats or anomalies.

Abstract: An integrated access and backhaul (IAB) donor central unit (CU) may transmit, to an IAB-node, a plurality of messages for a child of the IAB-node, the plurality of messages including a first message being associated with a first condition, and a second message being associated with a second condition, and transmit an indication instructing the IAB to forward, to the child, the first message if a first condition is met or the second message if a second condition is met. The IAB-node may receive, from the IAB-donor-CU, the indication, determine that one condition among the first condition and the second condition has occurred, forward one of the first message or the second message to the child based on the occurrence of the one condition, and discard the other of the first message or the second message.

Abstract: A method includes receiving, by an identity provider computing system, a user token from a third party provider, wherein the user token is associated with a user of the identity provider computing system; sending, by the identity provider computing system, a prompt to a user device associated with the user token, the prompt requesting authentication information and including a code; and authenticating, by the identity provider computing system, the user token based on receipt of the requested authentication information and receipt of the code from the third party provider.

Abstract: Techniques are provided that facilitate responding to cyberattacks using counter intelligence (CI) bot technology. In one embodiment, a first system is disclosed that comprises a processor and a memory. The memory can store executable instructions that, when executed by the processor, facilitate performance of operations including receiving a request from a second system requesting assistance in association with a cyberattack on the second system, wherein the request comprises information indicating a type of the cyberattack. The operations further comprise selecting a counter intelligence bot configured to respond to the type of cyberattack, and directing the counter intelligence bot to respond to the cyberattack, wherein the directing comprises enabling the counter intelligence bot to respond to the cyberattack by establishing a gateway with the second system and employing the gateway to intercept and respond to traffic associated with the cyberattack on behalf of the second system.

Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.

Abstract: In a method for enabling a message receive end to quickly confirm a certificate status, a defined field of a certificate includes classification information of the certificate, and a defined field of a certificate revocation list includes classification information of a revoked certificate, so that the receive end can quickly narrow a searching or matching range in massive records of the certificate revocation list based on the classification information carried in the certificate of a transmit end.

Abstract: A computing system for detecting shadow applications operating in devices used by an organization, the system including a memory and a processor configured to monitor incoming email messages received by email accounts of the organization, identify, from the incoming email messages, a first list of software services used by identities of the organization, collect from identity provider services a second list of software services used by identities of the organization via the identity provider services, identify a list of unsanctioned applications that appear in the first list and do not appear in the second list of software services, and update a database based on the list of unsanctioned applications.

Abstract: A computer-implemented system for authorizing access to one or more smart devices provided in a local environment is disclosed herein. The system comprises a client device, a local network node, and a remote network node. The remote network node is configured generate a link and send it to an address associated with a personal identifier of the client device, and in response to the client device having executed the link, the client device being configured to receive an authorization code. The authorization code is locally or remotely validated based on a challenge previously generated by the client device. An access token is generated and sent to the client device, thereby authorizing the client device access to the one or more smart devices in the local environment.

Abstract: This application provides a communication method and apparatus, and relates to the field of communication technologies. The method may include: A network device performs integrity protection on system information by using a first private key, and sends the system information, where the system information includes a first public key corresponding to the first private key and/or an index of the first public key. Correspondingly, a terminal device receives the system information from the network device, and if determining that the first public key is valid, the terminal device verifies integrity of the system information by using the first public key. According to this method, on one hand, the terminal device can effectively identify validity of the system information. On the other hand, because the system information includes the first public key and/or the index of the first public key, flexible update of an asymmetric key can be implemented.

Abstract: An image forming apparatus is provided with a storage, a controller, an image forming part, a first interface configured to receive an image forming job, and a second interface to which a portable storage device is connectable. When the particular storing function is enabled, image data is stored in the portable storage in response to receipt of the print job, and an image is formed in accordance with the image data stored in the portable storage. When the particular storing function is disabled, the image data related to the print job is stored in the storage of the image forming apparatus in response to receipt of the print job, and an image is formed in accordance with the image data stored in the storage of the image forming apparatus.

Abstract: Upon determining a first user of an object is authorized via first biometric data, object components are controlled based on user data for the first user. A second user is permitted to access the object based on detecting a presence of the second user within a predetermined time of detecting an absence of the first user. Then, upon determining a delay parameter is satisfied, a user status of the second user is determined via second biometric data. The user status is one of authorized or not authorized. The object components are controlled based on the user status of the second user.

Abstract: A method for scalable vulnerability detection is provided. The method includes selecting at least a workload of a plurality of workloads deployed in a first cloud environment for inspection, wherein the workload includes a first volume; generating in a remote cluster an inspection node, the inspection node including at least a first disk, wherein the remote cluster provisions inspection nodes in response to demand for inspection nodes; generating a persistent volume (PV) on which the at least a first disk is mounted, wherein the at least a first disk is generated from a snapshot of the first volume; and generating a persistent volume claim (PVC) of the PV for an inspector workload, wherein the inspector workload is configured to inspect the PV for an object, and wherein inspector workloads are provisioned in response to demand for inspector workloads.

Abstract: An authentication system includes an authentication module and a user history database storing order information that includes, for each of multiple logins of the first user to a web property, at least one of: an indication of an order of hypertext transfer protocol (HTTP) headers that were previously received at the authentication module during the login, and an indication of an order of navigator object properties that were previously returned to the authentication module during the login. The authentication module is configured to: receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user; determine order information of the first entity's web browser; perform a comparison operation based on the order information of the first user and that of the first entity, and determine whether to allow the first entity to log in based on the comparison operation.

Abstract: A processing element array includes N processing elements (PE) arranged linearly, N?2, and an operating method of the PE array includes: performing a first data transmission procedure, where an initial value of I is 1 and the first data transmission procedure includes: operating, by an ith PE, according to a first datum stored in itself, and sending the first datum to other PEs for their operations, adding 1 to I when I<N, and performing the first data transmission procedure again, performing a second data transmission procedure when I is equal to N, which includes: operating, by the Jth PE, according to a second datum stored in itself, and sending the second datum to other PEs for their operations, reducing J by 1 when J>1 and the (J?1)th PE has the second datum, and performing the second data transmission procedure again.

Abstract: Techniques for facilitating onboarding to a non-public network is provided. Provisioning parameters may be provided to User Equipment (UE) from a Default Credential Server (DCS) via a secure communication tunnel. Additionally or alternatively, provisioning parameter container(s) including readable provisioning parameters for an Onboarding Network (ONN), and secure provisioning parameters for the UE, may be transmitted to the UE via the ONN. The disclosed methods and apparatuses enable the UE to onboard to a non-public network using the provisioning parameters, and to verify the integrity of the provisioning parameters and ensure the provisioning parameters are not modified by an unauthorized device.