Abstract: A method includes receiving, from a client device, an input/output (I/O) request pursuant to a first protocol, the first protocol being a standards-based I/O protocol. The I/O request is communicated to a proxy communicatively coupled with a mainframe server, the mainframe server being configured to communicate using a second protocol, the second protocol being a proprietary, mainframe protocol that is inconsistent with the first protocol. The method further includes accessing a database having a mapping of a plurality of I/O requests of the first protocol to a plurality of corresponding capabilities of the second protocol, and converting the I/O request pursuant to the first protocol to a corresponding capability pursuant to the second protocol. Security and management policies associated with the mainframe server are enforced using the proxy and the I/O request is executed on the mainframe server, using the corresponding capability pursuant to the second protocol.

Abstract: A credential management system stores GDPR wallets of individuals who consent to share their private data with various consumers, and constructs GDPR directories for the consumers allowing access to the wallet records. If an individual decides they no longer want to share their records with a specific consumer, the system deactivates access to the specific consumer for compliance with privacy laws. However, the consumer may have a legitimate need to retain the information in which case the system will still allow access to records that were available prior to deactivation, but will block access to any newly added records in the individual's wallet. An individual may also automatically deactivate all current consumer connections; if this global deactivation happens after a specific consumer has been already been deactivated, the system will use two different deactivation dates for the access filter depending on which consumer is attempting to view the wallet.

Abstract: A method includes obtaining first and second data sets to be reconciled and, using matching rules, identifying discrepancies between the data sets. The matching rules include at least one permutation key, where each permutation key identifies a subset of data to be grouped together in one of the data sets. Identifying the discrepancies includes attempting to match one or more first characteristics associated with the grouped subset of data in one of the data sets to one or more second characteristics associated with another of the data sets. The matching rules could involve multiple matching characteristics, and the matching rules could be generated using a metric to select the matching characteristics of the matching rules. The metric could be based on a combination of a number of matched data items and a number of matched groups of data items.

Abstract: An information management device or the like capable of quickly and appropriately inquiring of a user propriety of using at least a part of personal information data is provided. A DA unit 2 as the information management device includes a controller 2a and a wireless communication circuit 2c. The controller 2a acquires, when an activation request to any one of a plurality of application software is generated, the personal information data used by the one piece of application software and acquires a propriety status of consent to use the personal information data for each item, and when the item without the consent to use is included, determines a terminal with a highest probability of being used by the user based on the current time and a correlation model, and transmits an inquiry signal which inquires the propriety of the consent to use the non-consent item to the terminal.

Abstract: A cross-network communication system includes a plurality of client networks. The cross-network communication system includes a Service Negotiation Plane configured to forward messages between the plurality of client networks via a plurality of control interfaces, each of which corresponds to one of the plurality of client networks. Each of the plurality of control interfaces includes a first data guard that belongs to the corresponding client network. The first data guard is configured to prevent exfiltration of classified information or permit only particular types of messages to traverse the Service Negotiation Plane.

Abstract: Aspects of the disclosure relate to monitoring and deploying security policy rules in in a container-based computing infrastructure. A computing platform may train a quantum knowledge graph based on interactions in a container-based computing infrastructure. The computing platform may generate and deploy, to the container-based computing infrastructure, one or more security rules associated with interactions in the container-based computing infrastructure based on the quantum knowledge graph les. Subsequently, the computing platform may monitor interactions between containers in the container-based computing infrastructure and identify, using the quantum knowledge graph, an anomaly in a first interaction between a first container and a second container.

Abstract: The present disclosure provides a method for determining the authenticity of an identity document that includes receiving, by an electronic device, an image of an identity document. The document image includes facial image data and personal data of a person associated with the identity document and an identity document number. Moreover, the method includes extracting the personal data and the document number from the identity document image. The extracted personal data includes at least a surname and the extracted identity document number includes groups of characters that represent personal data and information about an entity. Furthermore, the method includes decoding a first group of the characters using a soundex coding algorithm, identifying a surname that corresponds to the decoded first group of characters, comparing the identified surname against the surname in the extracted personal data, and determining the authenticity of the identity document using a result of the comparison.

Abstract: The present disclosure discloses a method for determining an abnormal device in a process of measuring energy of natural gas based on Internet of Things (IOT). The method may include obtaining a natural gas detection parameter detected by at least one detection device via a sense network platform in response to a query request; determining first energy data and second energy data by processing the natural gas detection parameter; determining whether the abnormal device exists by comparing the first energy data and the second energy data; in response to determining that the abnormal device exists, for each detection device, determining a probability that the detection device is abnormal based on related information of the detection device, the first energy data, and the second energy data; and determining the abnormal device based on the probability that the detection device is abnormal.

Abstract: Systems, methods, network devices, and machine-readable media disclosed herein include executing a secure algorithm for computing on a plurality of machines in a cluster by receiving a large input message and dividing the large input message into a plurality of initial input messages, computing an encryption of initial input messages, and evaluating a cluster computing circuit using a homomorphic encryption scheme.

Abstract: Methods and apparatus for portable network interfaces to manage authentication and license enforcement. A system may include a plurality of resource instances including a producer instance configured to implement a network-accessible service, and an authentication coordinator. The coordinator may assign an interface record to the service, wherein the interface record comprises an IP address and a set of security properties. The coordinator may configure the security properties to allow a client to request an attachment of the interface record to a selected resource instance, such that the selected resource instance is enabled to transmit network messages from the IP address using one or more physical network interfaces of the selected resource instance. The producer resource instance initiates authentication operations for the service, including at least one authentication operation based on the IP address of the interface record.

Abstract: Described herein are systems and methods that provide access of a cloud service workload to data of storage devices. A control plane identifies one or more arrays of the storage devices as to what the workload needs access. Discovering is performed by the control plane as to data access of the cloud service to the storage devices. Cloud service accounts which include compute resources used by the workload are identified by the control plane. The control plane provides access to the workload and the compute resources to the data using the data access of the cloud service.

Abstract: A computing system includes a BIOS, a BMC coupled to the BIOS, and one or more hardware components. The BMC can receive commands from a user, and transition between a locked state and an unlocked state. When the BMC is in the unlocked state, the BMC responds to commands received from the user. When the BMC is in the locked state, the BMC ignores commands received from the user. The BMC is configured to receive an unlock command from a user that includes an unlock signature. The BMC is further configured to determine whether the unlock signature is authentic. If the unlock signature is authentic and the BMC is in the locked state, the BMC is configured to transition from the locked state to the unlocked state, to allow the user access to the hardware components of the computing system.

Abstract: A vehicle data management system and data jurisdiction system manage vehicle data between multiple jurisdictions and enables a set of jurisdiction rules involving rules of various jurisdictions to be applied consistently. The vehicle data jurisdiction system can detect changes in jurisdiction of a vehicle based on various pieces of received vehicle information and applies appropriate jurisdiction rules from a set of jurisdiction rules. Various jurisdictions may have conflicting jurisdiction rules and, in such circumstances, the data jurisdiction system resolves potential conflicts between the rules using a jurisdiction rules resolution workflow. Based on the resolution of the conflict, the data jurisdiction system can migrate data of the vehicle to one or more other jurisdictions, or otherwise implement the correct rules determined by resolving the conflict.

Abstract: Some disclosed methods involve controlling a display system to present one or more restricted access virtual buttons in a secure region. The restricted access virtual buttons may correspond to functionality of the apparatus or functionality of a software application for which access is restricted. Some disclosed methods involve controlling the display system to present one or more unrestricted access virtual buttons in a non-secure region. The unrestricted access virtual buttons may correspond to functionality of the apparatus or functionality of the software application for which access is not restricted. Responsive to the selection of a virtual button displayed in the secure region, some methods involve performing an authentication process and executing the functionality of the device or functionality of a software application for which access is restricted after successful authentication.

Abstract: A data storage interface layer provides access management and transformation of data stored in various backend storage clusters. The data storage interface can serve as a point of access for data accessors to access stored data via a consistent data access protocol, even when a data storage cluster on which requested data is stored may use a different protocol. The data storage interface can also provide in-line transformation of requested data and/or control of access to requested data.

Abstract: Securing protocol keys in a communication node comprises transferring a protocol access key stored in a secure enclave of a secure host platform to a secure key store in a communication platform via a secure transfer. The protocol access key which is plaintext is secure from access by a host processor of the secure host platform. A protocol key stored in the secure enclave is encrypted to an encrypted protocol key. The encrypted protocol key is transferred from the secure enclave to the communication platform over an unsecure bus. The encrypted protocol key is deciphered based on the protocol access key in the communication platform to form the protocol key. The protocol key which is plaintext is secured from access by the host processor, the communication controller, or both.

Abstract: An ABE method with multiple tracing attribute authorities: performing, by a central authority, system initialization to generate a public parameter and disclosing the public parameter; performing, by each of attribute authorities, initialization to generate a key pair, and disclosing a public key in the key pair; performing, by a data owner, symmetric encryption on plaintext data, performing ABE on a symmetric key based on a hidden access structure, and generating an integrity verification value; requesting, by a data user, a decryption key to the attribute authority according to an own attribute; restoring, by the data user in response to decryption, an access structure, generating an outsourcing decryption key, sending the outsourcing decryption key to a cloud storage center for semi-decryption; generating, by the cloud storage center, a semi-decrypted ciphertext, and feeding the semi-decrypted ciphertext back to the data user; fully decrypting the semi-decrypted ciphertext according to a private decryption

Abstract: The present disclosure involves systems, software, and computer implemented methods for using multiple synonymous identifiers in data privacy integration protocols. One example method includes identifying a request to initiate a protocol in a multiple-application landscape for an object with an identifier. A determination is made that at least one context-using application participant of the protocol relies on a context-providing application participant of the protocol for resolving the identifier to a local identifier local to a context of the context-providing application participant. A resolution request is sent to context-providing application participants that can provide resolution for an identifier for at least one context-using application. A local identifier corresponding to the identifier that is local to the context of the context-providing application participant is received from each context-providing application participant.

Abstract: Techniques are described herein for function-level limiting of privileges for a target application. Privileges dependencies for different functions of an application are determined based on static evaluation of the code base. A call graph with nodes representing the application functions is established, and the nodes are associated with the determined privilege dependencies. The graph is modified using iterative backward dataflow analysis to associate the nodes in the graph with privileges that are reachable from each node. Transition-edges are identified within the graph, where a transition-edge connects nodes having different sets of privileges. Function calls implementing the identified transition-edges are replaced, in instructions for the application (e.g., bytecode or machine code), with calls to wrapper functions.

Abstract: Systems and methods are described herein for providing provable provenance for assessment results. For example, an AI model and/or a dataset may be assessed using an assessment service to determine whether a bias exists within the AI model and/or the dataset. The results of the assessment may be provided to an auditing service to confirm the assessment results. The systems and methods described herein provide for provable provenance for the assessment results such that the auditing service can verify whether a model and validation dataset provided by a client are the same that were used during an assessment and have not been tampered with by a malicious party.

Abstract: A system and method for deploying cybersecurity resources includes sourcing cybersecurity operations data that includes a plurality of distinct datasets derived from a handling of a target cybersecurity event; extracting, from the cybersecurity operations data, at least cybersecurity task feature data relating to a plurality of cybersecurity tasks and metadata, wherein each cybersecurity task of the plurality of cybersecurity tasks includes an identification of an operation executed when handling or the target cybersecurity event and an identification of an operator executing the operation; deriving timestamp data for each operation executed by a respective operator of each respective cybersecurity task of the plurality of cybersecurity tasks instantiating, by computer processors, a cybersecurity event data structure; using entries of the cybersecurity event data structure to compute allocation values for cybersecurity resources for handling impending cybersecurity events; and deploying, within a security ope

Abstract: Embodiments of the present disclosure relate to devices, methods, apparatuses and computer readable storage media for data sharing. In example embodiments, a method for data sharing is provided. The method comprises, in response to receiving a first request to share data of a user from a data sharing agent, creating a data sharing smart contract for the user. The method further comprises publishing the data sharing smart contract to one or more data consumers. The method further comprises, in response to receiving a second request to access the data from a data consumer, generating, by executing the data sharing smart contract, an indication that the data consumer is authorized to access the data. In addition, the method further comprises sending the indication to the data consumer. In this way, end users are enabled to manage and share their personal data by themselves.

Abstract: An object is to lower the ratio of the number of users of an authentication service to the number of users of an application which uses the authentication service. A state of a first application is obtained by executing a second application. Whether to perform authentication processing is determined according to the state of the first application by executing the second application. Moreover, an instruction to perform the authentication processing is issued by executing the first application or the second application in a case where it is determined that the authentication processing is to be performed.

Abstract: An example operation may include one or more of receiving, by a document processor node, a document and a signed digital receipt identifying an owner of a version of the document associated with a blockchain transaction, verifying, by a document processor node, the version of the document based on the signed digital receipt, and executing a smart contract to enable a conflict-free document versioning based on a hash of the document recorded on a ledger of the blockchain.

Abstract: An illustrative method includes a data protection controller receiving, from a security threat monitoring application communicatively coupled to the data protection controller by way of a network, event data triggered by a detection by the security threat monitoring application of a security threat against a host attached to a storage element of a storage system remote from the host; and performing, based on the event data, a data protection operation with respect to the storage element.

Abstract: Disclosed is a 5th generation (5G) or a pre-5G communication system provided to support a higher data transmission rate than that of post-4th generation (4G) communication systems, such as long term evolution (LTE). A method of operating a network node in a wireless communication system is provided. The method includes receiving, from a plurality of first network nodes, network data, generating first recommendation operation information for a second network node based on the network data, and transmitting, to the second network node, a first analysis result message including the first recommendation operation information.

Abstract: In a method for securing a web browser, display instructions for displaying web content are received from a content server by a web browser operating on a client computing device. The web browser creates a document object using the display instructions and determines from the document object whether one or more of the display instructions meet font profiling criteria selected to identify attempts to profile font display characteristics of the web browser. Responsive to a determination that font profiling criteria are met, the web browser alters a character display of the document object and implements the document object for displaying the web content on the client computing device.

Abstract: A method and/or system for Artificial Intelligence assisted service catalogue generation for network service provisioning is disclosed. The method comprising receiving input data which comprises either or combination of one or more specification documents or one or more configuration changes in network functions and/or network components. The entities and attributes of the entities are extracted from the input data which are then reconciled with graph database representing network function model to determine modifications in the input data. The graph database is updated based on the modifications identified in the input data, and recommendations comprising model elements are generated using AI engines which are displayed at the service modeler interface for generation of the service catalogue for network service provisioning.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for privacy-preserving cross-domain experiment monitoring are described. In one aspect, a method includes receiving, by a first server of a MPC system, a request for digital content including a first secret share of an application instance identifier that identifies the application instance associated with the device. The first server conducts, in collaboration with a second server of the secure MPC system, a privacy-preserving selection process to select a winning digital component from a set of digital components. Each digital component has a corresponding unique experiment identifier and unique control identifier. A first secret share representing the winning digital component is generated. A response is generated and includes the first secret share of the selection result and data representing whether the application is in the experiment group or a control group for each digital component.

Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture are disclosed that may be utilized to bring about accessing a data store to determine that signal packets have been received, via an electronic communications network, from a communications device that is to be verified. The communications device being co-located with a real-world identity. The method may additionally include electronically determining that a subscriber account identifier or a subscriber-unique alias is bound to an account held by the real-world identity and electronically tying the subscriber account identifier or the subscriber-unique alias to the real-world identity in response to electronically verifying the communications device after determining that the signal packets have been received from the communications device and in response to electronically determining that the subscriber account identifier or the subscriber-unique alias is bound to the account held by the real-world identity.

Abstract: Systems and methods for optionally restricting the rendering of particular content items. An example method comprising: receiving a plurality of content rendering options supported by a client device; determining a content item to be rendered, the content item being associated with a restriction attribute; selecting a content rendering option supported by the client device in view of the restriction attribute; generating a token comprising data associated with the selected content rendering option and the content item; receiving a client request from the client device, wherein the client request is associated with the content item and indicates a chosen content rendering option; comparing the data of the token with the chosen content rendering option indicated by the client request to determine a match; and granting the client device access to perform the chosen content rendering option on the content item based on the outcome of the determination of the match.

Abstract: An authentication system for granting access to an account associated with a user. An authenticator of the authentication system including a processor and a memory, the authenticator configured to: receive a request for authentication that identifies the user; access an authentication account associated with the user, wherein the authentication account indicates a smart device associated with the user; activate a control parameter of the smart device, wherein the control parameter may cause an effect in a media sample from the smart device; receive the media sample from the smart device and determine if the effect corresponding to the control parameter is observed in the media sample; and in response to a determination that the effect is not observed in the media sample, indicate that the request for authentication is a fraudulent request.

Abstract: Embodiments herein facilitate a rule-based anonymization of an original dataset. The system may include a processor including a data privacy evaluator and a rules engine. The data privacy evaluator may receive at least one anonymized dataset corresponding to a predefined strategy of anonymization. The at least one anonymized dataset may include a variation from the original dataset by at least one of a privacy metric and a consistency metric. The data privacy evaluator may evaluate the at least one anonymized dataset and may generate a final output value based on a first output and a second output. The processor may assess the final output value with respect to a predefined threshold through the rules engine. If the final output value may be equal or higher than the predefined threshold, the system may permit an access to the anonymized dataset.

Abstract: An illustrative method includes a data protection system determining a metric associated with operations performed with respect to a storage system during a measurement interval, determining that the metric deviates by more than a threshold amount from a historical baseline metric associated with the storage system, and directing, based on the determining that the metric deviates by more than the threshold amount from the historical baseline metric, the storage system to generate a recovery dataset for data maintained by the storage system.

Abstract: An objective of the present invention is to make a search for illegal (illegitimate) content more efficient. The illegitimate content relates to content posted by an unauthorized user without a legitimate ownership of the content. An illegitimate content search device according to the present invention comprises a phishing content sensing part for, using a profile of candidate content being potentially illegitimate content, sensing, from among the candidate content, phishing content being non-illegitimate content for guiding a user's viewing.

Abstract: In examples, a system for using interchangeable non-compute resources is provided. The system includes at least one processor and memory storing instructions that, when executed by the at least one processor, cause the system to: receive a first key corresponding to a first non-compute resource, define a first connection with the first non-compute resource based on the first key, receive a second key corresponding to a second non-compute resource, define a second connection with the second non-compute resource based on the second key, receive an indication corresponding to a selection of the first non-compute resource, and configure the system to interface with the first non-compute resource at a deployment of a generated application.

Abstract: A method comprises receiving, by a shim application of a user equipment (UE), an outbound communication from a first application destined for an external device, prior to transmitting the outbound communication to the external device, determining, by the shim application, whether to forward the outbound communication to the external device, via a radio interface of the UE, based on a first policy, receiving, by the shim application, an inbound communication destined for a second application from the external device, via the radio interface, determining, by the shim application, whether to forward the inbound communication to the second application based on a second policy, receiving, by the shim application, an inter-enclave communication from the first application destined for the second application, and determining, by the shim application, whether to forward the inter-enclave communication to the second application based on the second policy.

Abstract: A process of issuing a limited-use electronic certificate. In operation, a public key infrastructure (PKI) device receives a request for an electronic certificate from an end entity. The PKI device detects an anomaly with respect to the request received from the end entity. The PKI device generates, based on the detected anomaly, a limited-use electronic certificate. The PKI then issues the limited-use electronic certificate to the end entity. When the end entity determines that the issued certificate is a limited-use certificate with limited-use attributes such as a shortened validity period or lowered assurance level, the end entity provides a visual and/or audio prompt indicating the issuance of the limited-use certificate and further including one or more corrective actions to be performed to eliminate the anomaly prior to sending a new request for an electronic certificate to the PKI device.

Abstract: A method includes creating, by a first provider, a first listing referencing first shared data and comprising first access controls, wherein access to the first shared data by a second provider is filtered based on the first access controls, creating, by the second provider, a second listing referencing second shared data and the first shared data filtered based on the first access controls, and adding the second listing to a catalog in a data exchange, the catalog comprising metadata describing the second shared data.

Abstract: In general terms this invention provides embodiment of systems that permit better usage of consumer generated data that permit the consumer methods to monetize the information and maintain control over the data at the time of its creation and at later times. Certain embodiments comprise a user whose interaction can cause a provider to create data regarding the interaction. The user can authenticate the data using encryption aspects and permit the user to self-publish data. The self-publishing can occur in a manner that only requires direct trust of the technology provider regarding the data validity. The invention may incorporate an Ethereum network. Embodiments of the system may verify, exchange, encrypt and decrypt data allowing purchasers to purchase the data or certain portions of it.

Abstract: In general, embodiments relate to a method for performing a local vulnerability check of an application upgrade to be downloaded, comprising: receiving an application upgrade download request from a client device; sending, by a client device upgrade manager, information related to the application upgrade download request to a local vulnerability validator; determining by the local vulnerability validator, based on impact score information, that a specific version of the application upgrade to be downloaded has vulnerabilities; sending the impact score information to the client device upgrade manager; and notifying, based on the impact score information, the client device that the application upgrade to be downloaded has vulnerabilities.

Abstract: A method, apparatus and computer program product generate and utilize a digital signature to identify an object of interest. The method includes providing a reference image depicting the object to a signature encoding module having a hypernetwork. An indication of the object within the reference image is also provided. The method includes generating, with the signature encoding module, the digital signature representing the object. The digital signature includes parameter(s) configured to define processing to be performed by another neural network. The method includes providing the digital signature and at least one query image to a query processing module having a neural network. The method includes identifying, by the query processing module, the object within the at least one query image based upon the digital signature by processing the at least one query image with the neural network of the query processing module in a manner defined by the parameter(s).

Abstract: Some embodiments include a method of providing security and privacy for a message sender. The method can include a messaging application determining that a messaging interface of the computing device is active and is revealing or about to reveal the electronic message. The messaging application can identify a recipient account of a messaging server system that is associated with the electronic message according to the electronic message or the messaging server system. The messaging application can then monitor a data feed from a sensor of the computing device to detect a biometric pattern that matches against a biometric profile model associated with the recipient account utilizing a biometric recognition process. In response to determining that the detected biometric pattern does not match the biometric profile model associated with the recipient account, the messaging application can activate a privacy shield to prevent content of the electronic message from being revealed.

Abstract: An applet may be downloaded or provided to a web browser when a user visits a site in order to protect data input by the user from being captured by malicious software, such as key loggers. The applet may present a user input field in the web browser and may generate a random sequence of low-level key stroke or mouse click events within the input field when the user enters information, such as a username and/or password. A listening key logger will receive a large amount of random data, whereas the applet will receive and buffer the actual user data that may be communicated to a remote site access by the user.

Abstract: Methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to provide device enhancements for software defined silicon implementations are disclosed. Example non-transitory computer readable medium includes instructions to cause one or more processors to at least generate a first stock keeping unit, associate the first stock keeping unit with a semiconductor device, the first stock keeping unit associated with a first set of features to be provided by the semiconductor device, command the semiconductor device to activate a feature not included in the first set of features to cause the semiconductor device to provide a second set of features, generate a second stock keeping unit for the semiconductor device, and associate the second stock keeping unit with the semiconductor device and the second set of features to be provided by the semiconductor device.

Abstract: Creating compatible anonymized data sets by performing with machine learning equipment that operates a machine learning model by defining data types of variables of a data set; identifying quasi-identifiers for the data set; defining reidentification sensitivity of all or any targeted subset of the individual variables and quasi-identifiers; defining missing data handling rules for the individual variables; defining allowed data transformations including generalization and use of synthesized data; optimizing quasi-identifier selection, use of synthesized data and a choice of data transformations to minimize information loss and maximize privacy metrics based on the data set; the allowed data transformations; and the missing data handling rules; training the machine learning model using the data set according to the defined data types; the optimized quasi-identifier selection; the optimized use of synthesized data; and the choice of data transformations; and anonymizing the data set using the training of the m

Abstract: One embodiment is directed to an adapter entity comprising a Technical Report 069 (TR-069) protocol automatic configuration server (ACS) module configured to communicate with managed equipment included in a radio access network (RAN) using the TR-069 protocol. The adapter entity further comprises a Network Configuration Protocol (NETCONF) server configured to communicate with an Open Network Automation Platform (ONAP) Software Defined Network Radio instance (SDN-R) of an ONAP management and orchestration (MANO) environment using NETCONF. The adapter entity further comprises a TR-069-to-NETCONF mapper module, communicatively coupled to the TR-069 protocol ACS module and the NETCONF server, configured to dynamically map NETCONF requests and responses to and from TR-069 Protocol requests and responses. The adapter entity is configured to dynamically map NETCONF requests and responses to and from TR-069 Protocol requests and responses. Other embodiments and examples are disclosed.

Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.

Abstract: A method for securing an electronic control unit (ECU). The method may include generating a granular security control adjustment authorization ticket (G-SCAAT) for securing the ECU according to a plurality of security parameters determined based on to a role selected for a corresponding user. The G-SCAAT may include security values to be used in controlling the ECU to operate according to the security parameters.

Abstract: Provided is a data processing device including: a noise removal unit that removes noise from data to which noise has been added, the data having been received from a terminal device; a measurement unit that measures the data for each data type constituting a data set and indicating a classification of the data; and a data set updating unit that updates the data set on the basis of a measurement result of the measurement unit.