Abstract: A system and method of implementing an API of an authentication service includes implementing a confirmation API, wherein the implementing includes: initiating a confirmation API request based on receiving an access request, wherein the confirmation API request operates to perform an authentication of a requestor making the access request; identifying the requestor based on a search of the requestor via the confirmation API; identifying, by one or more API endpoints of the remote authentication service: (i) a subscriber account of the subscriber maintained by the remote authentication service and (ii) identifying a user device of the requestor that is enrolled with the subscriber account based on the confirmation API request; transmitting a confirmation request to the user device; obtaining from the user device a response to the confirmation request and presenting the response to the confirmation request to the subscriber; and granting or denying the access request.

Abstract: Provided is a method for providing a safe operation of subsystems within a safety critical system (SCS). A malfunctioning subsystem of the SCS sends a malfunction signal to the other subsystems of the SCS including a one-time cryptographic key unique to the malfunctioning subsystem, which is then decrypted by the other subsystems and collective safety management is initiated when the cryptographic key is valid. Also provided are traffic control systems, autonomous driving systems or automotive driver assistance systems. A swarm-like behavior of the subsystems collectively reacting to emergency situations is combined with a one-time cryptographic authentication and/or authorization procedure preventing repeated manipulation of the system by the same perpetrator.

Abstract: A device, method, and system for forwarding, to a pod, a utility container associated with each of at least one network service for enabling a pre-registration of a network function (NF) with an NF registration function (NRF); sending, from the utility container, an authorization code to an NF authorization platform, wherein the authorization code is associated with the at least one network service; suspending a registration procedure for the NF with the NRF until the authorization code is forwarded from the NF authorization platform to the NRF; and resuming, responsive to a service registration request, the registration procedure based on a validation of the authorization code identified in the service registration request.

Abstract: Efficient authentication in a file system with multiple security groups is disclosed. A file system (FS) executing on at least one processor device receives, from a first client application of a plurality of client applications, a request to access a first object, the request including a unique object ID that identifies the first object. The FS determines, based on a data structure maintained by the FS and inaccessible to the first client application, that the first client application is associated with a first security group of a plurality of different security groups. The FS determines, based on metadata of the first object, that the first object is associated with the first security group, and grants the first client application access to the first object.

Abstract: Embodiments of the present disclosure relate to methods, systems, and computer program products for event management. In a method, a token is obtained at a first agent device that is included in a network system, the token is for authenticating a first packet that is transmitted in the network system, and the first packet is generated according to a first network format. A second packet is generated based on the first packet and the token according to a second network format. The second packet is transmitted to a second agent device that is included in the network system, here both of the first and second agent devices support the first and second network formats. With these embodiments, the packet may be authenticated in a more effective way.

Abstract: Embodiments of this application disclose a permission verification method, and related apparatuses. In the embodiments of this application, a permission operation request is received by a first node device in a blockchain from a client, and the permission operation request is forwarded to a second node device in the blockchain; a first contract execution result is obtained according to the permission operation request; a second contract execution result broadcasted by the second node device is received based on the permission operation request; and the user permission verification is determined to succeed in a case that the first contract execution result is consistent with the second contract execution result. This solution implements decentralized permission verification based on a blockchain permission management contract system, thereby improving the data security.

Abstract: Provided are a system and method for authenticating a transaction. The authentication method may be performed by a user computing device, and may include providing, to a merchant device, account information for payment of a transaction, receiving, from the merchant device, a request to authenticate the transaction using payment software of the user device, and executing the payment software in a virtual environment. The executed payment software may authenticate, with an external server, that the account is paired with the payment software of the user device, and transmit a result of the authenticating to a payment network.

Abstract: Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy.

Abstract: Provided is a computing device of a group based communication system configured to securely validate a client device associated with a group-based communication interface user. An example computing device is configured to identify a validating request transmitted from the client device. If a validating request is identified, the example computing device will transmit a temporary device code to the client device associated with the group-based communication interface user and an e-mail code to an e-mail address associated with a user profile associated with the group-based communication interface user. The example computing device also stores the codes transmitted. The example computing device then receives a confirmation exchange from the client device and determines whether the confirmation exchange satisfies client device validation parameters.

Abstract: The present invention relates to IoT devices existing in a deployed ecosystem. The various computers in the deployed ecosystem are able to respond to requests from a device directly associated with it in a particular hierarchy, or it may seek a response to the request from a high order logic/data source (parent). The logic/data source parent may then repeat the understanding process to either provide the necessary response to the logic/data source child who then replies to the device or it will again ask a parent logic/data sources for the appropriate response. This architecture allows for a single device to make one request to a single known source and potentially get a response back from the entire ecosystem of distributed servers.

Abstract: In some aspects, a method for revoking access to a network application on a client device. The method includes establishing, by a client application on a client device responsive to authenticating a user, access to one or more network applications of one or more first servers of a first entity via an embedded browser of the client application, receiving, by the client application, a notification from a second server of a second entity that access for the user to a network application of the one or more network applications is to be revoked, and performing, by the client application responsive to the notification, one or more revoking actions based at least on a policy.

Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to an assertion proxy receiving a verified assertion from an IDP obtained from an assertion that is generated when a user logs into a service provider (SP) and is verified in dependence upon the IDP's public key. It also relates to evaluating the verified assertion against one or more security policies. It further relates to forwarding the verified assertion evaluated to the SP and causing establishment of a single sign-on (SSO) authenticated session without modifying the assertion.

Abstract: A computer-implemented method according to one aspect includes receiving an indication of a track range to be released within a storage volume; identifying a data backup within a backup storage space for the storage volume that corresponds to the track range; and releasing the track range within the storage volume in response to determining that the corresponding data backup has expired within the backup storage space.

Abstract: In an example computer-implemented method, a number of cursor locations within a text field, and associated action types and time stamps are received via a processor. One or more features including a latency between a number of events associated with the cursor locations is extracted via the processor based on the cursor locations and the associated action types and time stamps. A user is authenticated, identified, or verified via the processor based on the extracted one or more features and a learning model or a statistical mechanism.

Abstract: Example mobile devices disclosed herein include a camera, memory including computer-executable instructions, and a processor to execute the instructions to at least associate a location of the mobile device with picture data obtained with the camera. The processor is also to assign a first data tag to the picture data when the location of the mobile device corresponds to a first area, the first data tag to identify a first security level for the picture data, or assign a second data tag to the picture data when the location of the mobile device does not correspond to the first area, the second data tag to identify a second security level for the picture data. The processor is further to determine whether to permit an application to access the picture data based on whether the first data tag or the second data tag is assigned to the picture data.

Abstract: A tracking device can use a permanent encryption key pair to encrypt a temporary private key that corresponds to a set of diversified temporary public keys. When a community mobile device subsequently detects the tracking device, the central tracking system provides a diversified temporary public key to the community mobile device. The community mobile device uses the diversified temporary public key to encrypt location data representative of a location of the community mobile device, and provides the encrypted location data to the central tracking system. When a user subsequently requests a location of the tracking device from the central tracking system, the central tracking system provides the encrypted temporary private key and the encrypted location data to a device of the user, and the device can decrypt the encrypted temporary private key using the permanent encryption key pair, and decrypt the encrypted location data using the decrypted temporary private key.

Abstract: In an embodiment, a computer implemented method comprises receiving, at a first computing device associated with a managing entity, a request to perform an operation of a managed service; publishing to a first block of a distributed ledger system, by the first computing device associated with the managing entity, identification information of the managing entity; identifying, by a second computing device associated with the managed service, the identification information published to the first block of the distributed ledger system; publishing to a second block of the distributed ledger system, by the second computing device associated with the managed service, acknowledgement information comprising an indication that the identification information of the managing entity published to the first block was received and verified; publishing to a third block of the distributed ledger system, by the second computing device associated with the managed service, management request information comprising an operation r

Abstract: Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc.

Abstract: A method and a system for dataset evaluation are provided. The method can include acquiring a new dataset for integration with an existing dataset. The existing dataset is used to train a machine learning model. The method can also include calculating a baseline of variation for the existing dataset. The baseline of variation can be determined by evaluating various characteristics of the existing dataset. The method can further include determining an output value for the new dataset by also evaluating characteristics of the new dataset. The method can also include comparing the output value to the baseline of variation to generate a variance between the output value and the baseline of variation. The method can further include determining whether the variance is within an acceptable range of the baseline of variation.

Abstract: Methods and systems for routing a user request for a service to a version of the service in a geographical region associated with the user are described herein. The service may be deployed in multiple geographical regions, and the service may have multiple versions in each of the geographical regions. A user device may send a request for a service to a first server in a geographical region. The first server may determine whether the user is associated with the geographical region. Responsive to determining that the user is not associated with the geographical region, the first server may ask one or more servers in other geographical regions whether the user is associated with any of the other geographical regions.

Abstract: Methods and apparatuses relating to mitigations for speculative execution side channels are described. Speculative execution hardware and environments that utilize the mitigations are also described. For example, three indirect branch control mechanisms and their associated hardware are discussed herein: (i) indirect branch restricted speculation (IBRS) to restrict speculation of indirect branches, (ii) single thread indirect branch predictors (STIBP) to prevent indirect branch predictions from being controlled by a sibling thread, and (iii) indirect branch predictor barrier (IBPB) to prevent indirect branch predictions after the barrier from being controlled by software executed before the barrier.

Abstract: A system and method to create a plurality of hyperscaler accounts having predefined access rights to an object store of a database service in a cloud environment; store hyperscaler credentials specifying access rights to the object store corresponding to the predefined access rights of the hyperscaler accounts in a secure credential store, the hyperscaler credentials providing access to the object store for a specified backup function; map each of a plurality of different backup service component processes to one of the hyperscaler credentials, each of the plurality of backup service component processes operative independent of each other and having a specific backup service functionality; receive a request to execute one of the plurality of different backup service component processes; and authenticate access rights of the backup service component process included in the request based on the mapping.

Abstract: A computer system to establish a connection between a client device and a server device is provided. The computer system includes a gateway device that receives a message from the client device. The message includes a connection request and authentication information. The gateway device extracts the authentication information and the connection request from the message. The gateway device authenticates the client device, based on the authentication information. Subsequently, the gateway device transmits the connection request to the server device. Thereafter, the gateway device acts as a transparent proxy between the client and server devices, while the client and server devices engage in a handshake process to establish the connection between the client and server devices.

Abstract: A mobile device is carried by a person to be authenticated. An acceleration sensor is installed in the mobile device and configured to output an acceleration signal corresponding to acceleration applied to the mobile device. A processing device is configured to execute determination processing for determining whether the person is walking based on the acceleration signal. A control device is configured to control transmission of a radio signal, and to control an operation of a controlled device based on a result of the determination processing and a result of authentication processing for authenticating, by way of the mobile device, the person as a user of the controlled device. The determination processing is activated in response to reception of the radio signal by the mobile device.

Abstract: The invention relates to the technical field of network security, in particular to a network resource access system and method, a user portal, and a resource portal to isolate users from network resources to reduce unnecessary information disclosure, thus reducing security risks. According to the technical solution, the resource portal acquires resource information associated with the resource portal according to a configuration from an administrator or from a third party, as well as a list of user portals capable of communicating with the resource portal, receives a second access request sent from a user portal in the list of user portals, generates a third access request according to the second access request, and then sends the third access request to a target network resource server.

Abstract: Embodiments for providing demographic reach with anonymity by a processor. User data access may be managed via a data access agent by generating a unique user privacy profile having a selected level of anonymity for each relationship between a user and an application service.

Abstract: An electronic device and method are disclosed, the method including a communication circuitry, a memory storing an application, a display, and a processor operatively connected with the communication circuitry, the memory, and the display. The processor executes the method, including: receiving a request to execute the application, outputting an information input screen relevant to executing the application on the display based on the request, receiving at least one piece of input information to be entered into the information input screen, from a specific external electronic device via the communication circuitry, and automatically entering the at least one piece of input information into the information input screen.

Abstract: Disclosed herein are system, method, and device embodiments for implementing password suggestion. An embodiment operates by selecting one or more random terms from dictionary information, generating an alphanumeric string based on a password requirement, combining the one or more random terms and the alphanumeric string to form a generated password, determining a password strength of the generated password based on compromised password information, and presenting the generated password for selection by a user device when the password strength meets or exceeds a threshold value.

Abstract: A system, apparatus, and method for sharing network credentials. One embodiment of a method comprises: establishing a Bluetooth connection between a first Internet of Things (IoT) device and a mobile device of a first user having an IoT app installed, the mobile device to couple the first IoT device to an IoT service; receiving a request from a user from the mobile device to configure the first IoT device using network credentials from a second IoT device, the second IoT device registered with an account of the user on the IoT service and configured to connect to a secure network of the user with the network credentials; establishing a communication channel between the first IoT device and the second IoT device through the IoT service and the mobile device to obtain the network credentials; and using the network credentials at the first IoT device to securely connect to the secure network.

Abstract: With the advent of augmented reality devices becoming increasingly prevalent, accessible, and cross-compatible, there is an opportunity to leverage the capabilities of such devices in order to streamline workflow and information access in number of contexts. The present invention provides an integrated, dynamic system for leveraging the capabilities of augmented reality systems in order to provide users with useful or critical information in a dependable, seamless, and secure manner.

Abstract: Targeted lockdown of a computer system for an identified vulnerability is provided. The targeted lockdown includes configuring a vulnerability lockdown module implemented on a computer system to perform targeted actions to change a configuration of the computer system. The computer system may be scanned by a vulnerability scanner configured to identify vulnerabilities. In response to identifying a vulnerability, the vulnerability may be communicated to the vulnerability lockdown module and the vulnerability lockdown module may implement a vulnerability lockdown mode by causing the computer system to perform the targeted actions to change the configuration of the computer system by restricting functionality of portions of the computer system affected by the identified vulnerability.

Abstract: Approaches for using self-balancing shaped rewards include randomly selecting a start and goal state, traversing first and second trajectories for moving from the start state toward the goal state where a first terminal state of the first trajectory is closer to the goal state than a second terminal state of the second trajectory, updating rewards for the first and trajectories using a self-balancing reward function based the terminal states of the other trajectory, determining a gradient for the goal-oriented task module, and updating one or more parameters of the goal-oriented task module based on the gradient. The second trajectory contributes to the determination of the gradient and the first trajectory contributes to the determination of the gradient when the first terminal state is within a first threshold distance of the second terminal state or the first terminal state is within a second threshold distance of the goal state.

Abstract: Embodiments of a device and method are disclosed. In an embodiment, a method of communications involves at a head end (HE), receiving an authentication message from a wireless access point (AP) deployed at a customer site and at the HE, receiving an authentication response from an authentication server in response to the authentication message.

Abstract: A board associated with a communication platform and/or one or more channels associated therewith is described. In an example, the board can be associated with editable text and one or more objects capable of being at least one of reordered, added, deleted, or edited. In an example, the one or more objects can be associated with one or more sections. In an example, a communication platform can perform a modification to the board, based at least in part on receiving a request associated with the modification, and can cause the board to be presented via a user interface associated with a member of at least one communication channel with which the board is associated. In an example, the board can be sharable with users associated with different communication channels, workspaces, organizations, or the like.

Abstract: In an authority management method for providing interoperability across different locations and networks, an identity information database and an authority information database are established. Biological image information is obtained from users and registered in the database or an associated database. Biometric image information and an access request of a user are obtained. If there is certain identity information matching the biometric image information of the user in the identity information database, information as to authority and extent of authority are certain identity information queried from the authority information database. The access request is determined to be allowed or not allowed according to the certain authority information. If the access request is to be granted, and allowed in respect of a desired activity, an operation instruction is generated accordingly. A system for administering such method and device applying method are also disclosed.

Abstract: Systems and methods for Wi-Fi sensing are provided. Wi-Fi sensing systems include sensing devices and remote devices configured to communicate through radio-frequency signals. Sensing devices and remote devices are configured to communicate with one another to establish sensing transmission configurations through established protocols. Sensing devices described herein are configured to provide Wi-Fi sensing measurements based on the reception of messages transmitted from remote devices according to established configurations.

Abstract: Security design and architecture for a multi-tenant Hadoop cluster are disclosed. In one embodiment, in a multi-tenant Hadoop cluster comprising a plurality of tenants and a plurality of applications, a method for identifying, naming, and creating a multi-tenant directory structure in a multi-tenant Hadoop cluster may include (1) identifying a plurality of groups for a directory structure selected from the group consisting of a superuser group, a plurality of tenant groups, and at least one application group; (2) creating an active directory for each of the groups; (3) adding each of a plurality of users to one of the plurality of tenant groups and the application group; (4) creating tenant directories and home directories for the users; and (5) assigning owners, group owners, default permissions, and extended access control lists to the tenant directories and the home directories.

Abstract: Systems and methods for multiplexing of a dedicated communication channel for multiple entities, including initiating, at a first entity, a request to share data with a second entity; sharing a portion of an aggregate record for the with the second entity including creating an entity-specific copy; initiating, at the first entity, a request to share data with a third entity; and sharing a portion of the aggregate record with the third entity including creating an entity-specific copy. The portions shared with the second and third entities are dependent on data sharing rules defining shared data, linked data, and entity-specific data that is i) nonsynchronous and ii) provided for display only at the entity associated with the data.

Abstract: A model-driven system automatically deploys a virtualized service, including multiple service components, on a distributed cloud infrastructure. A master service orchestrator causes a cloud platform orchestrator to retrieve a cloud services archive file, extract a cloud resource configuration template and create cloud resources at appropriate data centers as specified. The master service orchestrator also causes a software defined network controller to retrieve the cloud services archive file, to extract a cloud network configuration template and to configure layer 1 through layer 3 virtual network functions and to set up routes between them. Additionally, the master service orchestrator causes an application controller to retrieve the cloud services archive file, to extract a deployment orchestration plan and to configure and start layer 4 through layer 7 application components and bring them to a state of operational readiness.

Abstract: Ergonomic keyboard-less typing may be used to replace traditional typing on a computer keyboard. The user may use an alternative user interface device, such as a smart phone, a tablet, or a wearable device, to make character selections. One of a plurality of user contact types may be received from an input interface, to provide a first indication of the character inputs the user would like to select. A display menu, generated at least in part based on the contact type received, may then present a plurality of gesture types, and one or more characters corresponding to each of the plurality of gesture types. A second indication of one of the plurality of gesture types may be received at the input interface. A selection of one or more characters may then be displayed based on the received first indication and the received second indication.

Abstract: There is a need for more effective and efficient network security coordination. This need can be addressed by, for example, techniques for network asset vulnerability detection. In one example, a method includes detecting network assets within a monitored computer network; and for each network asset: determining a vulnerability profile, determining a connectivity profile, determining a vulnerability designation based on the vulnerability profile for the network asset and a network vulnerability documentation repository, determining whether the vulnerability designation for the network asset indicates a positive vulnerability designation, and in response to determining that the vulnerability designation indicates the positive vulnerability designation, decoupling the network asset from the monitored computer network using the connectivity profile for the network asset.

Abstract: Techniques for establishing a data connection are described. In an example, a computer system receives, from a second device of a computer network, first data associated with a first device and second data associated with the second device. The first device is not connected to the computer network. The computer system determines third data generated by one or more devices other than the first device and the second device and associated with at least one of: the first device, the second device, a user account, or the computer network. The computer system generates, based on the first data, the second data, and the third data, a confidence score indicating a likelihood of a user authorization to connect the first device to the computer network. The computer system sends, to the second device based on the confidence score, instructions associated with connecting the first device to the computer network.

Abstract: A method including transmitting, by an infrastructure device to a user device, a determined characteristic of an authentic feature included in an authentic network communication associated with an authentic entity, with which the user device intends to communicate over a network; determining, by the user device, an observed characteristic of a current feature included in a current network communication associated with a current entity with which the user device is communicating over the network; comparing, by the user device, the observed characteristic with the determined characteristic; and determining, by the user device, that the current network communication is authentic or that the current network communication is not authentic based at least in part on a result of comparing the observed characteristic with the determined characteristic. Various other aspects are contemplated.

Abstract: A computing device includes an interface configured to interface and communicate with a dispersed storage network (DSN), a memory that stores operational instructions, and a processing module operably coupled to the interface and memory such that the processing module, when operable within the computing device based on the operational instructions, is configured to perform various operations. The computing device receives, from another computing device, a vault provisioning request and processes the vault provisioning request to determine whether the other computing device is authorized to request provisioning of another vault within the DSN. When the other computing device is authorized, the computing device generates a vault within the DSN in response to the vault provisioning request from the other computing device and updates access control information within the DSN to include an initial access control for the vault and an identifier of the other computing device.

Abstract: A vehicle identification system and method incorporating image recognition for retrieval, authentication, and/or notification. The vehicle identification system having a computing structure comprising at least one processor, a tangible computer-readable memory, and a transceiver for communicating over a network. A camera system communicating with the computing structure. The camera system having at least one camera observing at least one vehicle within a camera range of an establishment. The camera system capturing at least one image of the at least one vehicle. The tangible computer-readable memory comprises instructions to configure the at least one processor to: receive image data from the camera system; and detect an identifiable feature of the vehicle within the image data.

Abstract: Computerized systems are provided for detecting or receiving a sharing gesture in a communication group and responsively instantiating or updating one or more computer objects that include rich contextual data associated with the sharing gesture. These computer objects can be instantiated or updated based on one or more rules or policies. These computer objects or associated indications can be surfaced back to a user to give the user context regarding the shared resource. It can be determined whether a user has access to (or permission to access) such a computer object and/or an associated computer resource for presentation to the user.

Abstract: A system and method for reducing a time to mitigate distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of attack feeds on at least one protected object in a secured environment; analyzing the plurality of attack feeds to determine characteristics of a DDoS attack against the secure environment; determining a set of optimal mitigation resources assigned to the secured environment; selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme.

Abstract: The present disclosure provides a method, apparatus, device, medium and program product for replying questions. The method presents a reply viewing interface for a question to a user, the reply viewing interface including a first reply control; receives a first reply operation of the user based on the first reply control; publishes a first reply video according to the first reply operation, the first reply video being used for replying to the question.

Abstract: A system and method for implementing a two-side token for OAUTH are described. A first request for access by a partner app server to user account information owned by a host server is received at a host auth server. Upon receiving authorization to share the user account information, a response is returned to the partner app sever. The response includes an access token. In response to returning the response to the partner app server, an event is written to an event queue. The event provides an indication that the request for access was received and that the corresponding response with the access token was returned. The event, when read by a host app server, instructs the host app server to submit a second request to a partner auth server for a reciprocal access token.

Abstract: A management system detects a change at the target device. The management system transmits a request message to authorization devices of the authorization users of the multi-user authorization pool to from the authorization users an indication of whether the detected change is approved. The management system receives a plurality of response messages from authorization devices of the multi-user authorization pool indicating whether the detected change is approved by the corresponding authorization user, and based on at least three of the plurality of response messages indicating a disapproval, that the detected change is disapproved. In response to the determination that the change is disapproved, an instruction message is sent to a target managed device to instruct the target managed device to rollback to an earlier state.