Abstract: Applications supporting operations of an autonomous vehicle fleet can be implemented on and supported by cluster infrastructure. These applications have endpoints where data traffic runs in and out of these applications. Securing access to these endpoints can prevent unauthenticated and unauthorized access to these endpoints and the protected resources accessible through these endpoints. Securing access to these endpoints, managing entitlements and security policies, and maintaining security systems that can enforce the security policies are not trivial tasks. One solution addresses some of these challenges by offering a simple frontend for users to define the entitlements and security policies, leveraging an open source security solution, and ensuring backwards compatibility to other security solutions in the cluster infrastructure.

Abstract: The antenna hub of a satellite gateway has limited space. Existing frequency conversion utilize bulky components that consume significant space and are costly to maintain in terms of complexity, time, and expense. Accordingly, a compact and flexible frequency conversion system is disclosed. This frequency conversion system consumes less space, provides built-in automated software-controlled configurability and redundancy, and provides easy replaceability at both a channel level and a device level.

Abstract: A system and method for detecting a cybersecurity risk of an artificial intelligence (AI), is presented. The method includes: inspecting a computing environment for an AI model deployed therein; generating a representation of the AI model in a security database, the security database including a representation of the computing environment; inspecting the AI model for a cybersecurity risk; generating a representation of the cybersecurity risk in the security database, the representation of the cybersecurity risk connected to the representation of the AI model in response to detecting the cybersecurity risk; and initiating a mitigation action based on the cybersecurity risk.

Abstract: Provided is a security key input system using a one-time keypad. The security key input system may include: a keypad input unit configured to output a security keypad including one or more null keys each having no identification mark written thereon, and receive a security key from a user; a control unit comprising a one-time keypad generator configured to generate a one-time keypad; an input terminal comprising an NFC recognition unit configured to provide the one-time keypad generated by the one-time keypad generator to an output terminal through NFC with the output terminal contacted with the input terminal; a display module; an NFC recognition module configured to receive the one-time keypad from the input terminal through the NFC recognition unit; and the output terminal comprising a controller configured to output the one-time keypad received from the NFC recognition module through the display module.

Abstract: Various techniques and mechanisms for sharing remote resources among a trusted group are disclosed. A credential management agent utilizes a resource credential for a first user to access a secure resource corresponding to the first user for a second user by at least validating a second user and validating a consent of the first user to allow the second user to access the secure resource using the resource credential for the first user. The secure resource resides on a remote server system accessible via one or more application program interfaces (APIs). A platform management agent provides an interface for shared resource-agnostic credential sharing. The platform management agent validates credentials for the second user as belonging to a trusted group and forwards a request for access to the secure resource for the second user to the credential management agent.

Abstract: Authorization for access to an application server and associated communication service can be desirably managed. When a device attempts to access an application server and service, an authorization server generates an encrypted token, comprising device identifier information, and communicates the token to the device. The device communicates the token to the application server. The application server communicates the token to the authorization server. The authorization server determines whether the device is validated to access the application server and service based on the encrypted token, private decryption key, and initialization vector, and based on subscriber-related information. The authorization server does not share the private decryption key or initialization vector with the application server. If validated, the authorization server communicates validation-related information, including a permitted portion of subscriber-related information, to the application server.

Abstract: Dynamic multi-network security controls are provided herein. A method can include receiving a report of malicious network traffic observed by first network equipment operating in a first communication network, where the report indicates a second communication network distinct from the first communication network as an originating network of the malicious network traffic, identifying second network equipment operating in the second communication network as a source of the malicious network traffic, and based on the identifying, blocking communications from the second network equipment for a defined time interval.

Abstract: Methods and systems are described herein for generating and assigning resources based on timestamps. A plurality of permission messages associated with a plurality of authorization events may be received with each permission message including an authorization timestamp indicating a generation time of a corresponding permission message. In addition, a plurality of data records may be received with each data record including a corresponding plurality of parameters. Based on the permission messages and the data records, a resource multiplier is generated, and resources assigned to each data record are multiplied based on the resource multiplier.

Abstract: A system and method for altering client fingerprint that includes editing data components of network communication from a client device to a server, which comprises editing network protocol data from the client during negotiation of a cryptographic protocol; selectively enabling access to library components specified in the edited client network protocol data; and sending a client communication to the server using the edited client network protocol data.

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The tunnel device is selected based on an attribute, such as IP Geolocation. A tunnel bank server stores a list of available tunnels that may be used, associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server, and stays connected to it, for allowing a communication session initiated by the tunnel bank server. Upon receiving a request from a client to a content and for specific attribute types and values, a tunnel is selected by the tunnel bank server, and is used as a tunnel for retrieving the required content from the web server, using standard protocol such as SOCKS, WebSocket or HTTP Proxy. The client only communicates with a super proxy server that manages the content fetching scheme.

Abstract: A system for cross cloud workload identity virtualization including a program having instructions to route a first network call from a workload in a first cloud computing environment addressed to a first cloud computing environment instance metadata service (IMS) having destination data with an IP address of 169.254.169.254 to a universal IMS (UIMS) different from the first cloud computing environment IMS, route a second network call from the workload addressed to a destination other than the first cloud computing environment IMS to the destination indicated by the second network call, respond to the first network call with credentials valid for accessing a cloud service provided in a second cloud computing environment. The workload can access the cloud service from the first cloud computing environment, and access the cloud service from a third cloud computing environment different from the first cloud computing environment.

Abstract: Methods and systems for managing access to data stored in data storage systems are disclosed. An end device and/or user thereof may require access to sensitive data of varying sensitivity levels stored in a data storage system. To prevent malicious parties from gaining access to the sensitive data, an access control system may be implemented. The access control system may include a registration process that registers end device and user combinations and assigns cryptographic key pairs to each registered combination. The key pairs may be generated using information specific to the sensitivity level of the data and managed using a key tree structure. Before sensitive data may be accessed, a requesting device and its associated user may be authenticated using the key pairs generated during registration. The sensitive data may be encrypted using sensitivity level and device-specific encryption.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: Techniques are described for managing secrets for accessing resources of a computing service provider by a client computing device. Two secrets are created that are valid for accessing the resource by the client computing device. When one of the two secrets are invalid for accessing the resource, the client computing device can use the second of the two secrets to gain access to the resource.

Abstract: Methods and systems for managing computing infrastructure compliance with standards are disclosed. The computing infrastructure may provide computer implemented services that may be at elevated risk if the computing infrastructure fails to comply with various standards such as security or redundancy standards. To manage compliance with standards, a cross-standard compliance coverage model may be used. The cross-standard compliance coverage model may use information regarding infrastructure components of the computing infrastructure to ascertain compliance with any number of standards.

Abstract: An image forming apparatus includes an authentication application device that registers information acquired from an authentication system, and indicating a normal application accessible by a user when the user logs in in the image forming apparatus, in temporary user information, and a normal application device that decides, upon being requested to activate itself, whether the user who has logged in in the image forming apparatus is authorized to utilize the normal application device, on a basis of the temporary user information.

Abstract: An application for dynamic, granular access permissions can include a database interface, a user interface, a login process, an administrator, an event handler and an authorization process. The database interface can be an interface to an access control permissions database that stores roles, actions, or policies for users of the application. The login process can authenticate a user and determine a default set of access control permissions for that user when they are using the user interface. The administrator can provide access control permissions for a user by using the database interface. The event handler can dynamically modify access to functionality in the user interface based on an event. The authorization process can determine whether a request from the user interface is authorized before process the request. The authorization process can use access control permissions from the administrator and either a scope limited or a temporally limited access permission.

Abstract: An information processing device includes: a hardware processor that executes a license check of software, wherein the hardware processor detects a request for remote access to the software, extracts a description about remote access from a license agreement of the software to which a request for remote access is requesting access, and determines, based on the extracted description about the remote access, whether the remote access is a license violation.

Abstract: Examples described herein relate to portable playback devices, such as smart headphones and earbuds, and ultra-portable devices having built-in voice assistants. Some example techniques relate to user interaction with voice assistants. Further example techniques relate to voice guidance played back by the headphones to guide the user under certain conditions.

Abstract: The present disclosure relates to systems, methods, and non-transitory computer-readable media that detect synthetic user accounts of a digital system via machine learning. For instance, the disclosed systems can utilize a machine learning model to analyze account features that are related to a user account and generate an indication that the user account is synthetic based on the analysis. The disclosed systems can further disable (e.g., suspend or close) the user account based on determining that the user account is synthetic. In some cases, the machine learning model provides a precision score that indicates a likelihood that the user account is synthetic, and the disclosed systems disable the user account if the precision score satisfies a threshold. In some implementations, the disclosed systems generate the machine learning model using synthetic user accounts detected via one or more rules and other user accounts that are associated with those synthetic user accounts.

Abstract: Users can be logged in to modern workspaces using different cloud identity providers and single sign-on. A login manager can be provided on a user computing device to obtain a user's login credentials via a custom login screen. The login manager can then inject the login credentials into an authentication interface of a cloud identity provider to authenticate the user for purposes of logging in to the user computing device. The login manager can leverage this authentication to perform single sign-on for all resources of a modern workspace such that the user can be logged in to the modern workspace via any cloud identity provider.

Abstract: A method at a first domain for obtaining at least one insight from a second domain, the method including registering an application with an anchor in the first domain; providing, from the anchor to the application, a first message signed by the anchor; sending, from the first domain to a network domain, the signed message; receiving, from the network domain, at least one signed token, each of the at least one signed token being for a synthetic sensor on the second domain, where the synthetic sensor provides an insight; sending a request message to the second domain, the request message requesting the insight and including the at least one token; and receiving the insight from a synthetic sensor associated with the at least one token.

Abstract: A text mining engine running on an artificial platform is trained to perform conversation role identification, semantic analysis, summarization, language detection, etc. The text mining engine analyzes words in a transcript that represent unique characteristics of a conversation and, based on the unique characteristics and utilizing classification predictive modeling, determines a conversation role for each participant of the conversation and metadata describing the conversation such as tonality of words spoken by a participant in a particular conversation role. Outputs from the text mining engine are indexed and useful for various purposes. For instance, because the system can identify which speaker in a customer service call is likely an agent and which speaker is likely a customer, words spoken by the agent can be analyzed for compliance reasons, training agents, providing quality assurance for improving customer service, providing feedback to improve the performance of the text mining engine, etc.

Abstract: A method for preventing data leakage may include: identifying data that is generated by at least one framework application in response to a data request from a first machine learning (ML) engine of a plurality of ML engines; creating a plurality of data blocks based on the generated data, a category of the first ML engine, and a tag associated with the first ML engine and the at least one framework application; determining whether the plurality of data blocks are valid to share with the first ML engine using an activity block chain associated with each of the plurality of framework applications; based on the plurality of data blocks being valid, sharing the plurality of data blocks with the first ML engine, and otherwise discarding the plurality of data blocks not to share with the first ML engine.

Abstract: Systems, methods, network devices, and machine-readable media disclosed herein include encoding data for storage or transmission by encoding the data according to a tamper-resistant data encoding scheme that renders the data secure against unbounded polynomial size attacks. The present disclosure further includes subsequently determining whether the data has been tampered with, and notifying a processor when the data has been modified or compromised.

Abstract: Devices, systems and methods are provided for remotely managing configuration of a networking device. One method of managing configuration of a networking device involves obtaining resources associated with one or more graphical user interface (GUI) displays of a web application for configuring the networking device, receiving a request to access the web application, and in response to the request, determining a representative value for the resources as a function of a current state of the resources, obtaining a reference value for the resources that reflects a validated state of the resources, and instantiating the web application using the resources when the representative value matches the reference value.

Abstract: Techniques are disclosed pertaining to determining whether execution of a transaction will exceed a system resource threshold. A computer system stores a precomputed permissions data structure in association with particular data stored in a database. That precomputed data structure may be used to determine whether a user can access the particular data. The computer system may capture metric information that pertains to parameters involved in different types of transactions that can be performed to recompute the precomputed permissions data structure. Upon receiving a request to perform a transaction that involves recomputing the permissions data structure, the computer system, may determine, based on the metric information and the transaction's particular type, whether an execution of the transaction will exceed the system resource threshold.

Abstract: For increased device security, a security policy manager is used to configure permissions for applications installed on mobile computing devices. In one approach, an evaluation server receives data associated with a context for a computing device. Based on the received data, a policy that is applicable for the current context of the computing device is identified. The identified policy has rules regarding access permissions for software installed on computing devices. The server determines a current policy implemented on the computing device, which includes determining an access permission for software installed on the computing device. The server determines that the access permission for the installed software does not comply with the policy applicable to the current context. Based on this determination, the server revokes the access permission for the installed software.

Abstract: A secure communication system enabling secure transport of information is disclosed. The system comprises a secure network with one or more packet processing units connected by links through an internal communication system. The secure network transports packets of information between credentialed and authenticated agents. Each packet is associated with a visa issued by a visa service. The visa specifies the procedures governing the processing of the packet by the packet processing units as it is transported along a compliant flow, between agents thorough the network, according to a set of policies specified in a network configuration. Packet processing units include docks and forwarders. Adaptors serving the agents communicate with the network through tie-ins to docks. The system also includes and admin service, accessible to one more admins, that facilitates configuration and management of the network.

Abstract: The present disclosure relates to managing services by a managed service provider (MSP) in a cloud based infrastructure. A control plane of the MSP is established in a first tenancy, and a first access plane of the MSP is established in a second tenancy of a cloud environment. The control plane is configured to manage a plurality of services offered by the MSP to a first host machine included in the second tenancy. A first request is transmitted from the control plane to the first access plane, where the first request is forwarded by the first access plane to the first host machine, and corresponds to a service utilized by the first host machine and managed by the control plane of the MSP. In response to the first request being validated, a first state of the first host machine is modified in the second tenancy based on the first request.

Abstract: A device management service may enforce compliance of remote devices with device specifications by disabling or enabling use of client certificates by applications installed on the devices. The device management service receives configuration data from an agent installed on the remote device. If the device management service determines that the device is no longer compliant with specifications for the device, then the device management service may prevent subsequent use of client certificate(s) by applications on the device to establish certificate-based connections. For example, the device management service may disable or revoke a client certificate or may instruct the device to disable or remove the client certificate. If the device becomes compliant at a subsequent time, then the device management service may enable the client certificate or cause a new client certificate to be sent to the device.

Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.

Abstract: A mode selector permits deactivating a run-time operational mode and activating a privileged operational mode on a remote terminal unit (RTU). One or more functionalities associated with the privileged operational mode are performed via a local and/or a remote computing device communicatively coupled to the RTU. The functionalities include at least one of developing and deploying content for the RTU, loading security certificates for the RTU, enabling Linux root account access to the RTU, and performing system maintenance on the RTU. The mode selector switch returns the RTU to the run-time operational mode after the functionalities are performed.

Abstract: Various approaches for identifying possible unsecured devices on a network as set forth. In some cases, approaches discussed relate to systems and methods for identifying possible unsecured devices based upon a host name for each of the discovered devices.

Abstract: A specific communication device may send specific identification information for identifying the specific communication device to an external via a communication interface, wherein the external device may display a screen including the specific identification information in a case where the external device receives the specific identification information from the specific communication device; and in a case where a specific condition including that the specific identification information is sent to the external is fulfilled, a state of the display unit may be changed from a first state to a second state, the first state being a state in which the display unit does not display the specific identification information, and the second state being a state in which the display unit displays the specific identification information.

Abstract: An electronic device according to various embodiments may include: a communication circuit, a memory, and at least one processor functionally connected to the communication circuit and the memory, wherein the at least one processor is configured to: perform wireless communication with an external electronic device through the communication circuit, based on a shared secret key generated by the electronic device in a process of configuring an association with the external electronic device, transmit, to the external electronic device through the communication circuit, a renewal frame for renewing the shared secret key, at a time point at which a lifetime of the shared secret key expires or at a time point a specified time ahead of the time point at which the lifetime of the shared secret key expires, and renew the shared secret key to perform wireless communication with the external electronic device through the communication circuit, based on the renewed shared secret key.

Abstract: Disclosed are various embodiments of a multiuser unified endpoint management (UEM) system. A device check-in can be received from a client device. The device check-in can include a device identifier that uniquely identifies the client device with respect to other client devices and a user identifier that uniquely identifies the user of the client device with respect to other users of the client device. In response, a device channel identifier associated with the device identifier and a user channel identifier associated with both the user identifier and the device identifier can be obtained. Then a first set of entitlements associated with the device channel identifier and a second set of entitlements associated with the user channel identifier can be selected. Both sets of entitlements can be provided to the client device in response to the device check-in.

Abstract: A system and method is provided that enables voice recognition for legacy operating systems of a computing device. An exemplary method includes receiving speech-based instructions from a user of mobile device that indicate a request for executing a task. The speech-based instructions are then analyzed by an intelligent personal assistant running on the mobile device to determine an intent of the user. If the intent of the user identifies a specialized client software module installed on the mobile, the software module will generate a command object that includes parameters relating to the execution of the task. The command object is then transmitted by the first computing device to a personal computer with a legacy operating system where the command object causes a software agent installed on the personal computer to execute the task based on the parameters included in the command object.

Abstract: A data sharing system may facilitate sharing of data with third party systems. The data sharing request can be identified as being a potential privacy risk. To reduce the potential privacy risk, in one example, requested user data can be modified prior to sharing. The modified user data can be shared with the third party system rather than sharing unmodified user data.

Abstract: Embodiments of the present disclosure provide systems and methods for managing role hierarchies and assignment of permissions by providing secure roles which are roles where the only user that can grant any privilege to the secure role, is the role that owns the secure role. A set of secure roles that defines a role hierarchy may be generated, wherein only a role that owns the set of secure roles can grant any privilege to each of the secure roles. The role that owns the set of secure roles may grant one or more privileges to a first secure role of the set of secure roles. In response to a user other than the role that owns the set of secure roles attempting to grant a privilege to the first secure role or modify a privilege granted to the first secure role, the attempt may be denied.

Abstract: A health administration method, a health administration apparatus, a health administration system, and a data collection apparatus are provided. The health administration method involves a plurality of objects and a plurality of devices, and includes: generating a device usage record of at least one object based at least on identity information of the at least one object among the plurality of objects and data generated by a device used by the at least one object (S10), and providing the device usage record of the at least one object to a memory associated with a health administration apparatus (S20). The health administration method, the health administration apparatus, the health administration system, and the data collection apparatus can improve work efficiency of medical workers.

Abstract: A system and method for providing external resources through a zero trust environment includes recording a web session of a first user to generate a policy allowing a second user to access the resource used in the web session. The method includes receiving a request to initiate a network session with the zero trust environment, the request including login credentials, wherein the login credentials correspond to an authorizing user account; receiving a request to access a resource in a network environment which is external to the zero trust environment; detecting in the request a domain associated with the resource; and configuring a policy engine of the zero trust environment to generate a policy allowing network traffic between the domain and a designated user account, based on the received request.

Abstract: A system can maintain respective extended attributes for respective files in a file system, wherein the respective extended attributes comprise respective first-in-first-out (FIFO) queues of user identities that have been determined to have modified the respective files. The system can receive an indication to perform a delete operation on a first portion of the file system, wherein the indication is indicative of a first user identity for which files are to be preserved. The system can, in response to receiving the indication, evaluate the respective files, comprising in response to determining that the first user identity is omitted from a FIFO queue of the respective FIFO queues, delete a file of the respective files that corresponds to the FIFO queue; and in response to determining that the first user identity is identified in the FIFO queue, refrain from deleting the file.

Abstract: Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.

Abstract: Briefly, embodiments are directed to a system, method, and article for receiving an authorization request message for a remote commerce transaction with a particular merchant, where the authorization request message comprises a merchant universal payment identifier (MuPi). The MuPi may be extracted from the authorization request message. Validation information may be determined for the MuPi. A message may be transmitted to a payment network to enable authorization of the remote commerce transaction at least partially in response to the determination of the validation information.

Abstract: Disclosed is an identity authentication system for distributed Internet of vehicles (IoV), including a core cloud, a plurality of edge clouds, a plurality of road side units (RSUs) and a plurality of terminal vehicles. The core cloud stores registration information about the terminal vehicles and the RSUs; the edge cloud performs identity verification on the RSUs according to the registration information, and after the verification is passed, the edge cloud generates a temporary shared session key and sends the same to the RSU and the terminal vehicle, and the RSU and the terminal vehicle establish encrypted communication according to the temporary shared session key, to provide a network communication service for the terminal vehicle. In the present disclosure, a vehicle identity authentication efficiency in a scene with a large traffic density can be effectively improved.

Abstract: Systems and methods mediate permissions for applications on user devices using predictive models. Data communications are monitored on a user device for permission requests and responses. A predictive model is trained with these permission requests and responses until a threshold is met. Then, a default permission response is provided on behalf of the user device in response to a permission request.

Abstract: This disclosure provides a method for controlling a camera, the camera comprising a controllable component and associating with at least one associated client and a reference device, the method comprises: obtaining a first client list of the at least one associated client and a second client list of clients that are currently connected to the same local area network as the camera by connecting with the reference device; comparing the first client list with the second client list; and controlling a state of the controllable component so that the camera is in a first state when one or more of the at least one associated client are connected to the same local area network as the camera via the reference device and is in a second state when no associated client is connected to the same local area network as the camera.

Abstract: Systems and methods are provided for persistent login. Such persistent login may be based on linking user identity across accounts of different entities to allow each entity to maintain control over their respective sets of user data, while providing a streamlined user experience that avoids much of the repetitive need to login to different services with different login credentials (e.g., during periods of heavy use). Such persistent login may utilize a set of tokens issued and exchanged between devices of the partnering entities. Such tokens may include an access token, refresh token, and identity token. When a user associated with a first entity requests access to information secured by a second entity, such request may be associated with the access token. If the access token is determined to be expired, the refresh token may be used to refresh the access token, which may also trigger issuance of a new refresh token.