Abstract: A method implemented in a Software as a Service (SaaS) management platform (SMP) is provided, including: providing, over a network, a user interface for rendering by a client device to an employee of a customer of the SMP; receiving, over the network, input from the client device via the user interface, said input identifying a request by the employee for a SaaS application that is one of a portfolio of SaaS applications used by the customer and managed by the SMP; accessing an approval setting stored in association with the SaaS application, the approval setting configured to authorize automated approval of the employee for the SaaS application; responsive to receiving the input, and based on the approval setting, then triggering a single sign-on (SSO) service to provision the employee as a user of the SaaS application.

Abstract: A gesture access system includes a mobile device having a processor, an electronic storage medium, an environment detector system, and a software-based application. The application is stored in the storage medium and executed by the processor for generating a determination that a user of the mobile device has performed an intentional motion indicative of an intent to gain access. The environment detector system is adapted to generate and output information relative to a location of the mobile device with respect to the user and to the processor to assist in the determination.

Abstract: A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In response to determining that the identified delivering organization is authorized to deliver email on behalf of the email domain, the DNS server generates a target validation record based on the identity of the authorized delivering organization and the email domain, the target validation record including one or more rules indicating to the receiving email system whether the delivering organization is an authorized sender of email for the email domain.

Abstract: In some implementations, an authentication system may receive a user authentication request identifying a primary device. The authentication system may generate a challenge associated with a user profile mapped to the primary device. The authentication system may transmit a challenge message including the challenge. The authentication system may receive a challenge response including a response to the challenge, wherein the response to the challenge includes identification information regarding the user profile. The authentication system may determine a set of primary services associated with the user profile mapped to the primary device and a set of secondary services associated with a set of secondary devices. The authentication system may generate a set of security keys mapped to the set of primary services and the set of secondary services. The authentication system may provision the primary device and the set of secondary devices with the set of security keys.

Abstract: Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities, roles, entitlements or other identity management artifacts of a distributed networked enterprise computing environment. Specifically, embodiments of an artificial intelligence based identity management systems may perform predictive modeling for entitlement diffusion or role evolution or other aspects of identity management artifact using network identity graphs.

Abstract: Targeted lockdown of a computer system for an identified vulnerability is provided. The targeted lockdown includes configuring a vulnerability lockdown module implemented on a computer system to perform targeted actions to change a configuration of the computer system. The targeted actions may be configured based at least in part on a type of data stored on the computer system and a potential severity of an impact on the computer system if the vulnerability is exploited. The vulnerability lockdown module may implement a vulnerability lockdown mode by causing the computer system to perform the targeted actions to change the configuration of the computer system by restricting functionality of portions of the computer system affected by the identified vulnerability. The targeted actions performed by the computer system may include altering a way in which a user interacts with the computer system.

Abstract: Systems and methods described herein provide selective synchronization of DNS records. A synchronization data store is synchronized by: obtaining a complete set of domain name system (DNS) records for a first data center; and copying the complete set of DNS records to the synchronization data store. After the synchronization data store is initialized, at a particular time interval, a snapshot of the complete set of DNS records is repeatedly collected. Differences between the copied complete set of DNS records of the synchronization data store and the snapshot of the complete set of DNS records are identified. The synchronization data store is updated with the differences and a determination is made as to whether the differences should be implemented at a second data center. When the differences should be implemented at the second data center, the differences are propagated to the second data center, otherwise they are not.

Abstract: Embodiments use electronic speech samples of detainees and automatically scan electronic speech sample databases to detect when a detainee has a criminal record and to alert controlled-environment facility personnel to that record. An electronic speech sample of the detainee is captured during booking or at another time. The electronic speech sample is compared to a database of electronic speech samples of individuals with criminal records. If the electronic speech sample matches an existing electronic speech sample in the database, then information associated with the matching electronic speech sample is provided to the controlled-environment facility personnel. The information is analyzed to identify key issues, such as active warrants. The controlled-environment facility personnel are alerted to any such key information.

Abstract: The present disclosure relates to a system and methods for providing user authorization via a computer network, particularly, by using mobile authorization, wherein a user can be granted access in a variety of mobile channels. The preferred embodiment of the claimed disclosure presents a user authorization system comprising a user device associated with a data source via a data channel, while the data source is associated with an authentication system, in which there are: the user device configured to form an authorization request to the data source via at least one mobile channel associated with said device; the data source configured to receive the user authorization request and transmit the corresponding request to the authentication system; and the authentication system providing user authorization on said resource via at least one mobile channel associated with the user device.

Abstract: A system and method for backing up critical data of edge devices includes originator, surrogate, and target edge devices as well as a vault-broker server. The critical data, encrypted, is transmitted to and stored by a surrogate. The association of originator and surrogate is managed by the vault-broker server. Encryption protects the data from recovery by unauthorized parties while allowing surrogate edge devices to determine if recovery attempts are made by authorized parties.

Abstract: Systems and methods for maintaining voice assistant persistence across multiple network microphone devices are described. In one example, first and second NMDs each identify a wake word based on detected sound, and are each transitioned from an inactive state to an active state in which the NMD captures and transmits sound data over a network interface. The first NMD is selected over the second NMD to output a first response, and both NMDs remain in the active state to further capture and transmit sound data. After further capturing and transmitting of sound data, the second NMD is selected over the first NMD to output a second response. After a predetermined time, one or both of the NMDs are transitioned back to the inactive state. The selection of one NMD over another for outputting a response can be based at least in part on user location information.

Abstract: A vehicle information remote retrieval method includes an emergency personnel or first responder vehicle (FRV) establishing a vehicle connection between an infotainment system of a vehicle and the FRV. The FRV sends a vehicle information request to the infotainment system of the vehicle, via the vehicle connection, seeking release of vehicle information. The FRV obtains authentication of the vehicle information received in response to the vehicle information request. The FRV determines occupant status based on the vehicle information. The FRV communicates the passenger status to a first responder.

Abstract: Systems, methods, and computer program products to provide neural embeddings of transaction data. A network graph of transaction data based on a plurality of transactions may be received. The network graph of transaction data may define relationships between the transactions, each transaction associated with at least a merchant and an account. A neural network may be trained based on training data comprising a plurality of positive entity pairs and a plurality of negative entity pairs. An embedding function may then encode transaction data for a first new transaction. An embeddings layer of the neural network may determine a vector for the first new transaction based on the encoded transaction data for the first new transaction. A similarity between the vectors for the transactions may be determined. The first new transaction may be determined to be related to the second transaction based on the similarity.

Abstract: Aspects of the disclosure relate to dynamically generating activity prompts to build and refine machine learning authentication models. A computing platform may process a first set of login events associated with a first user account and may build a first user-specific authentication model for the first user account. Then, the computing platform may process a second set of login events associated with a second user account and may build a second user-specific authentication model for the second user account. The computing platform also may build a population-level authentication model for a plurality of user accounts. Thereafter, the computing platform may identify one or more activity parameters associated with at least one authentication model for refinement. Subsequently, the computing platform may generate and send one or more activity prompts to one or more client computing devices to request at least one user response.

Abstract: An authentication system, a user information extraction apparatus, and a user information migration method. The authentication system acquires user information for authenticating a user who uses a device and transmits the acquired user information to the information processing system and the information processing system stores in one or more memory common user information for authenticating a common user who uses the device and another device different from the device, receives the user information from the user information extraction apparatus, and adds the received user information to the common user information stored in the one or more memory.

Abstract: Described embodiments provide systems and methods performing header protection. A device can receive from a client, a request relating to a first resource, for a second resource. The device can determine, using an identifier for the session, whether an address of the first resource has been previously accessed by the client during the session. The device can verify, using an address of the second resource, whether the address of the second resource is mapped to the address of the first resource for the session between the client and the device. The device can determine whether to provide access to the second resource responsive to the address of the first resource being previously accessed by the client during the session and the address of the second resource being mapped to the address of the first resource for the session.

Abstract: An aircraft includes a video display, first and second wireless pairing transmitters, and a media distribution processor. The video display is associated with an audio content stream and a seating location in the aircraft. The first wireless pairing transmitter is associated with the video display and has a first wireless coverage volume. The second wireless pairing transmitter has a second wireless coverage volume that overlaps the first wireless coverage volume. The media distribution processor is programmed and configured to: associate a wireless speaker device with the seating location; pair the first wireless pairing transmitter with the wireless speaker device in response to associating the wireless speaker device with the seating location; and direct the audio content stream through the first wireless pairing transmitter to the wireless speaker device in response to connecting the first wireless pairing transmitter with the wireless speaker device.

Abstract: A data security method, including creating an interaction graph, by analyzing collected interaction events between users and between users and files and/or records, where a respective node of the interaction graph represents a specific one of a user, a record, and a file, where a respective edge indicates an interaction between respective users or between a respective user and a respective file and/or record, where an interaction weight assigned to the respective edge indicates an amount of the interaction, monitoring an attempt by a target user to access a target file and/or record, computing a target interaction weight between the target user and the target file and/or record from the interaction graph, and in response to the target interaction weight being below a target threshold, at least one of filtering security alerts, and blocking access by the target user to the target file and/or record.

Abstract: A permissions management service may allow a large number of user to access database objects of a database service in a scalable manner. After a data owner on-boards a database of a database service with the permissions management service, the data owner may create a data catalog for a user or user group that indicates the database objects (e.g., tables, views) that are available for the user to request access to. A request from a user may be authenticated by the permissions management service using federation/single sign-on. The user may select database objects from a data catalog of objects that are available for the user to request access to. The permissions management service sends an access request to the database service, indicating the selected database objects. The database service may then grant to the user permission to access the selected objects (e.g., via grant commands).

Abstract: A method of providing interactive media including receiving an operator input of metadata tags and transmitting a network call to social media platform servers. The network call includes a query for user posts to the social media platform server that include the metadata tags. In response to the query for users posts, the method includes receiving user post data associated with user posts that include the metadata tags. The method includes comparing a timestamp included in the received user post data with timestamps of prior user post timestamps in a stored list of prior user post data. Upon determining that the timestamp included in the received user post data is more recent than prior user post timestamps, the method includes transmitting commands to hardware devices based on the user post data. The commands are configured to activate actions of the hardware devices.

Abstract: A method for privacy preserving data processing in a linked data operating environment wherein applications have secure and permissioned access in an interoperable manner to data that is stored in one or more online data stores. The method begins by creating a privacy preserving data processing (PPDP) agent for use by an entity to process the data in association with the online data stores. The PPDP agent is then subjected to a certification process that ensures that the PPDP agent does not exfiltrate any data from the online data stores. After a successful certification, and following registration of the agent with an agent repository, a secure PPDP environment is instantiated in association with the data stores and in which the PPDP agent is then configured to execute. The PPDP agent is then executed within the secure PPDP environment over a configured security context and life-cycle of the PPDP agent.

Abstract: Examples are disclosed for remote management of a computing device. In some examples, a secure communication link may be established between a network input/output device for a computing device and a remote management application. Commands may be received from the remote management application and management functions may be implemented at the network input/output device. Implementation of the management functions may enable the remote management application to manage or control at least some operating parameters of the computing device. Other examples are described and claimed.

Abstract: An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

Abstract: This application provides an identity management method, a device, a communications network, and a storage medium. The method includes generating, by a first control plane node, a first identification, a first public key, and a first private key for user equipment. The method also includes signing the first identification and the first public key based on a second private key of the first control plane node, to obtain first transaction data. The method further includes broadcasting the first transaction data in a blockchain network, where the first transaction data is to be used for consensus calculation in the blockchain network.

Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.

Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.

Abstract: To ensure that an electronic device is a secure electronic device, a communication device transmits a request to authenticate the electronic device to a remote electronic device across a network. The communication device receives a security challenge. One or more processors of the electronic device obtain a response to the security challenge using a secret key stored in an encrypted memory of the electronic device. The communication device then transmits the response to the response to the security challenge to the remote electronic device. If the remote electronic device recognizes the response, it transmits a shared secret content marker, which can optionally be presented at a user interface of the electronic device. The request can be automatically initiated by a companion electronic device.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely manage transfers of digital assets between computing devices using permissioned distributed ledgers. By way of example, an apparatus may receive, from a first device, a request to transfer a digital asset to a second device and a first digital signature applied to the request. Based on a validation of the first digital signature, the apparatus may approve the request and apply a second digital signature to the request and the first digital signature indicative of the approval of the request by the apparatus. The apparatus may also transmit the request, the first digital signature, and the second digital signature to a computing system, which may validate the first and second digital signatures and perform operations that record the first public key and asset data identifying the digital asset within at least one element of a distributed ledger.

Abstract: An online software platform (OSP) produces, by applying resource digital rules to previous relationship instance data of a primary entity data associated with one or more secondary entities of the domain, a domain resource regarding the domain. The OSP may then determine, by applying an alignment digital rule of the domain to the relationship instance data and the domain resource, whether or not an alignment condition of the domain is met, which indicates whether resources for relationship instances of the primary entity should have been remitted to the domain. If the alignment condition is not met, then the OSP may assemble proposal components, and communicate some of them to the domain on behalf of the primary entity to remit the resources, without initially communicating those proposal components that would reveal the identity of the primary entity.

Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.

Abstract: The invention relates to a method for securely providing a personalized electronic identity on a terminal (2) which can be used by a user (1) for identification purposes when claiming an online service. In the method, an identification application is ran on a terminal (2), which is assigned to a user (1), in a system comprising data processing devices (9; 10; 11; 12) and said terminal (2), and additionally a personalization application and an identity provider application are ran.

Abstract: Authentication management by receiving a request to initiate an authentication from a computing device of a user, directing the request to a selected authentication service of a plurality of authentication services, wherein the selected authentication service is determined dynamically based on respective authentication metrics of the plurality of authentication services, receiving authentication information via the selected authentication service, and authenticating the user based on the received authentication information.

Abstract: Systems and methods for management and configuration of personal digital privacy and security. A list of protected accounts is received, where each protected account is an online user account associated with a user. For each protected account of the list, a privacy configuration is generated, based at least in part on one or more user-specific privacy rules. A login session for the protected account is accessed, without transmitting or receiving the user's password for the protected account. Based on the accessed login session for the protected account, a plurality of current status indicators are determined for a plurality of privacy settings associated with the protected account. The current status indicators are analyzed to generate updated configuration settings for one or more of the privacy settings of the protected account, and the updated configuration settings are applied to the protected account.

Abstract: Techniques are provided for anomaly-based ransomware detection of encrypted files. One exemplary method comprises obtaining metadata for an encrypted file; applying an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute; and determining whether the encrypted file comprises a ransomware encryption based on the comparison. In some embodiments, one or more of file extension attributes, file size attributes and file name attributes in the metadata are compared to the one or more corresponding historical baseline values to identify a ransomware attack.

Abstract: A method of managing file permissions in a remote file storage system includes defining permissions for the remote file storage system and controlling access to objects on the remote file storage system according to the permissions of the remote file storage system. The permissions are transferred to a client file storage system remote from the remote file storage system, and access to objects on the client file storage system is controlled according to the permissions of the remote file storage system. A remote file storage system includes a permissions file generator operative to generate a permissions file, which is transmitted to a client file storage system for enforcement at the client file storage system.

Abstract: A dynamic privileged access governance system and associated processes are disclosed. The dynamic privileged access governance system and processes are cloud-native and adapt to the dynamic nature of the cloud systems.

Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a request from an application for authorization to access. Access to the application is requested by a user using a user device. The processor is configured to provide an authentication request to the user device, receive a device credential, wherein the device credential is backed by data stored in a distributed ledger, determine a user identifier and an authentication device associated with the user based at least in part on the device credential, provide a proof request to the authentication device, receive a proof response, determine that the proof response is valid, generate a token, and provide the token to the application authorizing access for the user.

Abstract: Various disclosed embodiments include illustrative systems, structures, and methods for performing authenticated access to a structure. An illustrative system includes a connector configured to be operably connected to a personal electronics device and to receive an electric charge from the personal electronics device, a controller couplable to an electromechanical locking device and the connector, and a memory. The memory is configured to store computer-executable instructions configured to cause the controller to receive first authentication information, receive second authentication information from the personal electronics device, authenticate the personal electronics device responsive to the first authentication information and the received second authentication information, and activate an electromechanical locking device to unlock responsive to the electric charge and a successful authentication.

Abstract: Various systems and methods of establishing and utilizing device management (DM) services in Internet of Things (IoT) networks and similar distributed network architectures, are described herein. In an example, a Cloud-To-OCF Device mediator service may be established from OCF services definition; this mediator service may be used to establish connectivity between a cloud-capable device and a cloud-based service. Further systems and methods to provide a proxy access service (PAS) hosted on a cloud service provider, that enable a PAS to coordinate and preserve device-to-device interactions from end-to-end, are also disclosed.

Abstract: Various exemplary embodiments relate to an anonymous database system. The system includes a plurality of biometric nodes in communication with one another. Each of the plurality of biometric nodes includes a biometric input that receives biometric data from a user. The system also includes at least one central database in communication with the plurality of biometric nodes; and a plurality of institution databases in communication with the plurality of biometric nodes. A first node of the plurality of biometric nodes is configured to receive a message from a second node of the plurality of biometric nodes, the message requesting authorization of data access by the second node. Various embodiments relate to a method for performing an action requiring multiple levels of authentication using an anonymous database system.

Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.

Abstract: Techniques are disclosed relating to installing and operating applications in a server-based application workspace. A computer system, while operating the server-based application workspace, may store subscription information indicating a user that is a developer for a particular application package, and one or more users that are subscribers for the particular application package. The computer system may further store lock data for the particular application package that indicates user permissions to edit at least one application component for the particular application package. Based on the lock data, the computer system may permit the developer to edit the at least one application component of the particular application package, and deny requests from the one or more users to edit the at least one application component.

Abstract: The present invention provides methods, systems and computer program products (software) for the reliable, attack-resistant authentication of a network-connected user to a network-connected service provider.

Abstract: A system for accepting the input of a PIN comprises a first device receiving a randomized PIN layout derived on a fourth device. The randomized PIN layout is displayed on a display of the first device. A second device comprises an input for accepting a series of key presses to produce a PIN token. The PIN token indicating each of the series of key presses. A third device is in communication with the second device. The third device derives the randomized PIN layout and receives the PIN token from the second device without the PIN token being present on the first device. The third device combines the PIN layout and the PIN token to produce a PIN. The PIN is used to authenticate a transaction. The fourth and third devices each store a shared secret used to independently derive the randomized PIN layout on the fourth and third devices.

Abstract: A method for unlocking the lock using real-time wireless power supply includes proceeding with authentication identification of a powerless lock by an electronic key after pairing. Power is wirelessly supplied from the electronic key to the lock when the authentication identification starts or the authentication identification passes. The lock obtains the power wirelessly supplied from the lock to operate. When the authentication identification is identified as being successful, the electronic key outputs an unlocking command to the lock. The lock receiving the unlocking command proceeds with an unlocking operation using the power supplied wirelessly.

Abstract: Certain aspects of the present disclosure provide techniques and systems for screening chat attachments. A chat attachment screening system monitors a chat window of a first computing device associated with a first user during an interaction session between the first user and a second user. An upload of an attachment is detected based on the monitoring. Access to the attachment from a second computing device associated with the second user is blocked, in response to detecting the upload. Content from the attachment is identified and extracted. A type of the attachment is determined based on the content. A determination is made as to whether the second user is authorized to access the type of the attachment. An indication of the determination is presented on at least one of the first computing device or the second computing device during the interaction session.

Abstract: Provided is a system for blockchain-based multi-factor security authentication between a mobile terminal and an IoT device, the system including: the IoT device; a user terminal remotely controlling operation of the IoT device; and an authentication server approving control of the IoT device by the user terminal, wherein the authentication server has: a first function of recording information related to a registration hash value in a blockchain; a second function of receiving an authentication hash value generated by the user terminal when approval for control of the IoT device is requested, and determining validity of the authentication hash value by using the information related to the registration hash value recorded in the blockchain; and a third function of approving control of the IoT device by the user terminal when the authentication hash value has validity as a result of the determination.

Abstract: A system can include a processor having a secure mode and a non-secure mode, and a secure module configured to respond to tokens posted by the processor in the secure mode. Each token can identify a secure asset, and source and destination addresses within secure and public address spaces. The secure module can include a memory storing secure assets identifiable by the tokens and a memory access circuit to read data from source addresses and write processed data to destination addresses. The system can further include a cryptography engine configured to process the read data using identified secure assets. The secure module can respond to tokens posted in the non-secure mode. The memory can store, with each secure asset, a respective rule defining the address spaces where the memory access circuit may read and write data. The secure module can ignore tokens that do not satisfy respective rules.

Abstract: In a server configured to operate on a network. secured access to shared digital content is implemented in response to a request from a first user to access one or more content items belonging to a second user. Information about the first and second users is analyzed with a machine learning algorithm to determine a relationship between the first user and the second user. The first user is granted or denied access to the one or more content items based on the determined relationship.

Abstract: Disclosed embodiments relate to systems and methods for securely handling secrets by securing development and operations pipelines. Techniques include identifying a network access request for a process within the development and operations pipeline; accessing a result of at least one investigation of the process and the network access request, wherein the at least one investigation includes one of monitoring the process behavior, performing a process attestation, or performing an inspection of the network access request; determining whether to authorize the network access request; and conditional on whether the network access request is authorized, dynamically injecting a secret into the network access request, wherein the secret is not made available to the process itself.