Management Patents (Class 726/6)
  • Patent number: 11096050
    Abstract: Approaches presented herein enable challenge-response authentication of a user based on information captured by devices associated with the user. Specifically, in one approach, a plurality of devices associated with the user that each dynamically track and store on-device data points over a period of time are identified. A request initiated by a party claiming to be the user is received to authenticate the party as the user. An authentication question is generated in a natural language, the answer to which is a data point selected from data points on at least one device of the plurality, wherein the selected data point is discoverable by viewing data points on the at least one device. The requesting party is prompted to find the data point by presenting the authentication question to the requesting party. In the case that the requesting party returns the answer, the requesting party is authenticated as the user.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Itzhack Goldberg, Boaz Mizrachi, Clifford A. Pickover, Neil Sondhi
  • Patent number: 11095447
    Abstract: The invention relates to a method to initiate the use of cryptography and authentication methods and to perform these methods. The method comprises the steps of: generating a URI (410), calling (420) a communication component (120) using the generated URI and a proprietary URI scheme; performing (430) the cryptography and authentication method by the local communication component (120); generating (440) at least one result (440) by the communication component (120).
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: August 17, 2021
    Assignee: SECUNET SECURITY NETWORKS AG
    Inventors: Gregor Boeckeler, Niels Cölle, Thomas Maier, Michael Stoll, Johannes Schäffner, Stephan Wehr
  • Patent number: 11095636
    Abstract: The disclosed computer-implemented method for protecting passwords may include (i) intercepting network traffic indicating an attempted login procedure at a workload device to login to a protected resource, (ii) prompting a user, in response to intercepting the network traffic, and at an authentication device that has been registered to the user, to indicate whether to approve the attempted login procedure, (iii) collecting, at the authentication device, a credential for the attempted login procedure that was stored in a protected vault of the authentication device, (iv) providing, by the authentication device to the workload device, an authentication decision based on the collected credential, and (v) injecting, at the workload device, the authentication decision into a browser session to enable the user to complete the attempted login procedure to login to the protected resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: August 17, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Ilya Sokolov, Keith Newstadt
  • Patent number: 11093292
    Abstract: An approach is provided for controlling computer resource usage. A new event in an integration flow in an integration platform is detected. Sender and receiver information is identified and hashed. A portion of data being sent by the sender to the receiver is selected and hashed. It is determined that the hashed sender and receiver information matches a first entry and the hashed selected portion of the data matches a second entry in a pattern repository. A recurring event in the integration flow is identified, where the recurring event uses an amount of computer resources that exceeds a threshold amount. An action is performed which reduces the amount of computer resources used by the integration flow to a new amount that does not exceed the threshold amount.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Hemalatha Rajendran, Balaji Sankar Kumar, Kapish Malhotra, Mohit Sati
  • Patent number: 11095526
    Abstract: The present application provides a system and method for accelerated network service and/or network slice provisioning in response to customer requests or requirements. The provided system and method incorporate a network service/network slice instance that is responsible for constructing and maintaining status and models associated with the dynamics of network services. A modelling function can be operated based on collected network service information to maintain a model relating to network service dynamics, and transmit indications, such as predictions of future requirements, to a corresponding network management service. The indications can be used for creation, modification, and termination of the network service, or for advanced preparation of such actions.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: August 17, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Nimal Gamini Senarath, Jaya Rao
  • Patent number: 11094023
    Abstract: A computer-implemented method includes: receiving, by a computing device, a vault access request for vault credentials stored by a vault server; verifying, by the computing device, whether a source of the vault access request originated from a multitenant application server; preventing, by the computing device, access to the vault server and the vault credentials when the source of the vault access request has not been verified as originating from the multitenant application server; obtaining, by the computing device, vault credentials from a vault server based on verifying that the source of the vault access request originated from the multitenant application server; and executing, by the computing device, a multitenant application task using the vault credentials.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: August 17, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jose R. D. Coronel, Victor R. Herrero
  • Patent number: 11088965
    Abstract: The present disclosure relates to a SDN-based method for mirroring packets, wherein a SDN controller is coupled to an upper layer application and at least one data switching exchange respectively, and the method including: a) the upper layer application sends a mirroring instruction to the SDN controller through a first northbound interface of the SDN controller; b) the SDN controller generates a second flow table based on the mirroring instruction and a first flow table sent by a first data switching exchange; wherein the first data switching exchange initiates transmission of the packets, the first flow table encapsulates the packets, and the second flow table includes at least an action command corresponding to the mirroring instruction; and c) a second data switching exchange extracts the packets from the second flow table, and mirrors the packets to the designated node based on the action command.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: August 10, 2021
    Assignee: CHINA UNIONPAY CO., LTD.
    Inventors: Hang Yuan, Yongkai Zhou, Lijun Zu, Huajun Chen, Junling Yan, Guobao Liu, Shuo He
  • Patent number: 11082838
    Abstract: Various embodiments comprise systems, methods, architectures, mechanisms, apparatus or protocols configured to provide seamless authentication of devices to secure networks via an Extensible Authentication Protocol (EAP) using credentials based on device information and/or service information visible to third party mobile services providers.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: August 3, 2021
    Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
    Inventor: Loay O. Kreishan
  • Patent number: 11082422
    Abstract: Disclosed are various embodiments for an authentication manager. In one embodiment, the authentication manager performs an identity verification on a network site. The authentication manager determines that a particular portable data store is present in the client computing device, and then reads a security credential from the particular portable data store. The authentication manager automatically sends data encoding the security credential to the network site.
    Type: Grant
    Filed: June 3, 2016
    Date of Patent: August 3, 2021
    Assignee: Amazon Technologies, Inc.
    Inventor: Jesper M. Johansson
  • Patent number: 11082425
    Abstract: In an approach to securing data using alternative value identification schemes, one or more computer processors receive user registration data, wherein the user registration data includes one or more authentication parameters, wherein the one or more authentication parameters includes one or more physical pressure-based inputs by a user. The one or more computer processors receive an access request requiring an authentication from the user, wherein the access request includes the one or more physical pressure-based inputs by the user associated with the one or more authentication parameters. The one or more computer processors determine whether the one or more authentication parameters match the user registration data. Responsive to determining that the authentication data matches the registration data, the one or more computer processors authenticate access for the user.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: August 3, 2021
    Assignee: International Business Machines Corporation
    Inventors: Itzhack Goldberg, Harry R. McGregor, Yossi Mesika, Christopher B. Moore
  • Patent number: 11082221
    Abstract: A method for recovering data. Identity factors are collected at a device, wherein hashes of the identity factors are configured to be stored at a server. A dynamic password is generated at the device based on the identity factors and a Salt generated by the server and configured to be delivered to the device. A selfie is captured of a user. The device generates a symmetric key used to encrypt the selfie. The symmetric key is encrypted using the dynamic password. The encrypted symmetric key and the encrypted selfie are stored on the server. One or more data items are stored on the server. The dynamic password is recoverable by presenting the plurality of identity factors that are hashed to the server. The symmetric key is recoverable using the recovered dynamic password. The data items are recoverable by presenting the symmetric key and a second selfie of the user.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: August 3, 2021
    Assignee: Ping Identity Corporation
    Inventors: Armin Ebrahimi, Gaurav Khot
  • Patent number: 11075907
    Abstract: An end-to-end security communication method includes, when receiving a security key generation request packet from a first host, generating, by a communication controller, a security key for end-to-end security communication between the first host and a second host, transmitting the generated security key to each of the first host and the second host, and setting a forwarding rule for transmission of a packet destined for a Media Access Control (MAC) address of the first host or a MAC address of the second host to a first switch and a second switch connected respectively to the first host and the second host. According to the end-to-end security communication method, the communication controller performs the process of generating a security key that will be shared between hosts using Software Defined-Networking (SDN), so that MAC security communication technology can be applied to communication between hosts belonging to different networks.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: July 27, 2021
    Assignee: KOREA UNIVERSITY RESEARCH AND BUSINESS FOUNDATION
    Inventors: Sung-Gi Min, Ju-Ho Choi, Junghwan Cha, Hyeon-Ki Yun, Il-Woong Kim, Taeyoon Kim, Seung Hoon Lee
  • Patent number: 11069177
    Abstract: The user interface associated with the item is improved. The information processor 1 displays the first item display screen 22 in which the first item icons 221 corresponding to the types of the possessed items are displayed in a list correspondingly to the possessed number. The information processor 1 switches the second item display screen 23 to display in which the second item icons 231 corresponding to the possessed items are displayed in a list correspondingly to the expiration date when the first item icon 221 in the first item display screen 22 is operated by being pressed for a long time.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: July 20, 2021
    Assignee: UNIVERSAL ENTERTAINMENT CORPORATION
    Inventors: Masaki Oyama, Atsushi Kumita, Toshikazu Jinnouchi
  • Patent number: 11066043
    Abstract: Provided is a vehicle including: a communication unit configured to communicate with a user terminal; and a control unit configured to, upon receiving a response signal including terminal information of the user terminal from the user terminal, determine an authentication allowed time for authenticating the user terminal on the basis of the terminal information, generate user information including the terminal information and the authentication allowed time corresponding to the terminal information, and authenticate the user terminal on the basis of the generated user information.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: July 20, 2021
    Assignees: Hyundai Motor Company, Kia Motors Corporation
    Inventors: SeokHan Lee, KyuHwan Chin, Sinjung Kim, Yongho Shin, Sang Woo Ji
  • Patent number: 11068583
    Abstract: A device determines that a data breach of an application has been reported and determines that an individual has an account with the application based on identifying an association between an application identifier and a username the individual uses to access the application. The device receives, from a user device associated with the individual, password information used to access the application. The device uses the password information and usernames for a group of applications with which the individual has accounts to perform a login procedure for the group of applications to determine that login information for one or more of the applications includes the password information used to access the application affected by the data breach. The device provides, to the user device or another device, a recommendation to change the password information used to access the application and the one or more applications.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: July 20, 2021
    Assignee: Capital One Services, LLC
    Inventors: Joshua Edwards, Michael Mossoba, Ljubica Chatman, Jason Ji, Carlos Rodriguez
  • Patent number: 11062542
    Abstract: A method is presented for determining whether a user with a credential should be granted access to a physical space. The method is performed in an access control device and comprises the steps of: identifying the credential presented to the access control device; obtaining a set of at least one assignment of a permission, associated with the physical space, to external organisations from a database; determining a credential organisation being associated with the credential; and granting access when, and only when, the permission is assigned to the credential organisation.
    Type: Grant
    Filed: April 18, 2016
    Date of Patent: July 13, 2021
    Assignee: ASSA ABLOY AB
    Inventor: Frans Lundberg
  • Patent number: 11062006
    Abstract: The present teaching relates to method, system, medium, and implementations for authenticating a user. A first request is received to set up authentication information with respect to a user, wherein the first request specifies a type of information to be used for future authentication of the user. It is determined whether the type of information related to the user poses risks based on a reverse information search result. The type of information for being used for future authentication of the user is rejected when the type of information is determined to pose risks.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: July 13, 2021
    Assignee: Verizon Media Inc.
    Inventors: Lachlan Maxwell, Dante J. Pacella, Mani Tadayon, Saravanan Mallesan, Lee Edward Sattler, Jean M. McManus, Ashish A. Sardesai
  • Patent number: 11063745
    Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud having a first set of cloud resources. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds having respective additional sets of cloud resources, to monitor auditable information relating to cloud resources of the first cloud and cloud services provided by the first cloud, to associate the auditable information with one or more cloud service transactions, and to generate a cryptographic block characterizing the one or more cloud service transactions and the associated auditable information. The cryptographic block is entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes.
    Type: Grant
    Filed: February 13, 2018
    Date of Patent: July 13, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Lejin Du, Ali Kashmar, Ahmed Osama, Prasanna S. Patil, Tarek ElBeih, Mohamed Yasser
  • Patent number: 11057531
    Abstract: A method and system for operating an appliance scanner system. A device can maintain at least two isolated communication channels, one to connect to a configuration service and others for connecting to document processing and management services. This can enable the configuration service to reside outside of a secure network. Firewalls and policies can prevent content generated at the scanner from exiting the secure network and reaching the configuration service. To set up the scanner, it can be initiated and connect to the configuration service via an operations communication channel. The configuration service can then instruct the scanner how to connect to various document services through one or more generated content communication channels. Furthermore, document services can communicate validation information back to the scanner.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: July 6, 2021
    Assignee: KODAK ALARIS INC.
    Inventors: Brian P. Keery, Daniel Timothy Jarvis, Alla Shadunsky, Vincent J. Finn, Kenneth B. Button
  • Patent number: 11057426
    Abstract: A system and method for providing cyber defense for electronic identification, vehicles, ancillary vehicle platforms, and telematics platforms using blockchain. The vehicle may be a ground-based vehicle, air-based vehicle, roadable aircraft vehicle, sea-based vehicle, autonomous vehicle, or unmanned aerial vehicle. The ancillary vehicle platforms may include, but are not limited to, aviation platforms, urban air mobility platforms (UAM), and unmanned aircraft systems (UAS). The system and method include determining whether a user is an authorized operator of a vehicle, the vehicle including an external display of a digital license tag. If the user is determined to be an unauthorized operator of the vehicle, the system activates a primary kill switch which prevents the activation of the vehicle's digital license tag.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: July 6, 2021
    Inventor: Donnell A Davis
  • Patent number: 11048915
    Abstract: A method and an associated device for detecting fraud during automatic face recognition, the method comprising the following steps: acquiring a first image of the face by means of a first sensor having a first field angle, and a second image of the face by means of a second sensor having a second field angle that is narrower than the first field angle; analyzing the first image to verify that there is no frame around the face; and analyzing the second image to verify that there is no moiré effect.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: June 29, 2021
    Assignee: Safran Identity & Security
    Inventors: François Rieul, Jean Beaudet, Baptiste Chu
  • Patent number: 11050753
    Abstract: An embodiment provides data driven role permissions. Computer executable instructions are received. The computer executable instructions define a role behavior with respect to a process based on a data condition. A role member user is provided different types of interactions with different instances of the process based on execution of the computer executable instructions defining the role behavior.
    Type: Grant
    Filed: July 18, 2018
    Date of Patent: June 29, 2021
    Assignee: Oracle International Corporation
    Inventors: Arif Iqbal, Suman Ganta
  • Patent number: 11051159
    Abstract: Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.
    Type: Grant
    Filed: February 4, 2019
    Date of Patent: June 29, 2021
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, David T. Haggerty
  • Patent number: 11050741
    Abstract: A system may generate a seed one-time password (OTP). The system may also perform steps including transmitting the seed OTP to a user device, receiving a response OTP from the user device, and calculating an expected response OTP by applying a function to the seed OTP. The system may then compare the response OTP to the expected response OTP and send a result in response to comparing the response OTP to the expected response OTP.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: June 29, 2021
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Wael Ibrahim, Upendra Mardikar
  • Patent number: 11044233
    Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The host computer system may be configured to receive a request to communicate with a first network destination. On a condition that the first network destination is determined to be trusted, the processor may be configured to communicate with the first network destination via a first browser process executed in the workspace. On a condition that the first network destination is determined to be untrusted, the processor may be configured to communicate with the first network destination via a second browser process executed in the isolated computing environment.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: June 22, 2021
    Assignee: L3 Technologies, Inc.
    Inventors: Peter Martz, Kenneth Moritz, Glenn Coleman
  • Patent number: 11042879
    Abstract: Methods and systems described herein may monitor, by a browser, activity of a user within a web page displayed by the browser. Based on detecting, by the browser, an attempt by the first user to perform a financial transaction with an online vendor and associated with a financial account, biometric information associated with the user may be captured by the browser. Based on the captured biometric information, the browser may determine whether the first user is authorized to perform financial transactions with the online vendor and associated with the financial account. Based on a determination that the user is not authorized to perform the financial transaction, the browser may modify at least one element of the webpage to block the user from performing the financial transaction with the online vendor.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: June 22, 2021
    Assignee: Capital One Services, LLC
    Inventors: Eric Loucks, Lukiih Cuan, Joshua Edwards
  • Patent number: 11039311
    Abstract: A profile downloading method and apparatus is provided for a terminal to download and install a profile in a communication system. The communication method of the terminal includes transmitting a first message including information on a profile to be received from a profile provision server; receiving a second message including information indicating whether an encryption code input is required and a first modified encryption code; generating, when the first modified encryption code is successfully authenticated, a second modified encryption code; transmitting to the profile provision server a third message including information requesting to the profile provision server for the second modified encryption code and profile download, and receiving a fourth message including information on the profile from the profile provision server.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: June 15, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jonghan Park, Duckey Lee, Hyewon Lee, Sangsoo Lee
  • Patent number: 11038912
    Abstract: A method for a communication network in a motor vehicle, wherein data are transmitted in at least one communication path for communication in the communication network. Also disclosed is an electronic monitoring unit.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: June 15, 2021
    Inventor: Helge Zinner
  • Patent number: 11030981
    Abstract: A directional display apparatus including a directional display device that is capable of directing a displayed image into a viewing window of variable width is provided with a privacy control function. A control system detects the presence of one or more secondary viewers in addition to a primary viewer, and decides whether the one or more secondary viewers is permitted to view the displayed image. The control system directs a displayed image into a viewing window which is adjusted, for example by decreasing the width, in dependence on that detection. In addition, the control system detects relative movement between the primary viewer and the display device, and the width of the viewing window is increased in response to detection of said relative movement.
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: June 8, 2021
    Assignee: RealD Spark, LLC
    Inventors: Eric Sommerlade, Graham J. Woodgate, Helen Flynn
  • Patent number: 11032261
    Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: June 8, 2021
    Assignee: RSA Security LLC
    Inventors: Salah E. Machani, Kevin Bowers
  • Patent number: 11023895
    Abstract: Techniques for reviewing transaction information are provided. A reviewer computer can review transactions that are marked for review by a resource provider. The reviewer computer can review the transaction based on user information obtained from third party servers. The reviewer computer can also review the transaction based on historical transaction information obtained from a history database. The reviewer computer can aggregate the user information and the historical transaction information in order to generate a consolidated view.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: June 1, 2021
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Rama Krishna Baruvoori, Pranali Brahmankar
  • Patent number: 11023906
    Abstract: Providing an end-to-end citizen engagement, in one aspect, may comprise obtaining data of multiple disintegrated sources from one or more of communication and social computing channels via one or more adapters. Data refactoring and management, integration and process orchestration of the data according to a data model as data attributes of the data model may be provided. One or more analytics may be performed based on the data attributes stored according to the data model and input specified to the one or more analytics. One or more results computed by performing the one or more analytics may be provided. One or more application logics supporting one or more front-end applications may be produced. One or more front-end applications for automated sensing of user activities and sensor-based individual assistant capability may be provided.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: June 1, 2021
    Assignee: International Business Machines Corporation
    Inventors: Tian-Jy Chao, Younghun Kim, Stephen E. Levy, Ming Li, Milind R. Naphade, Sambit Sahu
  • Patent number: 11017064
    Abstract: A device that includes a network interface configured to communicate with a remote database and a memory operable to store a set of applications. The device further includes an authentication engine implemented by a processor. The authentication engine is configured to receive log-in credentials for a user on a first application, to send a user information request to the remote database, and to receive user information in response to sending the request. The authentication engine is further configured to send a user profile information request to a second application and to receive user profile information in response to sending the request. The authentication engine is further configured to identify corresponding information between the user information and the user profile information, to determine that at least a portion of the corresponding information between the user information and the user profile information matches, and to authenticate the user in response to determination.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: May 25, 2021
    Assignee: Bank of America Corporation
    Inventors: Nagasubramanya Lakshminarayana, Udaya Kumar Raju Ratnakaram
  • Patent number: 11017118
    Abstract: While managing private data in cognitive surveys, a method, system, and computer program product may deploy a set of gather agents. Access credentials for a plurality of participants may be obtained from an encrypted data store and verified. The set of gather agents may gather a set of target data associated with the plurality of participants, and the set of target data may be collected according to a set of policy criteria. It may be determined whether one or more participants of the plurality of participants has requested to review a subset of the target data, and those participants may be prompted to review the subset of target data. It may be determined whether the one or more participants rejected the subset of target data. The subset of target data may be filtered, and the filtered subset of target data may be posted to a results database.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: May 25, 2021
    Assignee: International Business Machines Corporation
    Inventors: John D. Curtis, Sheela Shetty, Charlotte C. Dye, Derek V. Duoba, Anup M. Patil, Walter L. Tucker
  • Patent number: 11012468
    Abstract: In response to detected attempts to gain unauthorized access to user accounts of an online system, a security module of an online system applies an attack response policy to take actions in response to the attempts. Possible responses of the policy include reordering credential types requested by the online system during multi-factor authentication-enabled login, switching to a mode in which login requests are accepted but login is not permitted for the requesting user, and logging information about the login requests. Logged information may be applied to enhance the ability to prevent future unauthorized accesses, such as adding credential values to a list of common credential values and prohibiting users from associating those values with their accounts, or training a model based on the logged information to predict a probability that a given login request is unauthorized.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: May 18, 2021
    Assignee: Okta, Inc.
    Inventors: Jason Erickson, Unmesh Vartak, Amogh Vasekar, Gabriel Werman
  • Patent number: 11012527
    Abstract: Multiple profiles are received in association with a first user account in an asynchronous messaging system. One or more of the profiles are associated with other user accounts. The associated profiles are transmitted to user clients associated with the other user accounts for storage as a local copy. The association may include inclusion in a contact list of the first user, or a contact list of the other users. The associated profiles are transmitted when messages are sent from the first account to the other user clients, or the profiles are created or updated. A public profile may include a version identifier which is updated when the public profile is updated. Updates to local copies of the public profile at other user clients may occur only when a local copy of the associated version identifier indicates that the local profile is outdated, thereby reducing network traffic.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: May 18, 2021
    Assignee: NANDBOX INC.
    Inventors: Hazem Abdel-Maguid, Abdelrahman Amer
  • Patent number: 11012401
    Abstract: There are provided systems and methods for vehicle identification and device communication through directional wireless signaling. A user's device may include a directional wireless transceiver that may be used to provide wireless signaling in a specific target direction. The user may direct the device at a particular vehicle, where the vehicle may have a transceiver located within or attached to the vehicle that responds to the particular wireless signaling. The vehicle's transceiver may respond to the device of the user with a unique identifier that allows for communication with the vehicle's operator. The unique identifier may therefore allow for message content to be sent directly to a device for the vehicle's operator, or may allow for a service provider to process the message. Additionally, the vehicle's operator may establish privacy settings for communications, which may be utilized to determine whether the message content will be provided to the device.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: May 18, 2021
    Assignee: PAYPAL, INC.
    Inventor: Jigar Rajnikant Gosalia
  • Patent number: 11012311
    Abstract: A method for operating an SDN-based mobile communication system, which includes a mobile network having a control plane and a data plane, with a network controller being implemented therebetween, includes: providing a control plane function that possesses information from an access network about location and/or proximity of devices and information about rules and/or policies for setting up sessions for the devices; and the network controller, by collaborative operations with the control plane function, selecting one or multiple data plane nodes that are, based on a particular device's request for session establishment, suitable to act as policy enforcement points for enforcing rules in the data plane that are for enabling connectivity for the particular device.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: May 18, 2021
    Assignee: NEC LABORATORIES EUROPE GMBH
    Inventors: Fabio Giust, Marco Liebsch
  • Patent number: 11010741
    Abstract: A system and method comprising a server that automatically configures and sets up a restaurant's or business' information technology (IT) infrastructure, more specifically relating to point-of-sale devices (POS) and other networked devices such as scanners, tracking displays, and any other device that any business may use. Communication between the networked devices and the server is facilitated by a preconfigured router, wherein after initial communication with the server, the server may update firmware, operating parameters, and software packages of the preconfigured router and other networked devices.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: May 18, 2021
    Assignee: ROCKSPOON, INC.
    Inventor: Nagib Georges Mimassi
  • Patent number: 11012450
    Abstract: A device and method to accurately detect list-based attacks without reducing the convenience for authorized users. An acquirer acquires information on accounts used for log-in trials to a plurality of websites. An analyzer calculates the degree of use of each account used in common for log-in trials to different websites in a predetermined period of time out of the accounts acquired by the acquirer and determines the log-in trials using the account to be attacks when the degree of use exceeds a predetermined threshold. A detector detects, as an attack, a log-in trial to the website using the same account as the account used for the log-in trials determined to be attacks by the analyzer.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: May 18, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yang Zhong, Masaki Tanikawa
  • Patent number: 11003760
    Abstract: Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: May 11, 2021
    Assignee: RSA Security LLC
    Inventor: Salah E. Machani
  • Patent number: 11003747
    Abstract: A system for “horizontal” salting of database tables, text files, and data feeds utilizes a key field and character position within that field (the “Key Character”) and a Salting Field, which contains content that can legitimately be in one of at least two states without impacting the usefulness of the data. A unique identifier, which is assigned to the recipient of the data, is hidden within the data by using the variations of the states in the Salting Field to represent a binary 0 or 1, with the value of the Key Character identifying the bit position of the binary 0 or 1 within the unique identifier. This type of salting is invisible to the recipient of the data file, does not alter the accuracy of the data, and can be made unique for a particular party receiving data files or unique for each data file.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: May 11, 2021
    Assignee: LiveRamp, Inc.
    Inventors: Arthur Coleman, Tsz Ling Christina Leung, Michael Anderson, Matt LeBaron, Martin Rose
  • Patent number: 10992473
    Abstract: Methods and systems for implementing single sign on (SSO) and/or conditional access for client applications are described herein. The system may comprise an identity provider gateway, and the system may authenticate a user of the client application using the identity provider gateway. In some aspects, a secure communication tunnel may be established between the client application and the identity provider gateway, and the secure communication tunnel may use, for example, a client certificate. The identity provider gateway may grant or deny the client application access to one or more resources based on information associated with the client certificate.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: April 27, 2021
    Assignee: Citrix Systems, Inc.
    Inventor: Janardhanan Jawahar
  • Patent number: 10990428
    Abstract: A method of verifying the integrity of a virtual machine in a cloud computing deployment comprises: creating a virtual machine image derived from a trusted virtual machine, wherein the trusted virtual machine has a Keyless Signature Infrastructure signature stored in a signature store; and verifying that a computation resource can be trusted. If it is verified that a computation resource can be trusted, the method further comprises: submitting the virtual machine image to the trusted computation resource; checking a signature of the virtual machine image against the stored signature of the trusted virtual machine; launching the virtual machine image on the trusted computation resource, and creating a Keyless Signature Infrastructure signature of the virtual machine image; and storing the signature of the virtual machine image in a signature store.
    Type: Grant
    Filed: July 3, 2015
    Date of Patent: April 27, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Harri Hakala, Ari Pietikäinen, Ben Smeets
  • Patent number: 10986098
    Abstract: The current document is directed to reverse federated identity-management systems and to reverse-federated-identity-management methods employed by the reverse federated identity-management systems. The currently disclosed reverse-federated-identity-management systems automatically provision local proxy identities in distributed computer systems from which distributed resource-distribution systems allocate resources on behalf of users and clients of the distributed resource-distribution systems. In addition, the currently disclosed reverse-federated-identity-management systems automatically record associations of local proxy identities with users and clients of the distributed resource-distribution systems so that the users can be subsequently identified to auditing and monitoring organizations should the need for detailed auditing and monitoring subsequently arise.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: April 20, 2021
    Assignee: VMware, Inc.
    Inventors: Daniel James Beveridge, Anil Sharma
  • Patent number: 10979299
    Abstract: Technology is described for registering Internet of Things (IoT) devices. A hub device may receive a request for hub registration from an IoT device. The request for hub registration may include IoT device information. The hub device may validate the request for hub registration at the hub device based on the IoT device information. The hub device may retrieve registration information from an IoT service. The registration information may include a dedicated security certificate for the IoT device. The hub device may forward the registration information to the IoT device to enable the IoT device to communicate IoT device data to the IoT service.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: April 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventor: Allan Askar
  • Patent number: 10979496
    Abstract: A system includes a plurality of servers, a control plane to determine a first partition of a plurality of devices and to determine a subset of the plurality of servers to assign as candidate servers for the first partition, and a common data store comprising a first stream and a second stream. The control plane is to store, in the first stream, a first message indicating the first partition, the candidate servers, the second stream, and a first message tag, the candidate servers elect a primary server of the first partition from the candidate servers using the first stream, and the elected primary server inserts read and write updates associated with the plurality of devices of the first partition into the second stream.
    Type: Grant
    Filed: April 8, 2019
    Date of Patent: April 13, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vaibhav Sharma, Kapil Agarwal
  • Patent number: 10972459
    Abstract: Embodiments of the present disclosure are directed to, among other things, improving data security with respect to data collection, verification, and authentication techniques associated with obtaining and transmitting identity information. For example, an identity credential may be secured using biometric information associated with a user, the biometric information being obtained using a first biometric input method of a plurality of biometric input methods. When the user is later authenticated, the authentication may be based at least in part on determining that the user has selected a biometric input method that matches the biometric input method used to secure the credential as well as providing biometric information that matches the biometric information used to secure the identity credential.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: April 6, 2021
    Assignee: Apple Inc.
    Inventors: Achim Pantfoerder, Daniel R. Borges, Irene M. Graff, Johan O. Bergerengen, Subash Marri Sridhar, Thomas Elliott
  • Patent number: 10970417
    Abstract: A system for determining a calculation utilizing differential privacy including an interface and a processor. The interface is configured to receive a request to determine a result of a calculation using multitenanted data. The processor is configured to determine result data by performing the calculation on the multitenanted data; determine a deterministic modification in the event that the deterministic modification is needed to ensure privacy; modify the result data using the deterministic modification to determine modified result data; and provide the modified result data.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: April 6, 2021
    Assignee: Workday, Inc.
    Inventors: Denis Gulsen, Ankit Aggarwal
  • Patent number: 10972278
    Abstract: The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request from the communication port. The attestation request may include a nonce generated at the communication partner. The ASIC may further generate a verification value and send the verification value to the communication port to be transmitted back to the communication partner. The verification value may be a computation result of a predefined function taking the nonce as an initial value. In another aspect, the communication partner is configured to attest the computing device using speed of computation attestation.
    Type: Grant
    Filed: January 4, 2019
    Date of Patent: April 6, 2021
    Assignee: OLogN Technologies AG
    Inventor: Sergey Ignatchenko