Patent classifications
H04L2463/121
Protection configuration for application programming interfaces
A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API is distributed to clients and includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request when challenged by the proxy. For example, the proxy may challenge a client to present a token in response to receiving an API request lacking a token or when a token is expired. The proxy verifies the token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing.
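The challenge, token minting and verification steps described above, as an added example that is not the patent's own design: the SDK inside the authorized client mints an HMAC token over a proxy-issued nonce, and the proxy challenges when a token is missing, expired or does not verify, forwarding only verified requests to the host. The token format, the shared `SDK_SECRET`, the 300 s lifetime and the 30 s future-skew allowance are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed secret baked into the authorized client application's SDK; the
# proxy holds the same secret. Assumed for illustration, not from the patent.
SDK_SECRET = b"constructed-sdk-secret-for-illustration"
TOKEN_TTL = 300  # seconds a minted token remains valid (assumed value)


class Sdk:
    """Client-side SDK: answers a proxy challenge by minting a token."""

    def __init__(self, client_id, secret=SDK_SECRET):
        self.client_id, self.secret = client_id, secret

    def mint_token(self, nonce, now):
        # token = client_id.issued_at.nonce.HMAC-SHA256(secret, client_id|issued_at|nonce)
        msg = f"{self.client_id}|{now}|{nonce}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return f"{self.client_id}.{now}.{nonce}.{mac}"


def host(path):
    """Stand-in for the host's API handler; only reachable through the proxy."""
    return {"status": 200, "body": f"served {path}"}


class Proxy:
    """Sits between clients and the host: challenges, verifies, forwards."""

    def __init__(self, upstream=host, secret=SDK_SECRET, ttl=TOKEN_TTL):
        self.upstream, self.secret, self.ttl = upstream, secret, ttl
        self.challenges = {}  # client_id -> nonce from the most recent challenge

    def _challenge(self, client_id, reason):
        nonce = secrets.token_hex(16)
        self.challenges[client_id] = nonce
        return {"status": 401, "challenge": nonce, "reason": reason}

    def handle(self, request, now):
        client_id, token = request["client_id"], request.get("token")
        if token is None:
            return self._challenge(client_id, "missing token")
        ok, reason = self._verify(token, client_id, now)
        if not ok:
            return self._challenge(client_id, reason)
        # Authenticated: pass the API request on to the host for servicing.
        return self.upstream(request["path"])

    def _verify(self, token, client_id, now):
        parts = token.split(".")
        if len(parts) != 4 or parts[0] != client_id or not parts[1].isdigit():
            return False, "malformed"
        cid, issued, nonce, mac = parts[0], int(parts[1]), parts[2], parts[3]
        if issued > now + 30:
            return False, "issued in the future"
        if now - issued > self.ttl:
            return False, "expired"
        # The nonce must be the one this proxy issued to this client, so a token
        # captured from another client (or minted without a challenge) fails.
        if self.challenges.get(client_id) != nonce:
            return False, "nonce does not match an outstanding challenge"
        expected = hmac.new(self.secret, f"{cid}|{issued}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        return True, "ok"
```

A client that is not the authorized application has no SDK secret, so even after receiving a challenge it cannot mint a token the proxy accepts; an expired token simply triggers a fresh challenge rather than a hard failure.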
Network data timeline
A system and a method are disclosed for tracking malicious activity detected on a network. For example, based on network data collected from a server, the disclosed system may detect malicious activity originating from a client device and directed to the server. To detect the malicious activity, network data may be captured by the server and analyzed. When malicious activity is detected, the system may use the network data to trace the malicious activity back to the earliest connection date of the client device from which the malicious activity potentially originated. That earliest connection date may indicate a potential start date of the malicious activity.
Authenticating time sources using attestation-based methods
Systems, methods, and computer-readable media for authenticating time sources using attestation-based techniques include receiving, at a destination device, a time reference signal from a source device, the source and destination devices being network devices. The time reference signal can include a time synchronization signal or a time distribution signal. The destination device can obtain attestation information from one or more fields of the time reference signal and determine whether the source device is authentic and trustworthy based on the attestation information. The destination device can also determine reliability or freshness of the time reference signal based on the attestation information. The time reference signal can be based on the Network Time Protocol (NTP), the Precision Time Protocol (PTP), or another protocol. The attestation information can include a Proof of Integrity based on a Canary stamp, a hardware fingerprint, a Secure Unique Device Identification (SUDI) of the source device, or an attestation key.
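The destination-side checks described above (authenticity of the source, freshness of the reference, replay detection via a Canary-style counter), as an added example rather than the patent's or any vendor's implementation. The message layout is constructed: an HMAC over the signal's fields stands in for a signature under the source's attestation key, `source_id` plays the role of a SUDI, and the `canary` field is treated as a strictly increasing counter so that a replayed or pre-reset message is rejected. The trust store, the round-trip bound and the field names are all assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


def _attest(key, fields):
    """HMAC over the canonical encoding of the time-reference fields.
    Assumed stand-in for a signature with the source's attestation key."""
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def build_time_reference(source_id, key, nonce, canary, origin_ts):
    """Source device side: a time reference signal carrying attestation fields."""
    fields = {"source_id": source_id, "nonce": nonce, "canary": canary,
              "origin_ts": origin_ts}
    return {**fields, "attestation": _attest(key, fields)}


class TimeSourceVerifier:
    """Destination device side: decides whether to trust a time reference."""

    def __init__(self, trust_store, max_rtt=0.5):
        # trust_store: source_id -> attestation key (provisioned out of band;
        # constructed for the example). last_canary tracks replay/reset state.
        self.trust = {sid: {"key": k, "last_canary": -1} for sid, k in trust_store.items()}
        self.outstanding = {}  # nonce -> local monotonic time the request was sent
        self.max_rtt = max_rtt

    def new_nonce(self, monotonic_now):
        nonce = secrets.token_hex(8)
        self.outstanding[nonce] = monotonic_now
        return nonce

    def verify(self, msg, monotonic_now):
        """Returns (accepted, reason, origin_ts_or_None)."""
        entry = self.trust.get(msg.get("source_id"))
        if entry is None:
            return False, "unknown source", None
        fields = {k: v for k, v in msg.items() if k != "attestation"}
        if not hmac.compare_digest(_attest(entry["key"], fields), msg.get("attestation", "")):
            return False, "bad attestation", None          # not authentic
        sent_at = self.outstanding.get(msg["nonce"])
        if sent_at is None:
            return False, "stale or unsolicited", None      # not fresh
        if monotonic_now - sent_at > self.max_rtt:
            self.outstanding.pop(msg["nonce"])
            return False, "unreliable: round trip too long", None
        if msg["canary"] <= entry["last_canary"]:
            return False, "replayed or reset", None         # canary went backwards
        entry["last_canary"] = msg["canary"]
        self.outstanding.pop(msg["nonce"])
        return True, "ok", msg["origin_ts"]
```

The nonce is consumed on the first successful or too-slow verification, so the same signal cannot be presented twice; the canary check additionally rejects a message minted before the source's last observed counter value even if an attacker obtains a fresh nonce.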
AUTHENTICATED NETWORK TIME FOR MOBILE DEVICE SMART CARDS
A mobile device sends a network attach request to a network node, and receives an authentication challenge from the network node, where the authentication challenge includes an authentication token, a random number, and a time variable associated with a current time at the network node. A microprocessor smart card of the mobile device retrieves the time variable from the authentication challenge, and starts a clock counter based on the retrieved time variable. The microprocessor smart card uses a current time represented by the clock counter to perform time expiration validation tests on certificates during Public Key Infrastructure (PKI) authentication or on authentication tokens during token-based authentication.
Automatically executing responsive actions based on a verification of an account lineage chain
Aspects of the disclosure relate to account lineage tracking and automatically executing responsive actions upon detecting an account lineage. A computing platform may receive a first account-change message from a source-level interceptor. The first account-change message may include information identifying a source account associated with a first computing device and identifying a first target account. The first target account may be associated with a target application configured to access a target database. The computing platform may receive a second account-change message from a database-level interceptor. The second account-change message may include information identifying the first target account as a database-level source account and identifying a second target account associated with one or more target databases. After receiving the first and second account-change messages, the computing platform may generate a notification comprising information associated with an account lineage between the source account and the second target account.
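Joining the two interceptor messages into a lineage chain and raising the notification, as an added example that is not the patent's own implementation. The message fields, the `level` tag distinguishing the source-level and database-level interceptors, and the "revoke session" responsive action for chains that end in a privileged account are assumptions of the example; the patent abstract only says that a notification is generated and responsive actions are executed.

```python
class LineageTracker:
    """Links source-level and database-level account-change messages into a
    chain source -> first target -> second target and notifies once per chain."""

    def __init__(self, privileged_accounts=()):
        self.hops = {}            # source account -> (target account, message)
        self.notified = set()
        self.privileged = set(privileged_accounts)

    def chain_for(self, origin):
        """Walk target links from an origin account; returns (accounts, messages)."""
        chain, meta, cur, seen = [origin], [], origin, {origin}
        while cur in self.hops:
            target, msg = self.hops[cur]
            if target in seen:    # guard against a cyclic switch-user pattern
                break
            chain.append(target)
            meta.append(msg)
            seen.add(target)
            cur = target
        return chain, meta

    def ingest(self, msg):
        """Record one account-change message; return any new notifications."""
        self.hops[msg["source_account"]] = (msg["target_account"], msg)
        notifications = []
        for origin, (_, first) in list(self.hops.items()):
            if first["level"] != "source":
                continue            # lineages start at a source-level message
            chain, meta = self.chain_for(origin)
            if meta[-1]["level"] != "database":
                continue            # chain has not yet reached a database hop
            key = tuple(chain)
            if key in self.notified:
                continue
            self.notified.add(key)
            note = {"lineage": chain,
                    "device": meta[0]["device"],
                    "databases": meta[-1]["databases"],
                    "actions": []}
            if chain[-1] in self.privileged:
                # Assumed responsive action for a privileged terminal account.
                note["actions"].append(f"revoke session of {chain[-1]} on {meta[0]['device']}")
            notifications.append(note)
        return notifications


# Constructed interceptor messages for a run of the tracker.
SOURCE_LEVEL_MSG = {"level": "source", "device": "laptop-7",
                    "source_account": "alice", "target_account": "svc_app",
                    "application": "payroll-ui"}
DATABASE_LEVEL_MSG = {"level": "database", "source_account": "svc_app",
                      "target_account": "db_admin", "databases": ["payroll"]}
```

The first message alone produces no notification because the chain has not reached a database; the second completes it, and re-ingesting the same message does not notify twice.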
Network-based permissioning system
Aspects of the present disclosure include a system comprising a computer-readable storage medium storing at least one program and a method for managing access permissions associated with data resources. Example embodiments involve evaluating user access permissions with respect to shared data resources of a group of network applications. The method includes receiving a request to access a data resource. The method further includes accessing a policy object linked to the data resource that includes an effective policy for the data resource. The method further includes evaluating a user's access permissions with respect to the data resource based on the policy object and communicating a response to the network application that includes the access permission of the user.
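An evaluator of the kind described above, added here as an illustration and not the disclosure's own code: resources are linked to a policy object whose effective policy is a list of rules, a request is evaluated against the caller's user and group principals, and the response returned to the network application carries the resulting permission set. The rule shape, deny-overrides semantics and fail-closed handling of unknown resources are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    principal: str          # "user:<id>", "group:<name>" or "*"
    actions: frozenset      # e.g. {"read", "write"}
    effect: str             # "allow" or "deny"


@dataclass
class PolicyObject:
    policy_id: str
    effective_policy: list  # list of Rule, already resolved for this resource


class PermissionService:
    """Shared permissioning service consulted by a group of network applications."""

    ACTIONS = ("read", "write", "share")

    def __init__(self):
        self.policies = {}          # policy_id -> PolicyObject
        self.resource_policy = {}   # resource_id -> policy_id

    def register(self, resource_id, policy):
        self.policies[policy.policy_id] = policy
        self.resource_policy[resource_id] = policy.policy_id

    @staticmethod
    def _principals(user, groups):
        return {f"user:{user}", "*"} | {f"group:{g}" for g in groups}

    def evaluate(self, user, groups, resource_id, action):
        """True only if some rule allows the action and no rule denies it.
        Unknown resources fail closed."""
        policy_id = self.resource_policy.get(resource_id)
        if policy_id is None:
            return False
        principals = self._principals(user, groups)
        allowed = denied = False
        for rule in self.policies[policy_id].effective_policy:
            if rule.principal in principals and action in rule.actions:
                if rule.effect == "deny":
                    denied = True
                elif rule.effect == "allow":
                    allowed = True
        return allowed and not denied

    def respond(self, user, groups, resource_id):
        """The response sent back to the requesting network application."""
        return {"resource": resource_id, "user": user,
                "permissions": sorted(a for a in self.ACTIONS
                                      if self.evaluate(user, groups, resource_id, a))}


# Constructed policy object for a shared dataset.
DATASET_POLICY = PolicyObject("pol-dataset-42", [
    Rule("group:analysts", frozenset({"read", "write"}), "allow"),
    Rule("user:mallory", frozenset({"write"}), "deny"),
])
```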
INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM
An attack detection apparatus (6) collects packets whose transmission source or transmission destination is a protection target apparatus (5), and generates packet information by setting an entry for each collected packet that describes the packet's attribute data together with its occurrence time. Further, the attack detection apparatus (6) stores definition information which defines an extraction time width and an extraction condition for each category of attack. When a security apparatus (4) detects a packet corresponding to any category (the detection packet), the attack detection apparatus (6) selects the extraction time width and extraction condition of that category as the selection extraction time width and selection extraction condition. It then specifies an extraction time range which starts from the occurrence time of the detection packet and whose width equals the selection extraction time width, extracts from the packet information every entry whose occurrence time falls within the extraction time range and whose attribute data coincides with the selection extraction condition, and determines the presence or absence of an attack on the protection target apparatus (5) based on the extraction result.
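The extraction-window procedure above run over constructed packet entries, as an added example and not the apparatus's own code. Two attack categories with their own time width and extraction condition are defined; a condition value of the form `$detection.<attr>` is resolved against the detection packet so the condition can mean "same source as the alert". The decision rule (attack present when the number of extracted entries reaches a per-category threshold) is an assumption, since the abstract only says the determination is based on the extraction result.

```python
from dataclasses import dataclass

PROTECTED = "10.0.0.10"   # constructed address of the protection target apparatus


@dataclass
class PacketEntry:
    time: float   # occurrence time of the packet
    attrs: dict   # attribute data (src, dst, dport, flags, ...)


# Definition information: per category, extraction time width (seconds),
# extraction condition, and an assumed threshold for the attack decision.
DEFINITIONS = {
    "syn_flood": {"width": 2.0,
                  "condition": {"dst": PROTECTED, "flags": "S", "src": "$detection.src"},
                  "threshold": 10},
    "ssh_brute": {"width": 60.0,
                  "condition": {"dst": PROTECTED, "dport": 22, "src": "$detection.src"},
                  "threshold": 5},
}


class AttackDetector:
    def __init__(self, definitions=DEFINITIONS):
        self.definitions = definitions
        self.packet_info = []

    def collect(self, time, **attrs):
        """Keep only packets to or from the protection target."""
        if attrs.get("src") == PROTECTED or attrs.get("dst") == PROTECTED:
            entry = PacketEntry(time, attrs)
            self.packet_info.append(entry)
            return entry
        return None

    @staticmethod
    def _resolve(condition, detection):
        out = {}
        for key, value in condition.items():
            if isinstance(value, str) and value.startswith("$detection."):
                out[key] = detection.attrs.get(value[len("$detection."):])
            else:
                out[key] = value
        return out

    def extract(self, category, detection):
        """Entries inside [detection time, detection time + width] matching the condition."""
        definition = self.definitions[category]
        cond = self._resolve(definition["condition"], detection)
        start, end = detection.time, detection.time + definition["width"]
        return [e for e in self.packet_info
                if start <= e.time <= end
                and all(e.attrs.get(k) == v for k, v in cond.items())]

    def judge(self, category, detection):
        """Presence or absence of an attack, plus the extracted entries."""
        hits = self.extract(category, detection)
        return len(hits) >= self.definitions[category]["threshold"], hits


def build_sample_detector():
    """Constructed traffic: a SYN burst from 10.0.0.5, a few SYNs from 10.0.0.6,
    and a slow trickle of SSH connections from 10.0.0.7."""
    d = AttackDetector()
    first_syn = d.collect(100.0, src="10.0.0.5", dst=PROTECTED, dport=80, flags="S")
    for i in range(1, 12):
        d.collect(100.0 + 0.1 * i, src="10.0.0.5", dst=PROTECTED, dport=80, flags="S")
    d.collect(100.5, src="10.0.0.5", dst=PROTECTED, dport=80, flags="A")   # wrong flags
    d.collect(103.0, src="10.0.0.5", dst=PROTECTED, dport=80, flags="S")   # outside window
    for t in (100.2, 100.4, 100.6):
        d.collect(t, src="10.0.0.6", dst=PROTECTED, dport=80, flags="S")   # other source
    first_ssh = d.collect(200.0, src="10.0.0.7", dst=PROTECTED, dport=22, flags="S")
    for t in (210.0, 220.0, 230.0):
        d.collect(t, src="10.0.0.7", dst=PROTECTED, dport=22, flags="S")
    d.collect(205.0, src="10.0.0.7", dst="10.0.0.99", dport=22, flags="S")  # not collected
    return d, first_syn, first_ssh
```

Because the window starts at the detection packet's own occurrence time, that packet is counted among the extracted entries; the `ssh_brute` case shows the window and condition matching but the count falling short of the threshold, so no attack is reported.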
Determine Approximate Current Time on a Client Using Secure Protocol Metadata
Establishing secure connections from a computing device to secure servers when the computing device starts with an incorrect system clock time that would ordinarily prohibit connection to the secure servers. A method includes attempting to access a plurality of secure servers. The method further includes, from each of the servers in the plurality of secure servers, receiving one or more certificates from the secure servers and metadata which includes a specification of time. The method further includes preventing secure applications from sending sensitive data to the plurality of secure servers until a system time has been approximated. The method further includes, from the secure specifications of time, approximating a current system time. The method further includes accessing another secure server using the approximated current system time and using the approximated current system time to validate a certificate from the other server.
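Both time-bootstrapping mechanisms in this list, the smart card that seeds a clock counter from the network-supplied time variable (AUTHENTICATED NETWORK TIME FOR MOBILE DEVICE SMART CARDS) and the client that approximates its clock from several servers' certificate metadata before trusting any of them (this entry), are shown below in one added example that is not the code of either patent. The certificate is reduced to its validity window; the "specification of time" received alongside each certificate is modelled as an integer hint, and the approximation rule (clamp to the intersection of all validity windows, then take the median of the hints that fall inside it, else the midpoint) is an assumption of the example.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the validity window."""
    subject: str
    not_before: int   # unix seconds
    not_after: int


def cert_valid_at(cert, now):
    """Time-expiration test applied during PKI authentication."""
    return cert.not_before <= now <= cert.not_after


class SeededClock:
    """Clock counter seeded from a network-supplied time variable (the smart
    card case): the card keeps the network time and the local monotonic tick
    at which it arrived, then counts forward from there."""

    def __init__(self, network_time, monotonic_at_seed):
        self.seed = network_time
        self.tick0 = monotonic_at_seed

    def now(self, monotonic_now):
        return self.seed + int(monotonic_now - self.tick0)


def approximate_time(observations):
    """observations: list of (Cert, time_hint) from a plurality of secure servers.
    Returns an approximate current time, or None if there is too little or
    inconsistent evidence (assumed rule, see lead-in)."""
    if len(observations) < 2:
        return None
    lower = max(c.not_before for c, _ in observations)   # every cert already valid
    upper = min(c.not_after for c, _ in observations)    # no cert expired yet
    if lower > upper:
        return None   # windows do not intersect: a server is lying or misconfigured
    hints = [h for _, h in observations if lower <= h <= upper]
    if hints:
        return int(statistics.median(hints))
    return (lower + upper) // 2


class SecureClient:
    """Device starting with a wrong system clock; sensitive traffic is held back
    until a time has been approximated."""

    def __init__(self, system_time):
        self.system_time = system_time
        self.approximated = None
        self.observations = []

    def observe(self, cert, time_hint):
        self.observations.append((cert, time_hint))

    def can_send_sensitive(self):
        return self.approximated is not None

    def learn_time(self):
        self.approximated = approximate_time(self.observations)
        return self.approximated

    def connect(self, cert):
        """Validate another server's certificate with the best time available."""
        now = self.approximated if self.approximated is not None else self.system_time
        return cert_valid_at(cert, now)


# Constructed certificates and time hints from three servers.
CERT_A = Cert("a.example", 1_700_000_000, 1_710_000_000)
CERT_B = Cert("b.example", 1_702_000_000, 1_712_000_000)
CERT_C = Cert("c.example", 1_701_000_000, 1_709_000_000)
HINTS = {CERT_A: 1_705_000_000, CERT_B: 1_705_000_100, CERT_C: 1_704_999_900}
```

With the device clock reset to 2000-01-01 every certificate looks not-yet-valid; after approximation the same certificate validates. A single lying server cannot push the estimate outside the intersection of the validity windows, and an outlier hint outside that intersection is simply ignored.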
Mathematical Summaries of Telecommunications Data for Data Analytics
Telecommunications data may be summarized into mathematical statistics that do not necessarily correlate with conventional semantic attributes. Such statistics are difficult to observe without access to the underlying telecommunications data, and are therefore much less susceptible to social engineering attacks or other privacy-related vulnerabilities. The mathematical statistics may represent first-, second-, or higher-order behavior-related observations relating to subscribers' physical movements, their engagement with applications and web browsing on a mobile device, and the usage and billing of a mobile device. Because the statistics need not correlate with semantic identifiers for subscribers, it is difficult to observe them and thereby identify the specific subscribers whose statistical summaries are known.
Preventing spoofing attacks for bone conduction applications
Concepts and technologies are disclosed herein for preventing spoofing attacks for bone conduction applications. According to one aspect, a device can receive an authentication signal that has propagated through a body. The device can prevent an adversary from using the authentication signal to spoof a user to be authenticated by the device. The device can also authenticate the user.