Patents Examined by Arezoo Sherkat
  • Patent number: 11122080
    Abstract: A computer implemented method and system for identifying a preferred set of hierarchically structured items in streaming data, applied to analyzing Netflow data to identify those network destinations that are currently the target of a DDoS attack and to automatically select a set of network prefixes such that diversion routes for the prefixes are sent to the routers to divert attack traffic to TMS devices. The method includes searching sets of Hierarchical Heavy Hitters, wherein each set corresponds to a different fraction of a total volume of network traffic, and scoring each set according to an arbitrary scoring function. A certain set is selected and scored with a ‘good’ score, and the members of the ‘good’ scored set are ranked in accordance with an arbitrary ranking function. A subset of the ‘good’ scored set is selected such that the volume associated with the subset is in close proximity to a user-specified total, whereby the selected subset becomes the set of recommended prefixes.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: September 14, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Andrew Lee Adams, Cameron Hanover, Dagan Harrington, Jiasi Li, Joachim Wright
  • Patent number: 11120112
    Abstract: A three-factor authentication system for restricting and securing user access to a system. The authentication system includes a vein-image-capturing device for capturing and processing wrist-vein images. The unique biometric data is one factor of the three-factor authentication system, along with unique device identification data and a user PIN; all three are used to validate a user and provide secure access. This system can be used to restrict and provide secure access to information systems, physical spaces, personal computer devices, and any other device or system requiring controlled user access.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: September 14, 2021
    Assignee: The United States of America as represented by the Secretary of the Navy
    Inventor: Liping Chen
  • Patent number: 11120140
    Abstract: Secure operations are performed on encrypted code. A processor in a first operating mode obtains encrypted code. The processor switches from the first operating mode to a second operating mode, and decrypts the encrypted code to obtain decrypted code. The decrypted code is executed, based on the processor being in the second operating mode, to provide a result. The result is encrypted, and the encrypted result is sent to a user, based on the processor switching back to the first operating mode.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: September 14, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Oliver Benke, Tobias U. Bergmann
  • Patent number: 11102220
    Abstract: A method and system for runtime detection of botnets in containerized environments. The method includes creating a domain name system (DNS) policy for a software container, wherein the DNS policy defines at least a plurality of allowed domain names for the software container, wherein the DNS policy is created based on historical DNS queries by the software container; detecting a botnet based on traffic to and from the software container, wherein the botnet is detected when at least a portion of the traffic does not comply with the DNS policy, wherein the botnet is implemented via communication with a bot executed in the software container; and blocking at least one DNS query in the at least a portion of traffic, wherein each blocked DNS query is to a domain having a domain name that does not match any of the plurality of allowed domain names for the software container.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: August 24, 2021
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Dima Stopel, John Morello
  • Patent number: 11089058
    Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine whether the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11070588
    Abstract: Mechanisms are provided to implement a malicious activity response system (MARS) that automatically identifies and handles malicious activities within the data processing system. The MARS identifies threat intelligence associated with characteristics of malicious activity. The MARS forms a hypothesis for the malicious attack to identify a malicious attack that is occurring. The MARS identifies a trap for use in isolating the malicious activity; deploys the trap and automatically reconfigures a network associated with the data processing system such that the malicious activity is routed to the trap, thereby isolating the malicious activity; observes a behavior of the malicious activity within the trap; and extracts features associated with the malicious activity in the trap. The MARS then utilizes the extracted features to improve the operation of the malicious activity response system in handling future malicious activity.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: July 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Markus Ludwig, Johannes Noll, Marc Noske, Matthias Seul, Volker Vogeley
  • Patent number: 11070594
    Abstract: Embodiments are directed to managing communication. Credentials of a user may be provided to an authorization service such that the authorization service authenticates the user as a member of authorization groups and such that the user may be associated with a gateway on an overlay network. The authorization groups may be compared with user groups to associate the user with one or more user group. The gateway may be associated with one or more resource group based on the user groups. Policy information may be generated for the gateway based on each resource group. The policy information may be provided to the gateway to define policies associated with resources in the overlay network. The policy information may be enforced against source nodes providing overlay traffic directed to target nodes in the overlay network.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: July 20, 2021
    Assignee: Tempered Networks, Inc.
    Inventors: Nicholas Anthony Marrone, Bryan David Skene
  • Patent number: 11063959
    Abstract: In secure and seamless remote access to enterprise applications with zero user intervention, a first set of policies is generated at a controller based on a user role. A user device associated with the user role is in an enterprise network. The first set of policies is pushed to the security agent in the user device associated with a user, an enterprise server, and a secure remote access gateway from the controller. Upon determining that the user device moves to a remote network, a secure connection is initiated by the security agent from the user device to the secure remote access gateway. Upon determining by the controller that the user is authenticated for the secure connection, a second set of policies is generated by the controller for the user device, the enterprise server and the secure remote access gateway. The second set of policies is pushed to the devices.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: July 13, 2021
    Assignee: COLORTOKENS, INC.
    Inventors: Arun Koshal, Vishal Sharma, Raghavendra Thantradi Nagappa, Sagar Singha
  • Patent number: 11048804
    Abstract: Systems and methods, disclosed herein, of a campaign controller that stores information to a database about execution of multiple simulated phishing campaigns for multiple users, where each of the simulated phishing campaigns use one or more models for communicating simulated phishing communications. Based on this information, the campaign controller may determine a rate of success of the model, in causing a user to interact with a link in one of the simulated phishing campaigns, and may display the model's rate of success via a user interface.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: June 29, 2021
    Assignee: KnowBe4, Inc.
    Inventors: Stu Sjouwerman, Eric Sites
  • Patent number: 11050761
    Abstract: A client system comprises processing circuitry configured to receive, from an authorisation system, a first grant token for identifying the client system at the authorisation system, the first grant token having a corresponding time to expire indicative of a time at which the first grant token will not be valid for obtaining a protected resource from a resource system. The client system transmits, to the authorisation system, a refresh request for a second grant token for identifying the client system at the authorisation system, wherein the refresh request is transmitted based on the expiry time of the first grant token; and receives the second grant token at the client system, in response to the refresh request.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: June 29, 2021
    Assignee: Barclays Execution Services Limited
    Inventors: Dickon Holt, Michael Forrest
  • Patent number: 11044260
    Abstract: An anomaly-based intrusion detection system is presented for use in vehicle networks. The intrusion detection system measures and exploits the intervals of periodic in-vehicle messages for fingerprinting electronic control units. Fingerprints are then used for constructing a baseline of clock behaviors, for example with a Recursive Least Squares algorithm. Based on the baseline, the intrusion detection system uses cumulative sum to detect any abnormal shifts in the identification errors—a clear sign of an intrusion. This approach allows quick identification of in-vehicle network intrusions with low false positive rates.
    Type: Grant
    Filed: March 29, 2017
    Date of Patent: June 22, 2021
    Assignee: THE REGENTS OF THE UNIVERSITY OF MICHIGAN
    Inventors: Kang G. Shin, Kyong-Tak Cho
  • Patent number: 11025612
    Abstract: Mechanisms are provided, in a communication device associated with a first computing device, for capturing security data exchanged between the first computing device and a second computing device. The mechanisms receive a data message from either the first computing device or the second computing device. The data message is part of an operation for establishing a secure communication connection between the first computing device and the second computing device. The mechanisms filter the received data message for security data passed in the received data message and mirror the security data to an analysis port of the communication device. Moreover, the mechanisms output, via the analysis port, the security data to a data collection and analysis system that analyzes the security data with regard to security requirement compliance.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: June 1, 2021
    Inventors: Thomas H. Benjamin, Steven E. T. Hikida, John T. Peck, Bruce A. Rich, Richard L. Robinson
  • Patent number: 11025645
    Abstract: A data integrity protection method and apparatus in a network environment are described. A terminal device obtains an integrity protection algorithm and a key corresponding to a session or a flow, and a DRB corresponding to the session. The terminal device performs, by using the integrity protection algorithm and the key corresponding to the session, integrity protection on data of the DRB corresponding to the session or the flow, where one session includes a plurality of flows. Different integrity protection algorithms and keys can be used for different sessions, and different integrity protection algorithms and keys can also be used for different flows. In this way, integrity protection is more flexible and meets security requirements of a same user for different services.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: June 1, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Chong Lou, Qufang Huang, Xing Liu
  • Patent number: 11019050
    Abstract: An authentication method, includes: receiving an authentication request from a user, the authentication request including an identity identifier of the user; acquiring authentication data associated with the identity identifier from a blockchain network, a blockchain node of the blockchain network storing a mapping relationship between identity identifiers and authentication data; and performing identity authentication for the user according to the authentication data.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: May 25, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Kejia Li
  • Patent number: 11012434
    Abstract: A method for automated authentication of a user VoIP phone supported by a Private Branch eXchange (PBX) configuration server is provided. A VoIP phone or a VoIP supported device is configured for automated authentication by a vendor. The authentication method does not require manual entry of authentication data by a user. The unique VoIP phone authentication data can be provided by the vendor in the form of a MAC address. Additionally, the vendor can assign a digital certificate (containing public and private encryption keys) signed by the vendor to the VoIP phone. In this case, the VoIP phone vendor serves as a trusted authority. Thus, the VoIP phone automatically connects with the configuration server and the authentication transformation server (ATS), and the address to which the VoIP phone sends the authentication data upon connection to the network is determined by the ATS.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: May 18, 2021
    Assignee: INGRAM MICRO INC.
    Inventor: Alexey Korotaev
  • Patent number: 10983923
    Abstract: Presented herein are methods and systems for adjusting code files to apply memory protection for dynamic memory regions supporting run-time dynamic allocation of memory blocks. The code file(s), comprising a plurality of routines, are created for execution by one or more processors using the dynamic memory. Adjusting the code file(s) comprises analyzing the code file(s) to identify exploitation-vulnerable routine(s) and adding a memory integrity code segment configured to detect, upon execution completion of each vulnerable routine, a write operation that extends beyond the memory space of one or more of a subset of the most recently allocated blocks in the dynamic memory into the memory space of an adjacent block, using marker(s) inserted in the dynamic memory at the boundary(s) of each of the subset's blocks. At runtime, in case such a write operation is detected, the memory integrity code segment causes the processor(s) to initiate one or more predefined actions.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: April 20, 2021
    Assignee: Sternum Ltd.
    Inventors: Natali Tshouva, Lian Granot
  • Patent number: 10979391
    Abstract: A cyber threat attenuation system. The system comprises a cyber threat data store, a plurality of sensor control points (SCPs), wherein at least one SCP is located in each local area network (LAN) segment of an enterprise network, and an analytics correlation system (ACS). Each SCP comprises a plurality of sensor applications that analyze data packets transported by the LAN segment in which the SCP is located and transmits a notification identifying the transmitting sensor, an identity of the source of the data packet, an identity of the destination of the data packet, and a notification reason to the data store. The ACS comprises an application that determines unusual data packet traffic in the enterprise network and transmits a notification comprising information about the unusual data packet traffic and an identity of a host computer associated with the unusual data packet traffic to the data store.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: April 13, 2021
    Assignee: Cyber adAPT, Inc.
    Inventors: Michael Weinberger, Devin Jones, Scott E. Millis, J. Kirsten Bay
  • Patent number: 10929523
    Abstract: An electronic device is provided. The electronic device includes a memory and at least one processor configured to execute a first application among at least one application stored in the memory, determine whether to permit providing meta information (including information for accessing first data related to a first function of the first application stored in the memory) based on the first user information under which the first application is executed, and control whether the meta information about the first data is provided to a virtual file system.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: February 23, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jae-Min Ryu, Sung-Bae Yoo
  • Patent number: 10915668
    Abstract: In an example embodiment, a secure display device includes hardware that can be positioned between a personal computer or a central processing unit and a display, such as a flat panel display. Display data from the personal computer or the central processing unit to the flat panel display is transmitted through the secure display device.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: February 9, 2021
    Assignee: Cryptera A/S
    Inventors: Erling Wesselhoff, Mikael Bruun
  • Patent number: 10902142
    Abstract: A system and method is provided for encrypting data for secure storage or transport. The method includes generating object-based wave screen(s) and optionally stumbling block(s) and/or XOR block(s) associated with a block map layout. For each data segment to be encrypted, the method includes positioning the bits of the data segment within the block map layout to generate a data map, and encrypting the data map by applying the object-based wave screen(s) and optionally the stumbling block(s) and/or XOR block(s) to remap the positions of the bits within the block map layout. The encrypted data map is then stored or transported as a representation of the data segment.
    Type: Grant
    Filed: October 8, 2018
    Date of Patent: January 26, 2021
    Assignee: CERULEANT SYSTEMS, LLC
    Inventor: Jason McNutt
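Added example for the prefix-recommendation workflow of patent 11122080 (Arbor Networks). This is not the patent holder's code: it aggregates constructed flow records into a /32, /24, /16 hierarchy, computes hierarchical heavy hitters (HHH) for several traffic fractions, scores each HHH set, ranks the members of the best set, and greedily picks a subset whose diverted volume lands closest to a user-supplied diversion capacity. The scoring function (coverage minus a per-route cost), the ranking function (residual volume) and the sample addresses are my own placeholders; the patent leaves the first two arbitrary.

```python
"""Added example, not Arbor Networks' code: HHH-based prefix recommendation."""
import ipaddress
from collections import defaultdict

# Constructed "Netflow" records (destination address, bytes). Not real traffic.
FLOWS = [
    ("203.0.113.5", 400), ("203.0.113.6", 350), ("203.0.113.7", 300),
    ("203.0.113.8", 50), ("203.0.113.9", 50), ("203.0.113.10", 50), ("203.0.113.11", 50),
    ("198.51.100.10", 500), ("198.51.100.11", 40),
    ("192.0.2.1", 30), ("192.0.2.2", 20),
    ("10.0.0.1", 10),
]
LEVELS = (32, 24, 16)   # leaf level first, so descendants are decided before ancestors


def parse_flows(flows):
    return [(ipaddress.ip_address(ip), b) for ip, b in flows]


def hierarchical_heavy_hitters(flows, phi):
    """Return ({prefix: residual_volume}, total). A prefix is an HHH when its volume,
    after discounting the residual volume of HHH prefixes below it, is >= phi * total.
    Residual volumes partition the covered traffic: each flow is counted once, in its
    nearest HHH ancestor, so the values can be summed without double counting."""
    total = sum(b for _, b in flows)
    hhh = {}
    for level in LEVELS:
        vol = defaultdict(int)
        for addr, b in flows:
            vol[ipaddress.ip_network(f"{addr}/{level}", strict=False)] += b
        for net, v in vol.items():
            below = sum(r for d, r in hhh.items()
                        if d.prefixlen > level and d.subnet_of(net))
            if v - below >= phi * total:
                hhh[net] = v - below
    return hhh, total


def score(hhh, total, route_penalty=0.02):
    """Placeholder scoring function (assumption): traffic fraction explained by the
    set minus a small cost per diversion route, so compact sets win ties."""
    return sum(hhh.values()) / total - route_penalty * len(hhh)


def covered_volume(flows, prefixes):
    """Volume actually diverted if routes for `prefixes` are announced; a /32 under an
    announced /24 adds nothing, which is why selection is done on the union."""
    return sum(b for addr, b in flows if any(addr in p for p in prefixes))


def recommend_prefixes(raw_flows, capacity, fractions=(0.05, 0.1, 0.2, 0.3)):
    """Search HHH sets over several fractions, keep the best-scoring one, rank its
    members by residual volume (assumption) and add prefixes while doing so brings the
    diverted volume closer to `capacity` (e.g. what the scrubbing devices can absorb)."""
    flows = parse_flows(raw_flows)
    candidates = [hierarchical_heavy_hitters(flows, phi) for phi in fractions]
    best, _total = max(candidates, key=lambda c: score(*c))
    ranked = sorted(best, key=best.get, reverse=True)
    selected, current = [], 0
    for net in ranked:
        new = covered_volume(flows, selected + [net])
        if abs(new - capacity) < abs(current - capacity):
            selected.append(net)
            current = new
    return [str(n) for n in selected], current


if __name__ == "__main__":
    for cap in (500, 1200, 1800):
        print(cap, recommend_prefixes(FLOWS, cap))
```

With these records the /24 under attack (203.0.113.0/24) is selected on its own for a capacity of 1200 even though two of its hosts are heavy hitters themselves, because announcing the covering route already diverts them; a capacity of 500 picks only the single heavy host in 198.51.100.0/24.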
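Added example for the container DNS policy of patent 11102220 (Twistlock). This is not the patent holder's code: it learns a per-container allowlist of domain names from constructed historical query logs, then classifies live queries, blocking any query whose name is not in the container's allowlist and flagging containers that violate their policy. The log format, exact-name matching and the rule that containers with no learned policy are left alone are assumptions of this example; the patent does not specify them.

```python
"""Added example, not Twistlock's code: DNS allowlist learned per container."""
from collections import defaultdict

# Constructed learning-window log: container,unix_time,qname (not real data).
HISTORY = """\
web-1,1700000001,api.example.com.
web-1,1700000007,cdn.example.net.
web-1,1700000012,api.example.com.
web-1,1700000020,metrics.example.com.
worker-1,1700000003,queue.example.org.
worker-1,1700000030,queue.example.org.
"""

# Constructed live traffic: two names that never appeared in the learning window.
LIVE = """\
web-1,1700000100,api.example.com.
web-1,1700000101,a1b2c3.evil-dga.xyz.
web-1,1700000102,cdn.example.net.
worker-1,1700000103,queue.example.org.
worker-1,1700000104,update.evil-dga.xyz.
"""


def parse(lines):
    """Yield (container, timestamp, normalised qname); names are lower-cased and the
    trailing root dot is dropped so 'Api.Example.COM.' and 'api.example.com' match."""
    for line in lines.strip().splitlines():
        container, ts, qname = line.split(",")
        yield container, int(ts), qname.lower().rstrip(".")


def build_policy(history):
    """Container -> set of domain names it queried during the learning window."""
    policy = defaultdict(set)
    for container, _, qname in parse(history):
        policy[container].add(qname)
    return dict(policy)


def evaluate(policy, live):
    """Split live queries into (allowed, blocked). A query is blocked when its
    container has a policy and the name is not in it; containers without a policy
    are passed through (assumption: no policy means still learning)."""
    allowed, blocked = [], []
    for container, _, qname in parse(live):
        names = policy.get(container)
        if names is None or qname in names:
            allowed.append((container, qname))
        else:
            blocked.append((container, qname))
    return allowed, blocked


def botnet_suspects(blocked, threshold=1):
    """Containers with at least `threshold` blocked queries, i.e. traffic that does
    not comply with their DNS policy."""
    counts = defaultdict(int)
    for container, _ in blocked:
        counts[container] += 1
    return {c for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    pol = build_policy(HISTORY)
    ok, bad = evaluate(pol, LIVE)
    print("blocked:", bad)
    print("suspects:", botnet_suspects(bad))
```

Two caveats worth keeping in mind: the allowlist is only as clean as the learning window, so a container that was already beaconing while the policy was learned gets its command-and-control name allowlisted; and exact-name matching will also block legitimate new subdomains of an allowed zone, so a real deployment has to decide deliberately whether to match on exact names or on parent domains.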
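Added example for the clock-skew intrusion detector of patent 11044260 (University of Michigan). This is a simplified detector written for this page, not the inventors' code: for one periodic CAN message ID, each batch of arrival timestamps yields an average clock offset, the absolute offsets are accumulated, a scalar recursive-least-squares (RLS) filter fits the accumulated offset against elapsed time (the slope is proportional to the sending ECU's clock skew), and a CUSUM over the RLS identification error raises an alarm when the skew changes, which here models an impostor ECU taking over the ID. All timestamps, skew values, jitter bounds and CUSUM parameters are constructed for the example.

```python
"""Added example, not the inventors' code: clock-skew fingerprinting + CUSUM on CAN."""
import random
import statistics

PERIOD = 0.010             # nominal message period in seconds (10 ms)
BATCH = 20                 # messages per batch
BENIGN_BATCHES = 30
ATTACK_BATCHES = 10
ATTACK_START = BENIGN_BATCHES   # index of the first batch sent by the impostor ECU


class ClockSkewIDS:
    def __init__(self, period, kappa=5.0, gamma=10.0, sigma_floor=5e-6, warmup=10):
        self.T = period
        self.kappa, self.gamma = kappa, gamma     # CUSUM slack and alarm threshold
        self.sigma_floor = sigma_floor            # keep normalisation sane on clean data
        self.warmup = warmup                      # batches used to calibrate mu / sigma
        self.S, self.P = 0.0, 1e6                 # RLS slope estimate and its covariance
        self.O_acc, self.t = 0.0, 0.0             # accumulated offset, elapsed time
        self.errors = []                          # identification errors during warm-up
        self.mu = self.sigma = None
        self.L_pos = self.L_neg = 0.0
        self.batches = 0

    def process_batch(self, arrivals):
        """Consume one batch of arrival timestamps; return (identification error, alarm)."""
        n = len(arrivals)
        a1 = arrivals[0]
        # average clock offset: distance of each arrival from its ideal slot after a1
        o_avg = sum(arrivals[i] - (a1 + i * self.T) for i in range(1, n)) / (n - 1)
        self.O_acc += abs(o_avg)
        self.t += n * self.T
        e = self.O_acc - self.S * self.t          # identification error (before update)
        # scalar RLS with forgetting factor 1: fit O_acc ~= S * t
        g = self.P * self.t / (1.0 + self.P * self.t ** 2)
        self.S += g * e
        self.P *= (1.0 - g * self.t)
        self.batches += 1
        if self.batches == 1:                     # filter untrained, nothing to judge
            return e, False
        if self.batches <= self.warmup:           # calibrate the error statistics
            self.errors.append(e)
            if self.batches == self.warmup:
                self.mu = statistics.mean(self.errors)
                self.sigma = max(statistics.pstdev(self.errors), self.sigma_floor)
            return e, False
        z = (e - self.mu) / self.sigma            # normalised error
        self.L_pos = max(0.0, self.L_pos + z - self.kappa)
        self.L_neg = max(0.0, self.L_neg - z - self.kappa)
        return e, max(self.L_pos, self.L_neg) > self.gamma


def arrivals(start, count, skew, rng, jitter=2e-6):
    """Constructed timestamps of a periodic message whose real interval is
    PERIOD * (1 + skew) (the sender's clock error), plus bounded bus jitter."""
    return [start + i * PERIOD * (1.0 + skew) + rng.uniform(-jitter, jitter)
            for i in range(count)]


def run_demo(legit_skew=1e-4, impostor_skew=1e-3, seed=7):
    """Legitimate ECU sends 30 batches, then an impostor with a different clock skew
    takes over the ID (masquerade). Returns alarm batches and the skew estimate
    learned on the legitimate traffic (expected: legit_skew / 2 with this batching)."""
    rng = random.Random(seed)
    ids = ClockSkewIDS(PERIOD)
    legit = arrivals(0.0, BENIGN_BATCHES * BATCH, legit_skew, rng)
    impostor = arrivals(legit[-1] + PERIOD, ATTACK_BATCHES * BATCH, impostor_skew, rng)
    stream = legit + impostor
    alarms, skew_estimate = [], None
    for k in range(len(stream) // BATCH):
        _, alarm = ids.process_batch(stream[k * BATCH:(k + 1) * BATCH])
        if k == ATTACK_START - 1:
            skew_estimate = ids.S
        if alarm:
            alarms.append(k)
    return {"alarm_batches": alarms,
            "first_alarm": alarms[0] if alarms else None,
            "skew_estimate": skew_estimate}


if __name__ == "__main__":
    print(run_demo())
```

The detector fingerprints the sender only through timing, so it needs no payload knowledge and no changes to the ECUs; the flip side, which the constants above hide, is that the CUSUM thresholds and the jitter model have to be calibrated per bus, and an attacker whose clock skew happens to be close to the victim ECU's will produce a small identification error that takes longer to cross the threshold.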