Patents Examined by Benjamin E. Lanier
  • Patent number: 11714902
    Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.
    Type: Grant
    Filed: February 4, 2022
    Date of Patent: August 1, 2023
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11711216
    Abstract: A biometric enrollment system can include a processor and a data store that stores one or more TPS templates and a sample population. The processor can be configured to receive a reference template associated with a subject, generate a cohort set based on a plurality of templates from the sample population, and perform a one-to-many comparison process on the reference template and the cohort set, wherein an output of the one-to-many comparison process comprises one or more cohort vectors. The processor can normalize the one or more cohort vectors to obtain one or more normalized cohort vectors, and can apply a lossy transformation to the one or more normalized cohort vectors. An output of applying the lossy transformation can comprise one or more transformed, privacy-secured (TPS) templates that are stored in the database.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: July 25, 2023
    Assignee: T STAMP INC.
    Inventor: Norman Hoon Thian Poh
  • Patent number: 11695796
    Abstract: Described are implementations that analyze the unencrypted messages of a cryptographic protocol handshake between two devices and/or the receipt or absence of encrypted messages of the handshake to detect security vulnerabilities of one or both of those devices. For example, the unencrypted messages of a TLS handshake between a client device and a server may be analyzed to determine security vulnerabilities of the client device. Because the disclosed implementations utilize the unencrypted messages of a handshake and/or detection of the receipt or absence of encrypted messages of the handshake, involvement in the handshake or decryption of encrypted messages of the handshake is not necessary. The requirement is that the disclosed implementations are able to observe the messages of a handshake that are used to establish a secure communication between the devices.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: July 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Li Chen, Ali Haldun Taner
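The passive approach this abstract describes can be shown on the wire: an observer that sees only the ClientHello learns the protocol versions and cipher suites the client is willing to use, without joining the handshake or decrypting anything. The following is an added example written for this page, not Amazon's implementation. The ClientHello bytes are constructed by build_client_hello() with an all-zero random field, and WEAK_SUITES is a short hand-picked watch-list; both are assumptions of the example.

```python
"""Passive ClientHello analysis (added example, not the patent's implementation).

Reads the unencrypted first flight of a TLS handshake and reports what the
client itself reveals: offered protocol versions and weak cipher suites.
No participation in the handshake and no decryption is needed.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
WEAK_SUITES = {  # IANA values; a constructed watch-list, a real tool loads a maintained one
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(legacy_version, suites, supported_versions=(), sni=None):
    """Constructed ClientHello record for exercising the parser (random is all zeros)."""
    exts = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    if supported_versions:
        body = bytes([2 * len(supported_versions)])
        body += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"     # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                                 # one compression method: null
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract legacy version, cipher suites, supported_versions and SNI from one record."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        info = {"legacy_version": struct.unpack("!H", body[0:2])[0],
                "cipher_suites": [], "supported_versions": [], "sni": None}
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                           # compression methods
        if pos + 2 <= len(body):                       # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SUPPORTED_VERSIONS:
                    info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                                  for i in range(1, 1 + data[0], 2)]
                elif etype == EXT_SERVER_NAME:
                    name_len = struct.unpack("!H", data[3:5])[0]
                    info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        return info
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def assess_client(info):
    """Findings about the client drawn only from what it offered."""
    findings = []
    # Without supported_versions, the legacy field is the highest version the client speaks.
    offered = set(info["supported_versions"]) or {info["legacy_version"]}
    for v in sorted(offered):
        if v <= 0x0301:
            findings.append(f"client offers {TLS_VERSIONS.get(v, hex(v))}")
    for s in info["cipher_suites"]:
        if s in WEAK_SUITES:
            findings.append(f"client offers weak suite {WEAK_SUITES[s]}")
    return findings


if __name__ == "__main__":
    hello = build_client_hello(0x0303, [0xC02F, 0x0005], supported_versions=[0x0304, 0x0303, 0x0301],
                               sni="plc.example")
    print(assess_client(parse_client_hello(hello)))
```

Note what this can and cannot conclude: a client that sends supported_versions exposes its full list, while a pre-1.3 client only reveals its maximum version, so "no TLS 1.0 finding" for such a client means the observer could not tell, not that the client refuses it. The absence of expected encrypted records after the ServerHello, which the abstract also uses as a signal, would be detected by watching record types rather than contents.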
  • Patent number: 11689352
    Abstract: A method is provided for generating an output from an input according to a secret using a white-box implementation of a cryptographic function having a first operation, a second operation, and a third operation. The method applies the input to a first operation to generate a first intermediate result, applies the first intermediate result to a second operation to generate a second intermediate result, and applies the second intermediate result to a third operation to generate the output, wherein at least two of the first operation, the second operation, and the third operation is implemented by a plurality of interconnected logic elements, the interconnection of the plurality of logic elements being comprised of one of a non-algebraic interconnection of logic elements and an algebraic interconnection of logic elements having obfuscated boundaries between the at least one of the first operation, the second operation and the third operation.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: June 27, 2023
    Assignee: ARRIS Enterprises LLC
    Inventor: Lex Aaron Anderson
  • Patent number: 11669637
    Abstract: New tokenization tables are derived at intervals in order to increase the security of tokenized data that is transferred between two endpoints. Generation of the new tokenization tables is based on previous tokenization tables, which advantageously allows the generation process to be performed locally at the two endpoints independently of an external tokenization table provider. New tokenization tables can periodically be distributed to the endpoints as a new starting point for derivation.
    Type: Grant
    Filed: October 2, 2021
    Date of Patent: June 6, 2023
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Ulf Mattsson
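One concrete way to realise "derive the next table from the previous one" so that both endpoints stay in sync without the table provider, as an added example for this page rather than Protegrity's construction: a table set holds one digit permutation per input position, and each new set is a deterministic Fisher-Yates shuffle of the previous one driven by HMAC-SHA256 over the previous set, the epoch number and the position. The starting set, the per-position layout and the digit alphabet are assumptions of this example.

```python
"""Locally derived tokenization tables (added example; assumed construction, not Protegrity's).

Two endpoints that share table set n both compute table set n+1 from it alone.
The provider can still distribute a fresh set as a new starting point.
"""
from __future__ import annotations

import hashlib
import hmac

DIGITS = "0123456789"


def _prf_bytes(key: bytes, label: str):
    """Endless deterministic byte stream: HMAC-SHA256(key, label || counter)."""
    counter = 0
    while True:
        yield from hmac.new(key, f"{label}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1


def _derive_table(prev: str, key: bytes, label: str) -> str:
    """Fisher-Yates shuffle of prev driven by the PRF stream (rejection keeps it unbiased)."""
    perm = list(prev)
    stream = _prf_bytes(key, label)
    for i in range(len(perm) - 1, 0, -1):
        limit = 256 - (256 % (i + 1))
        r = next(stream)
        while r >= limit:           # a byte in [limit, 256) would bias r % (i + 1)
            r = next(stream)
        j = r % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return "".join(perm)


def derive_next_tableset(tables: list[str], epoch: int) -> list[str]:
    """Table set for `epoch`, computed only from the previous set."""
    key = "".join(tables).encode()   # every new table depends on the whole previous set
    return [_derive_table(t, key, f"epoch{epoch}:pos{i}") for i, t in enumerate(tables)]


def tokenize(value: str, tables: list[str]) -> str:
    """Format-preserving substitution: digit d at position i becomes tables[i][d]."""
    if not all(c in DIGITS for c in value) or len(value) > len(tables):
        raise ValueError("value must be ASCII digits and fit the table set")
    return "".join(tables[i][int(d)] for i, d in enumerate(value))


def detokenize(token: str, tables: list[str]) -> str:
    return "".join(str(tables[i].index(c)) for i, c in enumerate(token))


if __name__ == "__main__":
    # Constructed starting set, as if distributed by the provider to both endpoints.
    shared = derive_next_tableset([DIGITS] * 6, 0)
    sender, receiver = shared, shared
    for epoch in range(1, 4):
        sender = derive_next_tableset(sender, epoch)       # each side derives locally
        receiver = derive_next_tableset(receiver, epoch)
        tok = tokenize("491234", sender)
        print(epoch, tok, detokenize(tok, receiver))
```

The epoch counter must be agreed out of band (or carried with the message) so both sides apply the same number of derivation steps; a receiver one epoch behind will detokenize to the wrong value rather than fail loudly, which is worth a version tag in practice. A single digit permutation per position also leaks equality of values at the same position across tokens, so production tables are far larger than this toy alphabet.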
  • Patent number: 11671439
    Abstract: The invention relates to digital cloud forensics. An embodiment of the present invention applies collection processes and tools to cloud infrastructure as a service to provide a more efficient and faithful representation of evidence. An embodiment of the present invention applies innovative concepts to retrospectively investigate ephemeral instances which may have long since terminated. This innovative process provides organizations a strategy to provide forensic investigations within either a public or private cloud environment.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: June 6, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Michael P. Vega, James Regan, Matteo Michelini, Jean-Francois Legault
  • Patent number: 11669605
    Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: June 6, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11658959
    Abstract: Techniques are disclosed relating to authenticating a user with a mobile device. In some embodiments, a computing device stores a first signed attestation indicating an ability of the computing device to securely perform a user authentication. The computing device receives a request to store credential information of an identification document issued by an issuing authority to a user for establishing an identity of the user. In response to the request, the computing device sends, to the issuing authority, a request to store the credential information, the sent request including the first signed attestation to indicate an ability to perform a user authentication prior to permitting access to the credential information. In response to an approval of the sent request based on the first signed attestation, the computing device stores the credential information in a secure element of the computing device.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: May 23, 2023
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Ahmer A. Khan, Martijn T. Haring
  • Patent number: 11658941
    Abstract: A computing device may include a processor and a memory. The processor may be configured to provide an encrypted second portion of a key to a client device in response to a match between data decrypted from an encrypted first portion of the key and a first portion of the key, the match being indicative of an absence of a proxy device. The processor may be configured to detect a loss in connectivity between the computing device and the client device based upon a mismatch between a decrypted second portion of the key and a second portion of the key, the mismatch being indicative of the proxy device.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: May 23, 2023
    Inventors: Anudeep Athlur, Praveen Raja Dhanabalan
  • Patent number: 11646893
    Abstract: Systems and methods for detecting misuse of devices comprising: receiving, from a device, a message comprising a first hash of device data that is indicative of a current device location and usage; generating a second hash of stored data, the stored data being based on an expected location and usage associated with the device; comparing the first and second hashes; and when the first and second hashes do not match, generating an alert.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: May 9, 2023
    Assignee: Avaya, Inc.
    Inventors: Rifaat Shekh-Yusef, Gregory Pelton
  • Patent number: 11645410
    Abstract: This disclosure relates to, among other things, systems and methods for managing electronic content. Certain embodiments disclosed herein provide for a trusted data management platform that may interact with a trusted assertion service and/or a digital rights management service to manage access to and/or use of electronic content. Content creators and/or other content rights holder may register their content and/or associate rights using the trusted data management platform and/or a trusted assertion service and be assured that their content rights are securely managed and respected.
    Type: Grant
    Filed: March 12, 2021
    Date of Patent: May 9, 2023
    Assignee: Intertrust Technologies Corporation
    Inventor: Yutaka Nagao
  • Patent number: 11636206
    Abstract: A code segment executing on a compute instance may be identified as suspicious based on runtime behavior or similar behavioral analysis or the like. In order to ensure the identification and use of the most up-to-date identification and remediation tools, the compute instance may defer various remediation steps for an interval, during which the compute instance may wait for data updates from a threat management system. After the interval has passed, the compute instance may use any updated data or tools in order to address the code segment that triggered the initial malware detection.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: April 25, 2023
    Assignee: Sophos Limited
    Inventors: Timothy Bruce Kenyon, Patrick James Hammack
  • Patent number: 11636212
    Abstract: Identifying and evaluating exploitability of software vulnerabilities is provided. A vulnerability identified and a level of exploitability of the vulnerability corresponding to a software package is evaluated prior to installation of the software package on a data processing system based on data collected from a plurality of software vulnerability data sources. Related alternative software packages corresponding to the software package to be installed on the data processing system are identified based on a comparative analysis between alternative software packages and the software package. A confidence level is determined for each respective related alternative software package for resolving the level of exploitability. The related alternative software packages are ranked from least to most vulnerable based on a calculated exploitability score corresponding to each respective related alternative software package.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: April 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Lawang Mishra, Shruthi Rs Rao, Payas Goyal, Sudhakar T. Seshagiri
  • Patent number: 11637824
    Abstract: A device may receive a request from a first user device to access a protected device. The device may verify a user identity of a user of the first device based on user credentials and determine that an authentication code is needed to authenticate the request to access the protected device. The device may dynamically generate multiple codes and transmit the multiple codes to a second user device associated with the user identity of the user of the first device. A first code, of the multiple codes, may correspond to a correct authentication code needed to authenticate the request to access the protected device. The device may transmit a message including an instruction for identifying the correct authentication code from among the multiple codes, receive a second code from the first device, compare the second code and the first code, and selectively authenticate the request to access the protected device.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: April 25, 2023
    Assignee: Capital One Services, LLC
    Inventors: Michael Mossoba, Abdelkadar M'Hamed Benkreira, Joshua Edwards
  • Patent number: 11601285
    Abstract: Described is a system (and method) for securely authorizing service level access to a backup system using an access key. The service level access (or access via a service account) may provide a user with an enhanced set of privileges to perform troubleshooting operations on the backup system. Such privileges may be unlocked by allowing a user to perform operations using an unrestricted interface of the backup system such as an operating system shell. To authorize such access, the system may provide a limited (or specialized) access key. The access key may be narrowly tailored to only provide access to a particular backup system and only remain viable for a limited duration. Accordingly, the access key may be configured to embed a system identifier, a timestamp, and a digital signature, which may be independently verifiable by the backup system before granting service level access.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: March 7, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Senthil Ponnuswamy, Satish Inampudi
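The three fields the abstract names (system identifier, timestamp, signature) are enough to let the appliance decide offline whether to unlock its shell. The following is an added example for this page, not EMC's key format: the key is base64url(system_id | expiry | tag), and HMAC-SHA256 under a constructed VENDOR_SECRET stands in for the digital signature so the example needs only the standard library. In production the issuer would sign with a private key and the appliance would verify with the corresponding public key, so that no secret capable of minting keys lives on the appliance.

```python
"""Time-limited service access key for a backup appliance (added example, assumed layout).

Key = base64url( system_id | expiry_unix | HMAC-SHA256(VENDOR_SECRET, system_id | expiry_unix) )
"""
import base64
import hashlib
import hmac
import time

VENDOR_SECRET = b"constructed-issuer-secret"   # held by the vendor's issuing service only
TAG_LEN = 32


def issue_access_key(system_id: str, ttl_seconds: int, now=None) -> str:
    """Issuer side: bind the key to one system and one expiry time."""
    now = int(time.time()) if now is None else now
    payload = f"{system_id}|{now + ttl_seconds}".encode()
    tag = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_access_key(key: str, local_system_id: str, now=None):
    """Appliance side: returns (granted, reason). Runs offline; signature is checked first."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(key.encode())
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False, "malformed key"
    if len(raw) < TAG_LEN + 2 or raw[-TAG_LEN - 1:-TAG_LEN] != b"|":
        return False, "malformed key"
    payload, tag = raw[:-TAG_LEN - 1], raw[-TAG_LEN:]
    expected = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad signature"
    try:
        system_id, expiry_text = payload.decode().split("|")
        expiry = int(expiry_text)
    except ValueError:
        return False, "malformed payload"
    if system_id != local_system_id:             # key narrowly tailored to one appliance
        return False, "key issued for a different system"
    if now > expiry:                             # limited viability window
        return False, "key expired"
    return True, "ok"


if __name__ == "__main__":
    key = issue_access_key("DD-9900-0042", ttl_seconds=3600)
    print(key)
    print(verify_access_key(key, "DD-9900-0042"))
    print(verify_access_key(key, "DD-9900-0043"))
```

Checking the signature before parsing the payload keeps unauthenticated input away from the parser, and the expiry check depends on the appliance clock, so a key issued for a short window is only as good as that clock; an appliance with NTP disabled or a drifted clock will either reject valid keys or accept expired ones.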
  • Patent number: 11595374
    Abstract: A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: February 28, 2023
    Assignee: Plaid Inc.
    Inventors: William Hockey, Michael Kelly
  • Patent number: 11595189
    Abstract: A method for secure key exchange. The method comprises receiving a request to certify a key from a communication partner at an interface between an access and tamper resistant circuit block and exposed circuitry. Within the access and tamper resistant circuit block, a first random private key is generated. A corresponding public key of the first random private key is derived, and a cryptographic digest of the public key and attributes associated with the first random private key is generated. The generated cryptographic digest is signed using a second random private key that has been designated for signing by one or more associated attributes. The public key and the signature are then sent to the communication partner via the interface.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: February 28, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Avdhesh Chhodavdia, Ling Tony Chen, Felix Stefan Domke, Kambiz Rahimi, Jay Scott Fuller
  • Patent number: 11595396
    Abstract: A smart process control switch can implement a lockdown routine to lockdown its communication ports exclusively for use by devices having known physical addresses, enabling the smart process control switch to prevent new, potentially hostile, devices from communicating with other devices to which the smart process control switch is connected. Further, the smart process control switch can implement an address mapping routine to identify “known pairs” of physical and network addresses for each device communicating via a port of the smart process control switch. Thus, even if a new hostile device is able to spoof a known physical address in an attempt to bypass locked ports, the smart process control switch can detect the hostile device by checking the network address of the hostile device against the expected network address for the “known pair.”
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: February 28, 2023
    Assignee: FISHER-ROSEMOUNT SYSTEMS, INC.
    Inventors: Alexandre Da Silva Peixoto, Paul Greuniesen, Neil J. Peterson
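The two routines in this abstract, port lockdown on physical addresses and a MAC-to-IP "known pair" table, can be modelled in a few dozen lines. The following is an added example for this page, not Fisher-Rosemount's firmware: frames are constructed records rather than real Ethernet, learning happens during a trusted commissioning phase, and after lockdown a frame is forwarded only if its source MAC is allowed on the ingress port and its source IP matches the learned pair for that MAC.

```python
"""Port lockdown with MAC/IP known pairs (added example; not Fisher-Rosemount code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    port: int
    src_mac: str
    src_ip: str


@dataclass
class ControlSwitch:
    locked: bool = False
    port_allow: dict[int, set[str]] = field(default_factory=dict)   # port -> MACs seen on it
    known_pairs: dict[str, str] = field(default_factory=dict)        # MAC -> learned IP

    def learn(self, frame: Frame) -> None:
        """Address-mapping routine; only valid while the network is trusted."""
        if self.locked:
            raise RuntimeError("learning is disabled after lockdown")
        prev_ip = self.known_pairs.get(frame.src_mac)
        if prev_ip is not None and prev_ip != frame.src_ip:
            # A conflicting mapping during commissioning is itself suspicious: surface it.
            raise ValueError(f"{frame.src_mac} seen with both {prev_ip} and {frame.src_ip}")
        self.port_allow.setdefault(frame.port, set()).add(frame.src_mac)
        self.known_pairs[frame.src_mac] = frame.src_ip

    def lockdown(self) -> None:
        """Lockdown routine: from now on only learned MACs may use each port."""
        self.locked = True

    def inspect(self, frame: Frame) -> tuple[str, str]:
        """Return ('forward' | 'drop', reason) for a frame arriving on a port."""
        if not self.locked:
            return "forward", "switch not locked"
        if frame.src_mac not in self.port_allow.get(frame.port, set()):
            return "drop", f"MAC {frame.src_mac} not allowed on port {frame.port}"
        expected_ip = self.known_pairs[frame.src_mac]   # present: MAC was learned
        if frame.src_ip != expected_ip:
            return "drop", (f"known pair violated: {frame.src_mac} expected "
                            f"{expected_ip}, got {frame.src_ip}")
        return "forward", "known pair matched"


if __name__ == "__main__":
    sw = ControlSwitch()
    sw.learn(Frame(1, "00:11:22:33:44:55", "10.0.0.10"))   # constructed commissioning traffic
    sw.learn(Frame(2, "00:11:22:33:44:66", "10.0.0.11"))
    sw.lockdown()
    for f in (Frame(1, "00:11:22:33:44:55", "10.0.0.10"),   # legitimate
              Frame(1, "de:ad:be:ef:00:01", "10.0.0.99"),   # new device, unknown MAC
              Frame(1, "00:11:22:33:44:55", "10.0.0.99"),   # MAC spoofed, wrong IP
              Frame(2, "00:11:22:33:44:55", "10.0.0.10")):  # known pair on the wrong port
        print(f, sw.inspect(f))
```

The check raises the bar but is not authentication: a device that copies both the MAC and the IP of a known pair and plugs into that pair's port passes. It also assumes addresses are static, which holds for most process-control networks and not for DHCP-assigned ones.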
  • Patent number: 11582206
    Abstract: Systems, devices, media, and methods are presented for retrieving authentication credentials and decryption keys to access remotely stored user-generated content. The systems and methods receive a first authentication credential and access a second authentication credential based on receiving the first authentication credential. The system and methods generate an authentication token and an encryption token. Based on the authentication token, the system and methods access a set of encrypted content and an encrypted content key. The systems and methods decrypt the encrypted content key using the encryption token and decrypt the set of encrypted content using the decrypted content key. At least a portion of the content is presented at the user device.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: February 14, 2023
    Assignee: SNAP INC.
    Inventors: Jad S. Boutros, Jiayuan Ma, Filipe Jorge Marques de Almeida, Marcel M. Yung
  • Patent number: 11582232
    Abstract: An authority transfer system comprising a client, a resource server, a server that receives, from the client, an authorization request requesting permission to access to a resource managed by the resource server, and a user terminal possessed by an owner of the resource is provided. The server registers a first user terminal in accordance with a registration request of the first user terminal being received from the first user terminal, and determines whether or not a registered second user terminal can be deregistered in accordance with a registration cancellation request being received from the first user terminal, and if it is determined that the second user terminal can be deregistered, authenticates the first user terminal or the second user terminal, and deregisters the second user terminal in accordance with the authentication.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: February 14, 2023
    Assignee: Canon Kabushiki Kaisha
    Inventor: Ryo Kishimoto