Patents Examined by Benjamin Lanier
  • Patent number: 9923871
    Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
    Type: Grant
    Filed: February 15, 2017
    Date of Patent: March 20, 2018
    Assignee: Pulse Secure, LLC
    Inventor: Thomas C. Chang
  • Patent number: 9912702
    Abstract: A method and associated computing system. A first computing environment receives data that includes first sensitive data. The first computing environment includes a hypervisor, a virtual machine running on the hypervisor, and a compliance gateway coupled to the virtual machine and the hypervisor. The compliance gateway intercepts the request. The compliance gateway inspects the intercepted request, does not find sensitive data in the request from inspecting the intercepted request, and forwards the request directly to the virtual machine in response to not finding sensitive data in the request. The virtual machine receives the request from the compliance gateway and, in response, initiates performance of an operation indicated in the request. The hypervisor determines that the performance of the request requires the first sensitive data that is sensitive, and in response the hypervisor prevents the virtual machine from completing performance of the operation, by intercepting the operation.
    Type: Grant
    Filed: January 11, 2017
    Date of Patent: March 6, 2018
    Assignee: International Business Machines Corporation
    Inventors: Boas Betzler, Vinod S. Chavan, Ingo Dressler, Holger Karn
  • Patent number: 9906540
    Abstract: A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: February 27, 2018
    Assignee: Fortinet, LLC
    Inventor: Michael Xie
  • Patent number: 9866395
    Abstract: A unifying network model with a structure and architecture configured to address security, interoperability, mobility, and resource management, including priority and quality of services is provided. The network of the network model is structured as a hierarchical mesh network, with dynamically generated routing tables. The configuration of the network model optimizes routing and distributes communication load. Every device on the network is capable of being both an endpoint and a forwarder of communications. The network model may include underlying networks that are represented with one of two models, the link model or the star model. The nodes are organized in a hierarchical relationship structure to optimize throughput. The model may include a cryptographic method of dynamically assigning local network addresses.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: January 9, 2018
    Assignee: CoCo Communications Corp.
    Inventors: Jeremy Bruestle, Mark L. Tucker
  • Patent number: 9860223
    Abstract: Users on a client system access files served by a web application through the Network File System (NFS) protocol using common web authentication mechanisms while still honoring constraints imposed by the application's authorization rules. To this end, the client system is modified to include an NFS server. Following authentication of the NFS server with the web application, NFS-based requests (from a local NFS client) directed to the application are received at the NFS server instead of being sent to the application directly. The NFS server, in turn, maps those requests to the web application preferably using standard HTTP. Because the web application's normal security model is enforced as intended at the web application, the approach enables individual users of the client system to operate under different visibility constraints dictated by the web application. Thus, fine-grained permissions may be enforced at the web application for different users.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: January 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Sheehan Anderson, Richard Lee Kulp, Gili Mendel
  • Patent number: 9853989
    Abstract: Technologies are generally described to implement intrusion detection based on smart power background. In some examples, upon detection of an attempt to access a resource, a power line ambiance may be determined at a location of a device on which the attempt to access the resource is executed. The power line ambiance may be based on a connection of the device and/or one or more other devices at the location to a power line. The captured/received power profiles may identify device signatures enabling generation of a digest of the location. An intrusion detection system (IDS) may receive the digest of the location and compare the digest to previous digests associated with an authorized client of the resource to evaluate an authenticity of the attempt. If the authenticity of the attempt is suspicious, the IDS may elevate security by employing one or more verification levels and/or one or more authentication techniques.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: December 26, 2017
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Ezekiel Kruglick
  • Patent number: 9852299
    Abstract: The present disclosure is directed to a protection scheme for remotely-stored data. A system may comprise, for example, at least one device including at least one virtual machine (VM) and a trusted execution environment (TEE). The TEE may include an encryption service to encrypt or decrypt data received from the at least one VM. In one embodiment, the at least one VM may include an encryption agent to interact with interfaces in the encryption service. For example, the encryption agent may register with the encryption service, at which time an encryption key corresponding to the at least one VM may be generated. After verifying the registration of the encryption agent, the encryption service may utilize the encryption key corresponding to the at least one VM to encrypt or decrypt data received from the encryption agent. The encryption service may then return the encrypted or decrypted data to the encryption agent.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: December 26, 2017
    Assignee: INTEL CORPORATION
    Inventors: Hariprasad Nellitheertha, Deepak S., Thanunathan Rangarajan, Anil S. Keshavamurthy
  • Patent number: 9852292
    Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: December 26, 2017
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 9853963
    Abstract: An authorization token verification request including the authorization token is received from an application server having received a processing request along with the authorization token from the client, and, in a case where the authorization token is verified successfully on basis of the received authorization token and the authorization token information, the local user information included in the authorization token information is transmitted to the application server.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: December 26, 2017
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kensuke Hirata
  • Patent number: 9843562
    Abstract: Private anonymous electronic messaging between a message originator and a message recipient within an organization encourages open communication which can provide information to the organization that might otherwise be secreted from the organization, and can allow the message originator to obtain desired help (e.g., counseling). By profiling of the message originator based on current and previous electronic messaging within the system as well as external organizational information (e.g., behavioral or financial information), the system can assess concerns yet act as a gateway to protect the message originator's true identity through escalating levels of concern unless a genuine concern about the health, well-being, and/or safety of the message originator, others, or the organization is indicated, in which case the system can reveal the true identity of the message originator as appropriate.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: December 12, 2017
    Assignee: West Corporation
    Inventors: Benjamin Paul Hencke, Kerry Patrick Quinn, Alf Martin Wolter Arnberg, Howard Allen Wood
  • Patent number: 9843578
    Abstract: A computer-implemented method comprising: receiving, from a primary factor authentication device by one or more computer systems, a request to enroll a mobile device as a secondary factor authentication device; and enrolling by the one or more computer systems the mobile device as a first, secondary factor authentication device.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: December 12, 2017
    Assignee: FMR LLC
    Inventors: Boris Kalinichenko, Joseph G. Ferra
  • Patent number: 9838399
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for reducing latency in network communications and data presentation. In one aspect, a user session is initiated in which data related to an account is presented to the user. A user group to which the given user has been assigned is identified. A first dataset related to the account is selected based on the user group. A second dataset related to the account is selected based on types of data previously requested by various other users in the user group. A user interface for the account is updated to present at least a portion of the first dataset. Latency in updating the user interface is reduced when presenting additional portions of the first dataset or the second dataset by providing, to the client device, the second dataset prior to receiving a request for the second dataset.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: December 5, 2017
    Assignee: Google Inc.
    Inventors: Nikhil Bakshi, Oliver Michael King, Dooyum Jeremiah Malu, Tommaso Francesco Bersano Begey
  • Patent number: 9838358
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: August 6, 2014
    Date of Patent: December 5, 2017
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 9825761
    Abstract: In one aspect, systems and methods to improve a cryptosystem include computer-implemented operations such as scanning a biometric attribute for comparison with stored biometric data, and generating a keystream based upon the stored biometric data if the scanned biometric attribute substantially matches the stored biometric data. The computer-implemented method may also include operations for encrypting object data, and encrypting final data based upon the keystream and the encrypted object data.
    Type: Grant
    Filed: April 6, 2010
    Date of Patent: November 21, 2017
    Assignee: King Saud University
    Inventors: Maqsood Mahmud, Muhammad Khurram Khan, Khaled Soliman Alghathbar
  • Patent number: 9825973
    Abstract: Websites are monitored for changes over time. A domain name server resolves a domain name to a single internet protocol address and then performs a reverse resolution for the single internet protocol address. When multiple alias records resolve to the same host name, the domain name server determines the single internet protocol address virtually hosts multiple domain names.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: November 21, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Daniel Sheleheda, Edward G. Amoroso, Cynthia Cama, Junlan Feng, Gregory Leibolt, Sanjay Macwan, William O'Hern, Valerie Torres, Yuhong Yu
  • Patent number: 9825967
    Abstract: Disclosed herein are example embodiments for behavioral fingerprinting via social networking interaction. For certain example embodiments, at least one indication of family relation for at least one authorized user may be obtained via at least one social networking interaction, and the at least one indication of family relation may be incorporated into at least one behavioral fingerprint that is associated with the at least one authorized user, the at least one behavioral fingerprint including one or more indicators of utilization of one or more user devices by the at least one authorized user.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: November 21, 2017
    Assignee: Elwha LLC
    Inventors: Marc E. Davis, Matthew G. Dyor, Daniel A. Gerrity, Xuedong Huang, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, Nathan P. Myhrvold, Clarence T. Tegreene
  • Patent number: 9811688
    Abstract: Systems and methods for providing a battery module 110 with secure identity information and authentication of the identity of the battery 110 by a host 120. In one embodiment, the system for providing a battery module with secure identity information includes: (1) a tamper resistant processing environment 200 located within the battery module 110 and (2) a key generator configured to generate a key based on an identity of the battery module 110 and cause the key to be stored within the tamper resistant processing environment 200.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: November 7, 2017
    Assignee: Texas Instruments Incorporated
    Inventors: Narendar M. Shankar, Erdal Paksoy, Todd Vanyo
  • Patent number: 9811666
    Abstract: A method and system is provided to automatically propagate dependencies from one part of a software application to another previously unrelated part. Propagation of essential code functionality and data to other parts of the program serves to augment common arithmetic functions with Mixed Boolean Arithmetic (MBA) formulae that are bound to pre-existing parts of the program. A software application is first analyzed on a compiler level to determine the program properties which hold in the program. Thereafter, conditions are constructed based on these properties and encoded in formulae that encode the condition in data and operations. Real dependencies throughout the application are therefore created such that if a dependency is broken the program will no longer function correctly.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: November 7, 2017
    Assignee: IRDETO B.V.
    Inventors: Clifford Liem, Yongxin Zhou, Yuan Xiang Gu
  • Patent number: 9805195
    Abstract: Systems and methods using Information-invariant Data Transformation (IIDT) in the transfer of files from an un-trusted to a trusted computer system are disclosed. The IIDT alters the data representation of information, without altering the meaning of the information to a degree that is perceptible to a human consumer of that information. The data transformation operations eliminate embedded malware thereby providing secure transfer of files between the un-trusted and trusted computer systems.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: October 31, 2017
    Assignee: The Boeing Company
    Inventors: James Joseph Bonang, Marco Anthony Corrado, Michael Cohen Hogan, Kevin Dale Singer
  • Patent number: 9806887
    Abstract: Data security is enhanced by computing an authentication tag based at least in part on encrypted data and additional authenticated data that includes at least a nonce. The computed authentication tag is compared against a provided authentication tag. The encrypted data is decrypted and made available for use.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: October 31, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Matthew John Campagna