Abstract: Methods and apparatus to provide isolated execution environments are disclosed. In some examples, the methods and apparatus identify a request from a host application. In some examples, the methods and apparatus, in response to identifying the request from the host application, load a microcode application into memory when excess micro operations exist in a host instruction set architecture, the microcode application being a fragment of code. In some examples, the methods and apparatus execute the microcode application. In some examples, the methods and apparatus, in response to completed execution of the microcode application, unload the microcode application from memory.

Abstract: According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically determine whether one or more objects included in received network traffic contains a heap spray attack. Upon detection of a potential heap spray attack, the dynamic analysis engine may copy potential shellcode within an object included in the received network traffic, insert the copy of the potential shellcode into a second region of allocated memory and analyze the execution of the potential shellcode to determine whether characteristics associated with an exploit are present.

Abstract: A trusted computing device (TCD) includes an isolated environment, host interface, secure interface, and program instructions. The environment includes an isolated environment processor (IEP), memory (secure and non-secure partition), and an auxiliary processor (AP). Memory and AP are connected for data communication with the IEP, and communicate with a host only through the IEP. The host interface and each secure interface are connected for data communication with the IEP.

Abstract: Aspects of an abuse detection system for a web service include an abuse detection engine executing on a server. The abuse detection engine includes a pre-processing module for aggregating a data set for processing and analysis; a suspiciousness test module for identifying suspicious content owners and suspicious users; a graphing module for finding connections between suspicious content owners and suspicious users; an analysis module for determining which groups are constituted of fraudulent or abusive accounts; and a notification generation and output module for generating a list of abusive entities and a notification for output to at least one of: the abusive entity, a digital content distribution company associated with the abusive entity, and a legal department or other entity for further investigation or action. Additionally, royalties for content consumptions associated with abusive accounts may be held.

Abstract: A method including determining, by a processing device, whether a computer system is able to access an authentication server, in response to determining that the computer system is able to access the authentication server, requesting a first set of credentials, authenticating the first set of credentials, assigning a user a first role for performing operations on the computer system in view of the first set of credentials, and in response to determining that the computer system is unable to access the authentication server, requesting a second set of credentials different from the first set of credentials, authenticating one or more credentials provided by the user, and assigning the user a second role for performing operations on the computer system in view of the one or more credentials, wherein the first role specifies a first type of access to at least one object on the computer system, and the second role specifies a second type of access to the at least one object, wherein the first type of access is di

Abstract: Embodiments of the present technology relate to a method for applying a security policy to an application session, comprising: determining, by a security gateway, a first user identity and a second user identity from a data packet for an application session; obtaining, by the security gateway, a security policy for the application session; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: The present disclosure includes: searching a code clone corresponding to a used source code from any analysis target source code; detecting a security sink and sensitive data of the security sink on the basis of patch information in the searched code clone; acquiring a source code which is from the user input point the a security sink by backwardly tracing the sensitive data detected in the analysis target source code; and verifying whether the searched code clone is a vulnerability in the analysis target source code by performing a concolic testing on the basis of a path from the input point to the security sink.

Abstract: A digitally signed authentication assertion is generated in response to successful authentication of a current user of a user device by using a signing key that is uniquely assigned to the authenticator process to digitally sign a document indicating that the current user of the user device was successfully authenticated on the user device. The signing key uniquely assigned to the authenticator process is stored in a key container associated with the user device, and the key container is located on a key container server that is physically separate from the user device. The digitally signed authentication assertion is conveyed from the authenticator process to an authentication service, in order to securely indicate to the authentication service that the current user of the user device has been verified as an authentic user by the authenticator process.

Abstract: According to one embodiment, an apparatus is configured to communicate a first plurality of phishing emails to a first plurality of users, each phishing email of the first plurality of phishing emails is of a first type or a second type. The apparatus is configured to determine a first response rate of the first plurality of users to phishing emails of the first type and to determine a second response rate of the first plurality of users to phishing emails of the second type. The apparatus is configured to determine a second plurality of phishing emails comprising phishing emails of the first type and the second type, wherein an aggregate response rate of a second plurality of users to the second plurality of phishing emails is predicted to be closer to a target response rate than one or more of the first response rate and the second response rate.

Abstract: An enhanced services network provides enhanced privacy and/or security over public networks to client subscribers of the service. Client devices access the enhanced services network over a public communications network (e.g., the Internet, cellular network, etc.) via a client-side edge server of the enhanced services network. The enhanced services network interfaces with client-requested network resources hosted by third-party server devices via a resource-side edge server. The particular client-side edge server and/or resource-side edge server that is utilized for a particular client session may be selected by the enhanced services network according to a rule set. The rule set may seek to achieve one or more target goals, such as: (1) limit discoverability of the enhanced services network, (2) minimize or reduce geographic/network distance between an edge server and a target computing device, and/or (3) establish connections that are more secure than the connections originally requested by the client.

Abstract: Systems and methods for transmitting AT commands indicating whether Evolved Packet System (EPS) Session Management (ESM) information should be transmitted securely are disclosed herein. A Terminal Equipment (TE) may transmit an AT command to a Mobile Termination (MT). The AT command may indicate whether protocol configuration options (PCO) should be ciphered and/or whether an access point name (APN) is provided. In some embodiments, the AT command may be a dedicated command and may only include a <securePCO> parameter and an <APNprovided> parameter. Alternatively, or in addition, the AT command may include a <securePCO> parameter, an <APN> parameter, and/or additional parameters serving additional functions. Whether the APN is provided may be determined based on whether the <APN> parameter is present and includes a non-null value. The AT command may be related to a single packet data network (PDN) connection or may relate to a plurality of PDN connections.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: Data may be encrypted using a public key. From a plurality of functions executable on the data, one or more functions may be selected. The selected one or more functions may be associated with the encrypted data. The selected one or more functions may provide exclusive access to the data. A data structure specifying conditions for access to the one or more functions may be created. An exclusive interface to provide access to the one or more functions may be created. The interface, upon determining that one or more conditions from the conditions are satisfied, may grant access to the one or more functions. The encrypted data, the associated one or more functions, the data structure, and the interface may be included into an object.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: Various exemplary embodiments relate to a method performed by a DIAMETER network node, the method including: receiving a first DIAMETER message; determining that the first DIAMETER message is not trusted; and rejecting the first DIAMETER message.

Abstract: Disclosed are a one time password generation device and an authentication method. The one time password generation device includes: a reference information generator that generates reference information; a virtual input means generator that generates a virtual input means in which a blank is provided; and a password generator that generates a one time password using an initial value, reference information and a blank.

Abstract: The present disclosure provides a network architecture and verification platform for analyzing the various modules of a Unified Extensible Firmware Interface (UEFI) firmware image. In one embodiment, the disclosed network architecture and verification platform obtains various UEFI firmware images, such as UEFI firmware image residing on a client device or a UEFI firmware image hosted by a hardware manufacturer. The network architecture and verification platform may then segregate the various UEFI firmware modules that make up the UEFI firmware image, and subject the modules to different types of analysis. By analyzing the UEFI firmware modules individually, the network architecture and verification platform builds a repository of Globally Unique Identifiers (GUIDs) referenced by a given UEFI firmware module, which may then be referenced in future analyses to determine whether any changes, and the extent of such changes, have been made to an updated version of the given UEFI firmware module.

Abstract: A cloud infrastructure is enhanced to provide a context-based security assurance service to enable secure application deployment. The service inspects network and cloud topologies to identify potential security capabilities and needs. Preferably, these options are then surfaced to the user with easy-to-understand, pre-configured templates representing security assurance levels. When a template (e.g., representing a pre-configured assurance level) is selected by the user, the system then applies specific capabilities and controls to translate the user-selected generalized specification (e.g., “high security”) into granular requirements for a specific set of security resources. Preferably, the identification of these security resources is based on system configuration, administration, and information associated with the pre-configured template.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for receiving an encrypted version of an obfuscated stack trace representing an error generated by error handling code of obfuscated code executed by a user device, the obfuscated stack trace having obfuscated code element names corresponding to deobfuscated code element names in a deobfuscated version of the code; decrypting the encrypted stack trace to generate an obfuscated stack trace; receiving an encrypted obfuscation log that maps obfuscated code element names of the obfuscated code executed by the user device to deobfuscated code element names in the deobfuscated version of the code; decrypting the encrypted obfuscation log to generate a decrypted obfuscation log; and generating a deobfuscated stack trace using the decrypted obfuscation log, the deobfuscated stack trace having deobfuscated code element names.