Patents Examined by Dao Ho
  • Patent number: 9521146
    Abstract: In one embodiment, a user device 110 may access a network service 122 using a secure cookie 300. A high trust process may create an authentication proof 360 using a secure key. The high trust process may provide a browsing token 310 and the authentication proof 360 to a low trust process to send to an authentication service 124.
    Type: Grant
    Filed: August 21, 2013
    Date of Patent: December 13, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sanket Kaluskar, Dejan Subotic, Tarek Kamel, Adrian Frei, Guruprasad Aphale, Allan Wetter
  • Patent number: 9514303
    Abstract: A mechanism is provided for executing an action selected by a security management device identified from an available-action list provided by the computer device. A management program module in the computer device identifies a set of actions capable of being performed on the computer device based on a state of the computer device. The management program module stores the available-action list indicative of at least one action the management program module is allowed to execute on the computer device. The management program module sends the available-action list to the security management device for a security analysis to be performed such that an action is selected from the available-action list to be executed on the computer device. Responsive to receiving the selected action from the security management device, the management program module executes the selected action on the computer device.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Chiwen Chang, Henry H Y. Chuang, Jui H. Huang, Joey H Y. Tseng
  • Patent number: 9516064
    Abstract: One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners is then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: December 6, 2016
    Assignee: Intuit Inc.
    Inventors: M. Shannon Lietz, Luis Felipe Cabrera, Barry J. Nisly, Ted R. Neher, III, Javier Godinez, Ankur Jain
  • Patent number: 9509664
    Abstract: A device is configured to store a hash value and an encrypted hash value. The device may broadcast a boot label including the encrypted hash value. The device may receive an administrator label from an administrative device based on the boot label. The administrator label may include a decrypted hash value. The device may determine the decrypted hash value matches the hash value. The device may receive access information from the administrative device based on the decrypted hash value matching the hash value. The access information may associate authorization information and an access level. The access level may be associated with particular data that is permitted to be read from the device. The device may selectively provide the particular data to a control device based on the access information.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: November 29, 2016
    Assignee: Verizon Deutschland GmbH
    Inventor: Helmut Zuerner
  • Patent number: 9503468
    Abstract: Methods, apparatus and articles of manufacture for detecting suspicious web traffic are provided herein. A method includes generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time; processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time; and analyzing said filtered connections against the database to identify a connection to a destination external to the enterprise network that is not included in the information in the database.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: November 22, 2016
    Assignee: EMC IP Holding Company LLC
    Inventors: Ting-Fang Yen, Alina Oprea, Kaan Onarlioglu
  • Patent number: 9501643
    Abstract: Systems and methods to detect malicious executable files having a script language interpreter by combining a script emulator and a machine code emulator. A system includes an analyzer configured to convert a script into pseudocode and monitor an emulation process of the pseudocode, a script emulator configured to sequentially emulate the pseudocode and write emulation results to an emulator operation log, and a machine code emulator configured to emulate the pseudocode if a transition from pseudocode to machine code is detected by the analyzer, such that the analyzer can analyze the emulator operation log to determine if the executable file is malicious.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: November 22, 2016
    Assignee: AO KASPERSKY LAB
    Inventors: Vyacheslav V. Zakorzhevsky, Dmitry V. Vinogradov, Vladislav V. Pintiysky, Dmitry A. Kirsanov
  • Patent number: 9503864
    Abstract: In an approach for determining an unauthorized device, a computer receives detection information from a computing device, wherein the detection information includes a broadcast transmission from one or more devices. The computer creates a state trajectory map based on the received detection information, wherein the state trajectory map identifies connections between at least the computing device and a first device of the one or more devices and the computing device and a second device of the one or more devices. The computer determines one or more anomalies within the created state trajectory map. The computer determines an unauthorized device based on the determined one or more anomalies.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Zhang Chao, Qiang Guan, Li Li, Chun hua Tian, Fengjuan Wang, Zhi Jun Wang
  • Patent number: 9497022
    Abstract: Certain aspects of a method and system for improved fault tolerance in distributed customization controls using non-volatile memory are disclosed. Aspects of one method may include mapping an input control signal to a plurality of input logic circuits within a security processor. A plurality of independent processing paths may be defined between each of the plurality of input logic circuits and an output logic circuit. Each of the plurality of independent processing paths may comprise one or more logic circuits. The input control signal may be routed via at least a portion of the plurality of independent processing paths. The portion of the plurality of independent processing paths may be combined in the output logic circuit to generate the input control signal.
    Type: Grant
    Filed: November 9, 2006
    Date of Patent: November 15, 2016
    Assignee: Broadcom Corporation
    Inventors: Iue-Shuenn Chen, Xuemin Chen
  • Patent number: 9483645
    Abstract: A system, method, and computer program product are provided for identifying unwanted data based on an assembled execution profile of code. In use, an execution profile of code is assembled by tracking interface usage of the code. Further, it is determined whether the code is associated with unwanted activity, based on the execution profile.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: November 1, 2016
    Assignee: McAfee, Inc.
    Inventor: Gregory William Dalcher
  • Patent number: 9479504
    Abstract: A method for controlling access between home devices and servers in a home network system is provided. The method includes determining whether first access of the home devices to each of the servers and second access of the servers to each of the home devices is restricted, and controlling the first access and second access based on respective access rights established according to the determination.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: October 25, 2016
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Eun-Hui Bae, Yong Chang, Dong-Keon Kong, Se-Hoon Kim, Hyoung-Kyu Lim, Chi-Hong Cho
  • Patent number: 9473472
    Abstract: A security virtual machine is provided in a network including a resource shared among two or more virtual machines. All data traffic from each virtual machine to or from the shared resource is transmitted over an encrypted channel to the security virtual machine. Each connection between a virtual machine and the security virtual machine is maintained as a separate encrypted channel, preventing one virtual machine from accessing data sent to or from another virtual machine, even though the virtual machines are all sharing the same resource.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: October 18, 2016
    Assignee: Trend Micro Inc.
    Inventors: Minhang Zhu, Bin Shi
  • Patent number: 9465924
    Abstract: An apparatus for preventing replay attacks and a method for preventing replay attacks are provided in this invention, wherein the apparatus for preventing replay attacks comprises: an acquisition unit for, when a request for operating a digital content is received, acquiring current location information of a set of placeholder files; a determination unit for determining whether the current location information is consistent with recorded location information of the placeholder file; a protection unit for, when inconsistent as determined by the determination unit, wherein there is a correspondence between the digital content and the set of placeholder files.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: October 11, 2016
    Assignees: PEKING UNIVERSITY, PEKING UNIVERSITY FOUNDER GROUP CO., LTD., FOUNDER APABI TECHNOLOGY LIMITED
    Inventors: Cheng Qu, Yinyan Yu, Zhi Tang
  • Patent number: 9461984
    Abstract: A computer-implemented method for blocking flanking attacks on computing systems may include (1) detecting a denial-of-service attack targeting a computing network, (2) inferring, based at least in part on detecting the denial-of-service attack, a secondary attack targeting at least one computing resource within the computing network, (3) determining that the computing resource is subject to additional protection based on inferring the secondary attack targeting the computing resource, and (4) protecting the computing resource against the secondary attack by adding an authentication requirement for accessing the computing resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: October 4, 2016
    Assignee: Symantec Corporation
    Inventor: Deb Banerjee
  • Patent number: 9460285
    Abstract: The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: October 4, 2016
    Assignee: Confer Technologies, Inc.
    Inventor: Jeffrey Albin Kraemer
  • Patent number: 9454654
    Abstract: Multi-server one-time passcode verification is provided for respective high order and low order passcode portions. A user is authenticated by receiving an authentication passcode generated by a token associated with the user; and authenticating the user based on the received authentication passcode using at least a first authentication server and a second authentication server, wherein the first authentication server verifies a high-order portion of the received authentication passcode and wherein the second authentication server verifies a low-order portion of the received authentication passcode. The received authentication passcode is based on, for example, at least two protocodes P_{R,t} and P_{B,t} generated by the token and/or pseudorandom information R_{A,t}. A codebook C_t, based on the pseudorandom information R_{A,t}, can be used to embed additional auxiliary information into the authentication passcode.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: September 27, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, Ari Juels, Ronald L. Rivest, John Brainard
  • Patent number: 9444788
    Abstract: Methods and systems for Data Leak Prevention (DLP) in a private network are provided. A data structure is maintained within a network security appliance identifying candidate upper layer protocols, corresponding commands of interest and a corresponding suspect field within each of the commands that is to be subjected to DLP scanning as a result of its potential for carrying sensitive information. A packet is received by the network security appliance. A protocol associated with the packet is identified. It is determined whether the identified protocol is among those of the candidate protocols. Responsive to an affirmative determination and when a command represented by the packet is among those of the corresponding commands of interest for the candidate protocol, then a DLP scan is performed on the packet. Otherwise, the packet is allowed to pass through the network security appliance without being subject to a DLP scan.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: September 13, 2016
    Assignee: Fortinet, Inc.
    Inventor: Eric C. Hastings
  • Patent number: 9443102
    Abstract: A system for protecting content includes a mobile device screen including a plurality of pixels, whereby each of the plurality of pixels have first sub-pixel units that include a first viewing angle and second sub-pixel units that include a second viewing angle. Within each of the plurality of pixels, the first sub-pixel units are adjacent to the second sub-pixel units. A processing unit is coupled to the mobile device screen and determines a portion of the mobile device screen that displays sensitive content. The processing unit obscures the sensitive content displayed on the portion of the mobile device screen by deactivating the first sub-pixel units at the portion of the mobile device screen that displays the sensitive content and activates the second sub-pixel units at the portion of the mobile device screen that displays the sensitive content.
    Type: Grant
    Filed: January 19, 2015
    Date of Patent: September 13, 2016
    Assignee: International Business Machines Corporation
    Inventors: Guy M. Cohen, Lior Horesh, Raya Horesh, Marco Pistoia
  • Patent number: 9438612
    Abstract: Methods and systems for determining consecutive matches are provided. According to one embodiment, a class definition and a data stream are received by a network security device. The data stream is partitioned into multiple data blocks each containing N data segments. Each data block is processed in parallel to compute: (i) a value (F) indicating whether every data segment value meets the class definition; (ii) a value (L) indicating a number of consecutive data segment values meeting the class definition starting from the left; (iii) a value (M) indicating a maximum number of consecutive data segment values meeting the class definition; and (iv) a value (R) indicating a number of consecutive data segment values meeting the class definition starting from the right. Corresponding values for each data block are then aggregated to determine a maximum number of consecutive data segment values meeting the class definition for the entire data stream.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: September 6, 2016
    Assignee: Fortinet, Inc.
    Inventor: Juneng Zheng
  • Patent number: 9432360
    Abstract: Techniques are provided for security-aware split-server passcode verification for one-time authentication tokens. An exemplary method comprises receiving an authentication passcode generated by a token; and processing the received authentication passcode using at least a first authentication server and a second authentication server. The received authentication passcode is based on a protocode and/or embedded auxiliary information. The embedded auxiliary information comprising a silent alarm and/or a drifting key is extracted from the received authentication passcode. In another exemplary method, the received authentication passcode is processed using a single processing device to extract the embedded auxiliary information comprising one or more of a silent alarm and a drifting key.
    Type: Grant
    Filed: February 22, 2014
    Date of Patent: August 30, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, John Brainard
  • Patent number: 9432394
    Abstract: A method for progressive convergence on network protocol stack vulnerabilities includes defining an initial protocol field and field value space for fuzz testing of a network communications protocol stack implementation. The method further includes dividing the initial space into regions corresponding to combinations of protocol fields and field values. The method further includes assigning vulnerability ratings to at least some of the regions. The method further includes executing fuzz testing of the network communications protocol stack implementation using the protocol fields and field values corresponding to the regions. The method further includes updating the vulnerability ratings of the regions based on results of the testing. The method further includes identifying, based on the updated vulnerability ratings, at least one region with a higher vulnerability rating than other regions. The method further includes performing fuzz testing for the sub-regions.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: August 30, 2016
    Assignee: Ixia
    Inventors: Abhijit Lahiri, Kingshuk Mandal