Abstract: A method for measuring robustness of web services includes selecting a web-service method for testing. The request pattern with the slowest response by the web-service method from a series of request patterns is selected as a request pattern for testing. The series of request patterns includes irregular requests, each having a payload aimed at destabilizing the web service. A test is applied to the web-service method, using the selected request pattern applied at an increasing frequency to the web-service method. The response time of the request pattern is monitored by the web-service method. The frequency of the applied request pattern when a threshold maximum time for response of the web-service method to the request pattern is reached, or when the method fails, is determined by a computer processor. A metric is determined for the web-service method based on the frequency of the applied request pattern required to reach the threshold.

Abstract: Various embodiments relating to exchanging a cryptographic key between a display device and an input device via electrostatic communication are disclosed. In one embodiment, an interactive communication device includes one or more electrodes and a radio transceiver. The one or more electrodes may be excited to capacitively couple with one or more electrodes of a proximate communication device so as to capacitively send a cryptographic key from the interactive communication device to the proximate communication device. The radio transceiver may be configured to communicate with a radio transceiver of the proximate communication device via a radio channel. The interactive communication device may be configured to subsequently exchange encrypted communications with the proximate communication device over the radio channel. The encrypted communications may be encrypted using the cryptographic key.

Abstract: A method for establishing an encrypted communication channel is described. Query IDs are generated at a first device. Each query ID identifies a keyword in a set of keywords. Query IDs are received, at a second device. A second set of keywords is determined by the second device based on the query IDs. Match IDs are determined based on the second set. Each match ID identifies a keyword in the second set. An encryption key is generated based on the second set. A response is sent which includes the match IDs and an encrypted message. At the first device, the second set is determined based on the match IDs. The second set includes keywords of the first set of keywords identified by the match IDs. The encryption key is generated at the first device and the encrypted message is decrypted. Apparatus and computer readable media are also described.

Abstract: An attestation system for asserting and verifying assertions of a known-good state of a computer system is provided. The attestation system allows a challenger and a prover to conduct an attestation so that the challenger can verify an assertion of the prover. To conduct the attestation, the prover sends, as an assertion of its state, a combined measurement of resources along with a constituent measurement of each resource to the challenger. The challenger verifies the assertion by verifying that the asserted constituent measurements represent known-good measurements and verifying that the asserted combined measurement can be generated from the asserted constituent measurements. To verify the asserted constituent measurements, the challenger determines whether each asserted constituent measurement for a resource is a known-good measurement for that resource.

Abstract: Techniques for enhancing electronic privacy utilize noise to prevent third parties from determining certain information based on search queries. Users submit search queries as part of their normal activities. For a user, the search queries submitted and information regarding search results used to generate additional search queries on different, but related topics. The generated additional search queries are submitted automatically on behalf of the user at a sufficient frequency to prevent high accuracy data analysis on search queries.

Abstract: Techniques for assigning roles to users within a computing system are described herein. A matrix representation of a probabilistic assignment of roles to users is created based at least in part on existing permissions. The matrix representation is then iteratively perturbed and the resulting perturbation is evaluated using an objective function, with perturbation decisions based at least in part on making the objective function converge to a threshold value. When the solution converges, the resulting assignment matrix may be used to assign roles to users.

Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol.

Abstract: A management server is provided that manages a plurality of image forming apparatuses including an image forming apparatus compliant with a setting management function that enables an operation of security information, and an image forming apparatus non-compliant with the setting management function. The management server receives security information from the image forming apparatus, and determines whether the security information includes a change. When the image forming apparatus that is a transmission source of the security information including the change is non-compliant with the setting management function, the management server outputs a notice indicating that the security information including the change as a notice, whereas when the image forming apparatus is compliant with the setting management function, the management server outputs a notice indicating that the security information including the change as a warning.

Abstract: An inner-product predicate encryption scheme with improved flexibility without a restriction that the dimensions of an attribute vector x? and a predicate vector v? should be equivalent. A ciphertext having an element c0 and an element ct for each index t included in a set Ix? is decrypted with a decryption key having an element k0 and an element kt for each index t included in a set Iv? by computing a product of pairing operations between corresponding pairs of basis vectors on the element c0 and the element k0 and on the element ct and the element kt.

Abstract: Techniques for device quarantine in a wireless network are described. According to various implementations, a device (e.g., a mobile client device) that requests a connection to a wireless network is placed in a quarantine state in the wireless network. Attributes of the device are determined and connection parameters are specified based on the attributes. In at least some embodiments, the device can be released from the quarantine state subject to the connection parameters.

Abstract: A method of establishing privileged communication sessions to target services unifies multiple sub-sessions into a single super-session. The user client requests access to target services. The request includes authentication credentials. Using the authentication credentials, privileged credentials are retrieved for target services requiring privileged access. Interactive sub-sessions are established between an intermediate element and respective target services. Required credentials are provided by the intermediate element to the target services. The interactive sub-sessions are unified into a single super-session on the intermediate element, and the super-session is established with the user client. The super-session provides the user client with interactive control of each of the interactive sub-sessions. Data communication between the user client and the target services is conducted via the intermediate element.

Abstract: An apparatus for enabling removal or disabling of weak algorithms may include a processor and memory storing executable computer program code that cause the apparatus to at least perform operations including receiving an indication of one or more algorithms utilized by a communication device. The computer program code may further cause the apparatus to determine whether one or more of the algorithms are identified as a weak algorithm. The computer program code may further cause the apparatus to enable provision of a message to the communication device instructing the communication device to remove, disable, or assign at least one condition to at least one detected weak algorithm among the algorithms. Corresponding methods and computer program products are also provided.

Abstract: Systems, device and techniques are disclosed for implementing a security configuration change based on one or more base events and a current security configuration. An inference module may identify a security configuration change based on receiving base events from a state storage/event listener and analyzing the base events to determine if a current security configuration is optimal given the base events.

Abstract: An aircraft-based mobile device connectivity system generally includes a housing, an avionic systems interface integrated into the housing, a wireless interface integrated into the housing, and a data security module. The avionic system interface is configured to be communicatively coupled to an avionics system external to the housing. The wireless interface is configured to provide wireless communication with one or more mobile devices. The data security module is configured to receive commands from the mobile devices, securely process the commands, receive avionics data from the avionics system via the avionic systems interface and the avionics module, and securely transmit the avionics data to the mobile devices.

Abstract: A method and apparatus is disclosed herein for constructing security policies for content instrumentation against attacks. In one embodiment, the method comprises constructing one or more security policies for web content using at least one rewriting template, at least one edit automata policy, or at least one policy template; and rewriting a script program in a document to cause behavior resulting from execution of the script to conform to the one or more policies.

Abstract: Embodiments of the present invention disclose a method, a device, and a system for registering a terminal application. In the embodiments of the present invention, a download address information recommending request that is sent by a first terminal and carries a terminal identifier of a second terminal is received; and recommended download address information is returned to the first terminal, where the recommended download address information includes a terminal application download address and authentication information used for performing registration, so that the first terminal sends, to the second terminal, a recommending message carrying the recommended download address information, so as to make the second terminal register according to the terminal application download address and the authentication information used for performing registration. In this solution, less time is consumed and a registration success rate is high, which helps to improve an application activating rate for a user.

Abstract: A future proof method and system for securely transferring digital data from a data owner to a data assignee through a third party involving securely registering the data owner possessing the digital data with the third party and securely predefining to the third party a trigger event associated with a data assignee, registering the data assignee with the third party, receiving encrypted digital data and an encrypted trigger event associated with the data assignee transmitted from the data owner to the third party, and securely transferring and releasing the digital data to the at least one data assignee by the third party upon validation by the third party of the occurrence of the trigger event in such a manner that digital data can be used by data assignee on data assignee system.

Abstract: The present invention is directed to solve a problem that time is required for a process related to verification of a public key certificate of a message sender. An in-vehicle device mounted on a vehicle has a memory for holding information of a device which failed in verification of a public key certificate. At the time of performing communication between vehicles or between a vehicle and a roadside device, a check is made to see whether or not information of a device included in a message transmitted matches information of a device which failed and held in the memory. When the information matches, verification of a public key certificate is not performed.

Abstract: Techniques for managing network-connected objects are provided. In some examples, code for accessing a network-connected object may be received. The code may be configured to enable generation of an application programming interface method. In some aspects, account information associated with a user may be stored. A particular method call corresponding to the application programming interface method may be received from a computer device of the user. The particular method call may include a request to access the network-connected object. In some examples, the request to access the network-connected object may be authenticated based at least in part on the account information. Additionally, in some examples, an instruction to the network-connected object may be provided over a network if the request is authenticated.

Abstract: A WiFi roaming management method and device which redirect an HTTP request of a mobile terminal from an AP to an AC even though the AC and the AP do not exist in the same subnet, which redirects a source IP address for an HTTP request, after transferring, to an IP address of the AC, and which smoothly support a wireless Internet service in a distributed processing system according to a web authentication of the AC in a WiFi roaming method is provided. A terminal session management function and a traffic control function are separated by a premium AC (Access Controller) and a premium AP (Access Point) interworked with a tunneling method according to a CAPWAP protocol.