Patents Examined by Luu Pham
  • Patent number: 9641549
    Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is made. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: May 2, 2017
    Assignee: CLOUDFLARE, INC.
    Inventors: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
  • Patent number: 9628509
    Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
    Type: Grant
    Filed: December 17, 2013
    Date of Patent: April 18, 2017
    Assignee: CLOUDFLARE, INC.
    Inventors: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
  • Patent number: 9628274
    Abstract: A method of using a hardware security module and an adjunct application programming interface to harden tokenization security and encryption key rotation is disclosed. In various embodiments, the method comprises receiving encrypted data at a processor of a computer system, decrypting the encrypted data to cleartext in the processor, and issuing a unique token associated with the data.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: April 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jason Jenks, Tushaar Sethi, Brandon B. Low, Jason Cetina, Jesper Mikael Johansson, Waylon Brunette, Hanson Char, Spencer Proffit
  • Patent number: 9613225
    Abstract: An electronic device capable of securing data is provided. The electronic device includes a storage device for storing data and a number of securing strategies. Each of the securing strategies includes a securing condition for triggering a data securing action and one or more identifiers of the data to be secured. If the electronic device determines that a securing condition is met, the electronic device secures the data having the one or more identifiers corresponding to the met securing condition. A data securing system and method are also provided.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: April 4, 2017
    Assignee: Chiun Mai Communications Systems, Inc.
    Inventor: Cheng-Hsien Chen
  • Patent number: 9614817
    Abstract: An apparatus includes a memory; and a processor coupled to the memory and configured to generate a first common key whose key value varies based on a first elapsed time when a notification of the first elapsed time after a start-up of another apparatus to which a data frame to be encrypted is to be transmitted has been made, generate a second common key whose key value varies based on a second elapsed time after a start-up of the apparatus when a notification of the first elapsed time has not been made, and encrypt the data frame by any one of the first common key and the second common key as a common key and transmit the encrypted data frame to the another apparatus.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: April 4, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Nobuyasu Tabata, Koki Mie, Katsuhiko Yamatsu, Tatsuya Soneda, Taiji Kondo
  • Patent number: 9609588
    Abstract: According to one embodiment, an information processing apparatus comprises a wireless communication device, a display, a logon process module, and a display control module. The logon process module is configured to cause the display to display a logon screen, in a logon process of identifying a user account which uses an operating system. The display control module is configured to cause the display to display, together with the logon screen, a state of an access point detected by the wireless communication device.
    Type: Grant
    Filed: April 17, 2013
    Date of Patent: March 28, 2017
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Kenichi Tonouchi, Yoshinori Honda, Takeshi Tajima, Susumu Kasuga
  • Patent number: 9602538
    Abstract: A plug-in software module of a DNS server helps to enforce a network security policy. The plug-in module scans communication packets at a DNS server computer and intercepts a request from a user computer to access a web site. The intercepted request is not received by the DNS service. The plug-in module initiates a security check of the user computer over a network connection to determine if the user computer has implemented the security policy of the computer network. If the user computer does not implement the security policy then the plug-in module returns an IP address to the user computer that is the IP address of a security web site. The security web site then displays on the user's browser an indication of a security policy to be applied. The security web site may also perform the security check.
    Type: Grant
    Filed: March 21, 2006
    Date of Patent: March 21, 2017
    Assignee: TREND MICRO INCORPORATED
    Inventor: Tsun-Sheng Chou
  • Patent number: 9596089
    Abstract: The invention relates to a method for generating a certificate for signing electronic documents by means of an ID token (106), having the following steps: sending (201) a transaction request for a user to carry out a transaction; as a result of the sending of the transaction request, a check is carried out as to whether the certificate (519) is available and if this is not the case, carrying out the following steps: generating (206) an asymmetrical key pair consisting of a private key and a public key using an ID token, said ID token (106) being assigned to the user; storing (207) the generated asymmetrical key pair on the ID token, wherein at least the private key is stored in a protected memory region of the ID token; transmitting (208; 509) the generated public key (518) to a first computer system, and generating (209) the certificate (519) by means of the first computer system for the public key.
    Type: Grant
    Filed: June 10, 2011
    Date of Patent: March 14, 2017
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Enrico Entschew, Klaus-Dieter Wirth
  • Patent number: 9589114
    Abstract: This document describes policies for digital rights management that enable distribution of full-function versions of applications that, while fully functional, have functions limited by an associated policy. A policy may be replaced or updated, thereby enabling use of previously limited functions without distribution of another version of the application.
    Type: Grant
    Filed: January 5, 2010
    Date of Patent: March 7, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Clifford P. Strom, Stephen P. DiAcetis, Mark E. Paley
  • Patent number: 9582674
    Abstract: Systems and methods are provided to manage risk associated with access to information within a given organization. The overall risk tolerance for the organization is determined and allocated among a plurality of subjects within the organization. Allocation is accomplished using either a centralized, request/response or free market mechanism. As requests from subjects within the organization for access to objects, i.e. information and data, are received, the amount of risk or risk level associated with each request is quantified. Risk quantification can be accomplished using, for example, fuzzy multi-level security. The quantified risk associated with the access request in combination with the identity of the object and the identity of the subject are used to determine whether or not the request should be granted, denied or granted with appropriate mitigation measures.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: February 28, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pau-Chen Cheng, Pankaj Rohatgi, Claudia Keser, Josyula R. Rao
  • Patent number: 9582661
    Abstract: Embodiments relate to an isolated program execution environment. An aspect includes receiving, by the isolated program execution environment on a computer comprising a processor and a memory, a request to run a program. Another aspect includes wrapping program code corresponding to the program as a function. Another aspect includes cloning a real global object of the isolated program execution environment to create a fake global object. Another aspect includes passing the fake global object to the function. Another aspect includes executing the function, such that the function executes the program.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: February 28, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Ffrench, Libra C. Huang, Timothy J. Smith, Chih-Wen Su, Yi-Hong Wang
  • Patent number: 9584541
    Abstract: The cyber threat identification and analytics (“CTIA”) apparatuses, methods and systems, for example, identify a list of relevant malware indicators of compromise (IOCs) during a cyber security incident. The CTIA system automatically groups relevant malware IOCs from all known samples of a particular threat, given either a threat or a specific IOC without knowing the threat. In this way, an incident responder can use the group of relevant malware IOCs to have the highest probability of locating infections of variations of malware of the particular threat.
    Type: Grant
    Filed: February 12, 2015
    Date of Patent: February 28, 2017
    Assignee: Lookingglass Cyber Solutions, Inc.
    Inventors: Steven Weinstein, Allan Thomson
  • Patent number: 9582686
    Abstract: Methods, circuits, and apparatus are provided that give an FPGA user, ASIC designer, or the like the ability to program a unique ID per each circuit into a memory, such as a non-volatile one-time programmable memory bank on an FPGA. This unique ID is secure such that no one else can replicate it on another part, thus keeping it unique to the user for which it was intended. An encryption engine receives plaintext and produces the unique ID that is stored in memory that is designed to only be writeable through the encryption engine. Thus, the FPGA/ASIC designer can track who is the customer they sold this part to or who the last authorized user is.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: February 28, 2017
    Assignee: Altera Corporation
    Inventors: Martin Langhammer, Juju Joyce
  • Patent number: 9584318
    Abstract: Provided are methods and systems for mitigating a DoS attack. A method for mitigating a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with determining whether the client is on a whitelist. Based on a determination that the client is absent from the whitelist, a pre-generated key may be sent to the client. The method may include determining validity of the established secure session. The determination may be performed based on further actions associated with the client. Based on the determination that the secure session is valid, a renegotiation of the secure session may be forced. The method may further include generating a new key using a method for securely exchanging cryptographic keys over a public channel. The new key is then sent to the client.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: February 28, 2017
    Assignee: A10 Networks, Inc.
    Inventors: Yang Yang, Ali Golshan
  • Patent number: 9575903
    Abstract: Embodiments of memory devices, computer systems, security apparatus, data handling systems, and the like, and associated methods facilitate security in a system incorporating the concept of a security perimeter which combines cryptographic and physical security. The memory device can comprise a memory operable to store information communicated with a processor, and a logic operable to create at least one cryptographic security perimeter enclosing at least one selected region of the memory and operable to manage information communication between the processor and the at least one selected region of the memory.
    Type: Grant
    Filed: August 4, 2011
    Date of Patent: February 21, 2017
    Assignee: Elwha LLC
    Inventors: Daniel A. Gerrity, Clarence T. Tegreene
  • Patent number: 9578025
    Abstract: Verification of a user login to a secure account from a mobile device occurs when the user provides login credentials and a hardware identifier (ID) corresponding to the mobile device. The provided login credentials and hardware ID are then verified against a registry. Further, the mobile device determines and provides a geographic location of the mobile device using a global positioning system (GPS) component installed therein. The location provided by the mobile device is then matched with a location of a network element with which the mobile device is currently communicating.
    Type: Grant
    Filed: October 14, 2014
    Date of Patent: February 21, 2017
    Inventors: David Aaron Pinski, Partha Chowdhury
  • Patent number: 9569907
    Abstract: Methods and systems for verifying authenticity of a physical object and/or for verifying possession of the object by an individual are described. In one embodiment, the object is registered with a remote processing system. Data representing at least one characteristic of the object is obtained and stored in the remote system and the identity of the individual or entity possessing the object is authenticated. After authenticating the individual, an identifier is collocated (or an existing mechanism is activated or modified to replicate the identifier) with the object, where the identifier uniquely identifies the object and the individual possessing the object. The object and the identity of the individual possessing the object can be authenticated at a future time by sensing the collocated identifier and sending the sensed identifier to the remote system. The remote system can send instructions to an entity wishing to authenticate the object and its association with the individual possessing the object.
    Type: Grant
    Filed: January 16, 2007
    Date of Patent: February 14, 2017
    Assignee: 1997 Irrevocable Trust for Gregory P. Benson
    Inventor: Greg Benson
  • Patent number: 9571273
    Abstract: A method and system for accelerated decryption of a cryptographically protected user data unit, wherein a transmitter initially generates a cryptographic key that is provided with a related key identification. The transmitter then performs asymmetrical encryption of the generated cryptographic key using a public cryptographic key and encryption of at least one user data unit using the generated cryptographic key. The encrypted user data unit, the asymmetrically encrypted cryptographic key and the related key identification of the cryptographic key are transported to a receiver that decrypts the received asymmetrically encrypted key using a private key, if verification of the received related key identification of the cryptographic key indicates the cryptographic key is not present in a decrypted state in the receiver. The receiver then decrypts the received cryptographically encrypted user data unit using the cryptographic key in the receiver or with the cryptographic key decrypted using the private key.
    Type: Grant
    Filed: October 12, 2010
    Date of Patent: February 14, 2017
    Assignee: Siemens Aktiengesellschaft
    Inventors: Michael Braun, Markus Dichtl, Bernd Meyer
  • Patent number: 9569644
    Abstract: Aspects of the present disclosure are directed towards a method of electronic verification of motion data. This includes collecting a first set of motion data that corresponds to a first set of motion characteristics generated from physically moving a hardware element of a computer ending upon inserting the hardware element of the computer into a computer chassis. This can further include determining an approved set of motion data and comparing the first set of motion data to the approved set of motion data. This can further include determining a difference between the first set of motion data and the approved set of motion data. This can further include determining that the difference does not satisfy a threshold. This can further include executing a reaction sequence in the computer, in response to determining that the difference does not satisfy the threshold.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: February 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Mark O. Maxson
  • Patent number: 9572125
    Abstract: The disclosed computer-implemented method for locating unrecognized computing devices may include (1) identifying a plurality of cooperating computing devices on a wireless network that are each configured with a device location application, (2) determining a physical location for each cooperating computing device within the plurality of cooperating computing devices, (3) receiving, from the device location application on the plurality of cooperating computing devices, data about packets intercepted by the plurality of cooperating computing devices that are directed to the wireless network by an unrecognized computing device, and (4) locating the unrecognized computing device based on information received from the plurality of cooperating computing devices that identifies both the physical location for each cooperating computing device and signal strengths of the packets intercepted by the plurality of cooperating computing devices.
    Type: Grant
    Filed: September 3, 2014
    Date of Patent: February 14, 2017
    Assignee: Symantec Corporation
    Inventors: Qiyan Wang, Anand Kashyap