Abstract: A method, apparatus, and computer-readable medium for searching polymorphically encrypted data includes storing one or more pseudonymous tokens in a data store, the one or more pseudonymous tokens being generated by encrypting a ciphertext using a first algorithm and an encryption key, the first algorithm comprising a polymorphic algorithm configured to generate a distinct pseudonymous token for each application of the polymorphic algorithm to the same plaintext, and identifying data in the data store that corresponds to the ciphertext by querying the data store using a search token generated by encrypting the plaintext using a second algorithm and the encryption key, the search token being distinct from the one or more pseudonymous tokens.

Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services.

Abstract: The disclosed technology teaches reducing threat detection processing by applying similarity measures. The method includes recognizing that a file is an edited version of a previously processed file and retrieving, from an archive, at least an entropy measure of the previously processed file, and calculating an entropy measure for the edited version of the file. The method applies a similarity measure to compare the entropy measures for the edited version and the previously processed file, avoiding full threat scanning of the file to detect malware except when the similarity measure reaches a scanning trigger. When any similarity measure or combination of similarity measures reaches a trigger, the technology teaches processing the file by using a threat detection module to detect malware. Further included is logging the edited version of the file for further processing when the similarity measure reaches a logging trigger.

Abstract: Web-filtering operations may be implemented on the user device, rather than on a centralized proxy server, to improve reliability, performance, and/or security of the web-filtering operations. Some or all of the necessary functions related to web-filtering may be performed on the end user device to remove the complexity and security issues inherent with the current methodology. One technique for allowing operation of proxy servers on user devices is to install smart agents on the user device. The smart agents, under control of a management server, may configure the proxy server, issue trust certificates to applications on the device, and/or provide proxy access configuration (PAC) files to applications on the device.

Abstract: A new method for trusted data decryption is disclosed. A data user provides a public key Pk of an encryption key generation algorithm G. A data provider calculates an encryption key K based on an application A, a device C, and a token T by using G, encrypts a data set D by using K, encrypts G by using Pk to obtain Ge, and transmits ED and Ge to the data user. The data user can obtain a private key generation algorithm G? by using a locally stored private key Ps, and measures, in a trusted execution environment, the application A and the device C that request data to obtain MA? and CID?, calculates an encryption key K? based on MA?, CID? and a user-input token T by using G?, and decrypts ED by using K?. If K?=K, the decryption succeeds, and data D is obtained; otherwise, the decryption fails.

Abstract: A technique is provided that enables native authentication to cloud services by employing identity management of on-premise applications from the cloud. More specifically, a Web-service interface built on an innovative orchestration of platform-independent container technology is created. An identity management application is made available inside a container and which therefore can execute in any cloud-service provider. Specifically, this application can communicate back into a business' on-premise applications, using the Representation State Transfer (REST) application programming interface architecture. The container is published to the cloud for users to download. Thus, for example, by way of this technique, a user can log onto any cloud application with using the same logon information the user uses on-premise.

Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.

Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.

Abstract: The techniques herein are directed generally to providing access control and persona validation for interactions. In one embodiment, a method for a first device comprises: interacting with a second device on a communication channel; determining, over a verification channel with a verification service, that an identity of a user communicating on the second device is a verified identity according to the verification service; determining a persona of the user; querying a third-party entity to make a determination whether the persona is validated and to correspondingly determine a current privilege level; and managing interaction with the second device according to the determination whether the persona is validated and the corresponding current privilege level. Another embodiment comprises a verification server's perspective of facilitating the interaction between the first and second devices, where the verification server queries the third-party entity to validate the persona.

Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.

Abstract: The present disclosure relates generally to systems and methods for content authentication. A method can include receiving from a sender system transmitted content (C) and appended content, the appended content including a digital signature associated with the content (C) and a hash tree (“SHT”) associated with the content (C), generating with a signature engine a hash tree (“RHT”) from the content (C), cryptographically verifying the received digital signature to generate a resultant hash value, comparing the resultant hash value to the second hash value of the second root node, determining that the second hash value of the second root node does not match the resultant hash value, identifying a potentially corrupted portion of content (C) via comparison of at least some of the plurality of first nodes of SHT to corresponding second nodes of RHT, and indicating that the digital signature could not be verified.

Abstract: Techniques for visualizing IoT device management are disclosed. A system utilizing such techniques can include an IoT device risk assessment system and an IoT device management visualization system. A method utilizing such techniques can include grouping IoT devices into an IoT device dimension group based on IoT device dimensions defining the group and controlling presentation of management data for the IoT devices based on the grouping of the IoT devices into the IoT device dimension group.

Abstract: The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. Suitability is evaluated based on how well the similarities uniquely identify the members of the first cluster. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.

Abstract: A method for securing a webpage or a webapp processed by a browser executing on a client system, the method comprising the browser executing an instance of white-box protected code, wherein execution of the instance of white-box protected code causes the client system to: generate a message comprising message data for use by a control system to perform one or more security tests, the control system communicably connected to the client system via a network; send the message to the control system to enable the control system to perform the one or more security tests using the message data; receive a response from the control system based, at least in part, on the message; and process the response.

Abstract: Systems, methods, and apparatus for a virtual transponder utilizing inband commanding are disclosed. In one or more embodiments, a disclosed method comprises receiving, by a payload antenna on a vehicle via a hosted receiving antenna, encrypted hosted commands transmitted from a hosted payload (HoP) operation center (HOC). The method further comprises receiving, by the vehicle, encrypted host commands transmitted from a host spacecraft operations center (SOC). Also, the method comprises reconfiguring a payload on the vehicle according to the unencrypted host commands and/or the unencrypted hosted commands. In addition, the method comprises transmitting, by the payload antenna, payload data to a host receiving antenna and/or the hosted receiving antenna. Additionally, the method comprises transmitting, by a host telemetry transmitter, the encrypted host telemetry to the host SOC.

Abstract: Described are techniques for preserving data security for sensitive information. The techniques including identifying sensitive information in first audio data from a first client device. The techniques further comprise generating second audio data including hashed sensitive information, where the hashed sensitive information comprises an audio clip that replaces the sensitive information and that is based on the sensitive information. The techniques further comprise transmitting the second data including the hashed sensitive information to a second client device. The techniques further comprise receiving third audio data including the hashed sensitive information from the second client device. The techniques further comprise generating fourth audio data by replacing the hashed sensitive information with the sensitive information and transmitting the fourth audio data including the sensitive information to the first client device.

Abstract: Embodiments are disclosed for a quantum key distribution enabled intra-datacenter network. An example system includes a first vertical cavity surface emitting laser (VCSEL), a second VCSEL and a network interface controller. The first VCSEL is configured to emit a first optical signal associated with data. The second VCSEL is configured to emit a second optical signal associated with quantum key distribution (QKD). Furthermore, the network interface controller is configured to manage transmission of the first optical signal associated with the first VCSEL and the second optical signal associated with the second VCSEL via an optical communication channel coupled to a network interface module.

Abstract: A method of operating an Internet of Things device is described. In the method, an electrical power is supplied to electrical circuitry in the Internet of Things device. The Internet of Things device is communicatively coupled to a computer network using circuitry of a transceiver and a communications module of the Internet of Things device. A detecting circuit is operated to indirectly monitor a level of activity of the communications module. If the level of activity of the communications module is determined to exceed a threshold value, a volume of communications between the Internet of Things device and the computer network is curtailed.

Abstract: A computer system detects, at time period one, that a first user of a computing device has not paid a transmitted invoice. In response to the detecting, at time period one, that the first user of the computing device has not paid the transmitted invoice, the computer system applies one or more restrictions to a first social media account corresponding to the first user. In response to the detecting, at time period two, that the first user has paid the transmitted invoice, the computer system removes the one or more restrictions from the first social media account, wherein time period two is after time period one.

Abstract: In one embodiment, a device including a processor, and a memory to store data used by the processor, wherein the processor is operative to run a manufacturer usage description (MUD) controller operative to obtain a MUD profile of an Internet of Things (IoT) device from a MUD server, the MUD profile of the IoT device including: access rights of the IoT device, and any one or more of the following a default device username and/or a default device password of the IoT device, a recommended/required device password complexity of the IoT device, at least one service that should be enabled/disabled on the IoT device, and/or allowed security protocols and/or ciphers for communication to and/or from the IoT device, enforce security of the IoT device according to the MUD profile of the IoT device. Related apparatus and methods are also described.