Patents Examined by Michael D Anderson
  • Patent number: 11290252
    Abstract: Systems and methods for end-to-end encryption and compression are described herein. A query is encrypted at a client using a homomorphic encryption scheme. The encrypted query is sent to a server where the encrypted query is evaluated over target data to generate encrypted response without decrypting the encrypted query. The result elements of the encrypted response are grouped, co-located, and compressed, without decrypting the encrypted query or the encrypted response. The compressed encrypted response is sent to the client where it is decrypted and decompressed to obtain the results of the query without revealing the query or results to the owner of the target data, an observer, or an attacker.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: March 29, 2022
    Assignee: Enveil, Inc.
    Inventor: Ryan Carr
  • Patent number: 11282414
    Abstract: There are several approaches to encrypting circuits: combination logic encryption, encrypted gate topologies, transmission gate topologies, and key expansion of gate topologies. One of the approaches provides a circuit having a gate topology comprising a logic gate with integrated key transistors, where the key transistors comprise at least a PMOS stack and an NMOS stack. The PMOS stack comprises a first PMOS switch and a second PMOS switch, where the first and the second PMOS switches have sources to a voltage source and drains that serve as a source to a third PMOS switch. The NMOS stack comprises a first NMOS switch and a second NMOS switch, where the first and the second NMOS switches have sources to ground and drains that serve as a source to a third NMOS switch. Each of the above approaches may encrypt a circuit with certain advantages in delay and power consumption.
    Type: Grant
    Filed: October 24, 2016
    Date of Patent: March 22, 2022
    Assignee: Drexel University
    Inventors: Ioannis Savidis, Kyle Juretus
  • Patent number: 11277435
    Abstract: Techniques described herein improve database security by reducing network attack surface area in conjunction with deep input validation. In an embodiment, a database session receives one or more network packets sent via a network, the database session including a database session state that specifies one or more database privileges. The database session reads said one or more network packets into one or more request-packet-buffers, wherein said one or more request-packet-buffers include an RPC op code for a database operation. Based on the one or more database privileges associated with the user associated with the database session, the database session determines whether the RPC op code may be executed. In response to determining that the RPC op code may be executed by said database session, the RPC op code is executed. In response to determining that the op code may not be executed by said database session, the execution of the RPC op code is prevented.
    Type: Grant
    Filed: September 14, 2017
    Date of Patent: March 15, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Krishna Mohan Itikarlapalli, Santanu Datta, Srinath Krishnaswamy, Lakshminarayanan Chidambaran, Rajesh Kumar, Sumit Sahu, Rajendra Pingte
  • Patent number: 11271954
    Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.
    Type: Grant
    Filed: July 14, 2017
    Date of Patent: March 8, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Tomáš Komárek, Petr Somol
  • Patent number: 11272361
    Abstract: A technique for establishing connectivity between electronic devices is described. In particular, when an electronic device is first connected to a network, the electronic device may use a predefined location of a registrar device to request location information for a controller for the electronic device. The electronic device may provide a manufacturer certificate to the registrar device to confirm its identity. After receiving from the registrar device the location information and a registrar certificate that confirms its identity, the electronic device may use the location information to request the security information from a controller that allows the electronic device to establish connectivity with another electronic device. The electronic device may receive the security from the controller along with a controller certificate that confirms the identity of the controller. Moreover, the electronic device may establish a connection with the other electronic device based on the security information.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: March 8, 2022
    Assignee: ARRIS Enterprises LLC
    Inventor: David Sheldon Stephenson
  • Patent number: 11256821
    Abstract: Methods and systems for identifying sensitive data (SD) stored on data repositories are disclosed. The data is processed to calculate a plurality of float feature (FF) vectors associated with the data. The FF vectors are clustered into a plurality of clusters, each cluster associated with a respective subset of the data. A DNA vector representative of the cluster is generated for each cluster. The DNA vectors of respective clusters are compared to one or more FF vectors calculated for a respective one or more user supplied examples of SD. One or more clusters are classified as SD based on the result of the comparing, thereby identifying respective subsets of data as SD.
    Type: Grant
    Filed: October 10, 2016
    Date of Patent: February 22, 2022
    Assignee: MINEREYE LTD.
    Inventors: Yaniv Avidan, Avner Atias
  • Patent number: 11240255
    Abstract: A method involves: receiving a request to access a first online financial application from a client device, where the first online financial application is one of many online financial applications made available by an online financial service, and where the many online applications include a second online application; attempting to generate a browser fingerprint for a browser application on the client device by applying a fingerprinting algorithm to one or more items of browser metadata; associating the browser fingerprint, if generated, with external user data obtained from a web analytics tool and internal user data obtained from the online financial service; receiving login credentials for the first online financial application from a user of the client device; retrieving, using the login credentials, additional internal user data maintained by the online financial service; personalizing, upon detecting the browser fingerprint and using the external user data, the internal user data, and the additional
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: February 1, 2022
    Assignee: Intuit Inc.
    Inventors: Ali Amin, Lewis Dawson, Shweta Singh, Tim Spaulding, Josh Rab, Giovanna Diaz, Tera Thomas, Gonzalo Galicia
  • Patent number: 11234128
    Abstract: A method and a system for managing undesired service requests sent from at least one terminal to a network are described, wherein the network comprises a network node for storing trusted service-information. The method comprises the steps of: the network receiving a service request from a terminal, the request comprising service request information; and, sending, preferably via a secure communication channel, a user verification request for requesting the user to verify the service requested by the terminal if at least part of the service request information is not listed in the trusted service-information.
    Type: Grant
    Filed: February 6, 2017
    Date of Patent: January 25, 2022
    Assignees: Koninklijke KPN N.V., Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO
    Inventors: Jeroen Laarakkers, Frank Muller, Tim Hartog
  • Patent number: 11222116
    Abstract: Examples associated with heartbeat signal verification are disclosed. One example includes verifying a provisioning key using a trusted key. The provisioning key is received from a remote device via an intermediary process. An intermediate key provided by the intermediary process is verified using the provisioning key. A session identifier is encrypted using the intermediate key and provided to the intermediary process. A first heartbeat signal is received from the intermediary process. The heartbeat signal is generated based on the session identifier.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: January 11, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Marcelo Gomes de Oliveira, Diogo Cesa Rosa, Fernando Ferretto, Charles R Staub, Lan Wang, Vali Ali, James R Waldron, Tiago V de Quadros Weber, Julio Cesar Sa Campao
  • Patent number: 11128641
    Abstract: Example embodiments disclosed herein relate to propagating belief information about malicious and benign nodes. In one example, a domain name system (DNS) resolution graph including multiple nodes is determined. In this example, a first subset of nodes is determined based on an initial benign value or an initial unknown value associated with the respective nodes. In the example, benign belief information is propagated for the first subset based on the respective initial benign values. Moreover, in the example, a second subset of the nodes is determined based on an initial malicious value or an initial unknown value. Malicious belief information is propagated for the second subset based on the respective malicious values. The propagated belief information is copied to a DNS resolution graph.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 21, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Loai Zomlot, Pratyusa K. Manadhata
  • Patent number: 11095442
    Abstract: A system and method for encryption key generation by receiving a plaintext message having a fixed character length and receiving, from a source, a plurality of random numbers. A matrix is created from the plurality of random numbers and has at least one of the number of rows or columns equal to or greater than the character length. An array that can be used as an encryption key or a seed for an encryption key is generated by selecting an initial element within the matrix, selecting subsequent elements using a selection technique until a number of elements in the array is equal to the character length and rejecting any previously selected elements from the array.
    Type: Grant
    Filed: April 5, 2019
    Date of Patent: August 17, 2021
    Assignee: QRYPT, INC.
    Inventors: Denis Mandich, Christopher Knapp, Austin Bradley, Samuel Wolfson, Matthew Neal
  • Patent number: 11080222
    Abstract: An optical electromagnetic radiation (EM) emitter and receiver are located upon a printed circuit board (PCB) glass security layer. A predetermined reference flux or interference pattern, respectively, is an expected flux or reflection pattern of EM emitted from the EM emitter, transmitted by the glass security layer, and received by the EM receiver. When the PCB is subject to an unauthorized access thereof the optical EM transmitted by glass security layer is altered. An optical monitoring device that monitors the flux or interference pattern of the optical EM received by the EM receiver detects a change in flux or interference pattern, in relation to the reference flux or reference interference pattern, respectively, and passes a tamper signal to one or more computer system devices to respond to the unauthorized access. For example, one or more cryptographic adapter card or computer system functions or secured crypto components may be disabled.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: August 3, 2021
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Mark J. Jeanson, Mark O. Maxson
  • Patent number: 11082415
    Abstract: An anonymous or ad hoc communication is established between unknown contacts. For example, in today's mobile communications environment, there are many instances in which a user of smart phone may wish to send a message to an unknown user's smartphone. The anonymous or ad hoc communication thus allows messaging with an unknown user.
    Type: Grant
    Filed: April 6, 2018
    Date of Patent: August 3, 2021
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Ginger Chien, Yehoshuva Arasavelli
  • Patent number: 11057223
    Abstract: The communication system includes a communication buffer and a communication terminal. The communication buffer includes a physical unclonable function (PUF) device, and the communication buffer provides a security key generated by the PUF device. The communication terminal is coupled to the communication buffer, and transmits a mapping request to the communication buffer to ask for the security key. The communication terminal manipulates the transmission data with the security key to generate the encrypted data, and transmits the encrypted data to the communication buffer. The communication buffer further restores the transmission data from the encrypted data according to the security key.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: July 6, 2021
    Assignee: eMemory Technology Inc.
    Inventors: Meng-Yi Wu, Hsin-Ming Chen
  • Patent number: 11055415
    Abstract: Provided are mechanisms and processes for computational risk analysis and intermediation. Security practices information characterizing security measures in place at a first computing system may be received from the first computing system via a network. Computing services interaction information characterizing data transmitted from a second computing system to the first computing system may be received from the second computing system via the network. A processor may determine a risk profile for the first computing system based on the security practices information. Based on the risk profile and the computing services interaction information, the processor may then determine an estimate of the information security risk associated with transmitting the data from the second computing system to the first computing system. A risk assessment message including the estimate of the information security risk may be transmitted to the second computing system.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: July 6, 2021
    Assignee: VALENTE SHERMAN, INC.
    Inventors: Russell Sherman, Paul Valente
  • Patent number: 11055401
    Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: July 6, 2021
    Assignee: INTEL CORPORATION
    Inventors: Mingwei Zhang, Mingqiu Sun, Ravi L. Sahita, Chunhui Zhang, Xiaoning Li
  • Patent number: 11050726
    Abstract: A current operating system that is stored in a persistent storage circuit of a secure element is replaced by receiving a set of migration rules that specify changes to a set of data object types. Based upon the set of migration rules, a migration engine identifies data objects stored in a persistent storage circuit and corresponding to the set of data object types. For each of the identified data objects: a subset of the migration rules are selected that correspond to a data object type that corresponds to a particular data object, and based upon the selected subset, the particular data object is transformed. A new operating system can then be enabled.
    Type: Grant
    Filed: April 4, 2016
    Date of Patent: June 29, 2021
    Assignee: NXP B.V.
    Inventors: Andreas Lessiak, Josef Fruehwirth, Jozsef Jelenka, Harald Schlatte-Schatte, Alexandre Frey
  • Patent number: 11030569
    Abstract: A cloud-based package-exchange-service for package delivery to, and pick-up from, a target vehicle includes a GPS-based proximity module. The GPS-based proximity module receives current GPS coordinates of a package delivery vehicle and of the target vehicle. The GPS-based proximity module stores both GPS coordinates. The GPS-based proximity module monitors a distance between the package delivery vehicle and the target vehicle of the customer. The cloud-based system also has a delivery module in the first server associated with a second database. The delivery module includes one or more lists of local delivery services that include registered individuals to be assigned for package exchange operations. The lists of local delivery services also include package delivery restrictions and conditions including package size, hours of operation, distance to operate, and delivery prices.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: June 8, 2021
    Assignee: Continental Intelligent Transportation Systems, Inc.
    Inventors: Seval Oz, Tammer Zein-El-Abedein, Yao Zhao
  • Patent number: 11005888
    Abstract: Methods, systems, and apparatus in a service layer environment may create, update, or delete access control policy triples whenever an access control policy (ACP) resource is created, updated, or deleted. In addition, methods address potentially frequent and unnecessary ACP triple management.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: May 11, 2021
    Assignee: Convida Wireless, LLC
    Inventors: Chonggang Wang, Hongkun Li, Xu Li, Dale N. Seed, Quang Ly, Catalina Mladin
  • Patent number: 10992674
    Abstract: A method for providing network access to a plurality of user entities through an access point, said access point comprising a LAN interface and a broadband network interface, the method comprising the following steps at a gateway device: establishing a second secure communication link with said access point; receiving an IP address allocation request from one of said plurality of user entities via said second secure communication link; accessing a AAA server to verify whether a successful authentication of said one of said plurality of user entities on the basis of data related to a mobile subscription associated with said one of said plurality of user entities has already taken place; and upon successful verification, completing an IP address allocation scheme with said one of said plurality of user entities and enabling relaying of data between said one of said plurality of user entities and a PDN; wherein said gateway device is adapted to aggregate a plurality of instances of second secure communication li
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: April 27, 2021
    Assignee: Nokia Technologies Oy
    Inventors: Thierry Van De Velde, Wim Henderickx, Telemaco Melia