Patents Examined by Michael Simitoski
  • Patent number: 11641379
    Abstract: A cloud security method implements web security at the application level by monitoring network traffic and detecting cloud activities related to web applications, and then classifying the detected cloud activities to map certain security-related cloud activities into activity categories to enable security policy to be applied. The application-level cloud security method enables policy enforcement rules to be established for cloud activity categories. The security policies are then applied based on activity categories.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: May 2, 2023
    Assignee: Skyhigh Security LLC
    Inventors: Sekhar Sarukkai, Prasad Raghavendra Somasamudram, Rama Taraniganty, Vikram Jaiswal, Chapman Seto, Ravi Hingarajiya, Surendrakumar Viswanathan, Kaushik Narayan, Pradeep Kumar Reddy Mangalapuri, Guruprasad Shenoy
  • Patent number: 11632399
    Abstract: A method of managing a local area communication network comprising at least one access equipment for accessing the network is disclosed. At least one communicating object is connected to the network. In one aspect, the method comprises upon detecting connection of a new communicating object to the network and/or upon detecting installation of new firmware on the at least one communicating object connected to the network, a learning phase involving observing interactions of the communicating object with at least one other equipment of the local area network and/or at least one equipment of a wide area communication network accessible via the access equipment. In addition, at least one security rule associated with the communicating object on the basis of the observed interactions is disclosed.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: April 18, 2023
    Inventors: Eric Bouvet, Xavier Le Guillou
  • Patent number: 11625478
    Abstract: Systems and methods for improving security in computer-based authentication systems by using physical unclonable functions are presented. A computing device used to provide authentication includes multiple arrays of physical unclonable function devices. Rather than storing user passwords or message digests of passwords, the computing device generates a message digest based on a user's credentials. A challenge response is generated by measuring physical parameters of a set of physical unclonable function devices specified by the message digest. The computing device can provide authentication without storing information which could be used by an attacker to compromise user credentials. Redundancy and robustness to varying loads are provided by the use of multiple PUF arrays which may be used as backups or to provide load balancing. Backdoor access may be provided to trusted parties without exposing user credentials.
    Type: Grant
    Filed: April 15, 2021
    Date of Patent: April 11, 2023
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventors: Bertrand F Cambou, Mohammad Mohammadinodoushan
  • Patent number: 11625467
    Abstract: A computerized method for voice authentication of a customer in a self-service system is provided. A request for authentication of the customer is received and the customer is enrolled in the self-service system with a text-independent voice print. A passphrase from a plurality of passphrases to transmit to the customer is determined based on comparing each of the plurality of passphrases to a text-dependent or text-independent voice biometric model. The passphrase is transmitted to the customer, and when the customer responds, an audio stream of the passphrase is received. The customer is authenticated by comparing the audio stream of the passphrase against the text-independent voice print. If the customer is authenticated, then the audio stream of the passphrase and the topic of the passphrase may be stored.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: April 11, 2023
    Assignee: Nice Ltd.
    Inventors: Matan Keret, Amnon Buzaglo
  • Patent number: 11606387
    Abstract: A system and method for reducing a time to mitigate distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of attack feeds on at least one protected object in a secured environment; analyzing the plurality of attack feeds to determine characteristics of a DDoS attack against the secure environment; determining a set of optimal mitigation resources assigned to the secured environment; selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: March 14, 2023
    Assignee: RADWARE LTD.
    Inventors: Ehud Doron, Yotam Ben Ezra, David Aviv
  • Patent number: 11599637
    Abstract: Disclosed herein are systems and methods for blocking malicious script execution. In one exemplary aspect, the method may comprise detecting an execution of a script that creates or modifies a file on a computing device and recording a first report comprising a list of operations involved in the execution of the script, an identifier of the script, and an identifier of the file. The method may comprise determining that the file includes malicious code using a malware scanner and recording a second report comprising an indication that the file includes malicious code and an identifier of the file. In response to determining that the identifier of the file is present in both the first report and the second report, the method may comprise generating and storing a first rule that prevents complete execution of any script that shares at least one operation in the list of operations with the script.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: March 7, 2023
    Assignee: CLOUD LINUX SOFTWARE, INC.
    Inventors: Igor Seletskiy, Aleksei Berezhok, Evgenii Vodilov
  • Patent number: 11595196
    Abstract: This application provides quantum key distribution methods, devices, and storage media. In an implementation, a method comprises: determining, based on a first mapping, a first quantum key of N first quantum keys corresponding to an ith node on a target routing path; determining, based on a second mapping, a second quantum key of N second quantum keys corresponding to the ith node; and generating, by the ith node based on the first quantum key corresponding to the ith node and the second quantum key corresponding to the ith node, a third quantum key corresponding to the ith node on the target routing path.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: February 28, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Zhengyu Li, Changzheng Su, Su Hu, Yang Zou
  • Patent number: 11580497
    Abstract: A system includes a memory, a survey engine, and a reporting engine. The memory stores identifying information of a plurality of users. The survey engine determines a question to present to each user of the plurality of users and determines an interval for each user of the plurality of users. The determined interval for a first user of the plurality of users is different from the determined interval for a second user of the plurality of users. For each user, the survey engine communicates to that user, based on the stored identifying information, the determined question for that user according to the determined interval for that user and receives a response from each user of the plurality of users. The reporting engine generates a report based on the received response from the plurality of users.
    Type: Grant
    Filed: April 20, 2021
    Date of Patent: February 14, 2023
    Assignee: THE PRUDENTIAL INSURANCE COMPANY OF AMERICA
    Inventors: Andrew M. Wisdom, David A. Casto
  • Patent number: 11582606
    Abstract: Disclosed are a terminal verification method, an AP device, a terminal and a system, wherein the AP device is an encrypted AP device. The method comprises: receiving a connection request sent by a first terminal, wherein the connection request comprises identification information of the first terminal; querying an authorization list according to the identification information of the first terminal, wherein the authorization list includes identification information of terminals located within a preset password-free range; and returning an authorization response to the first terminal when the authorization list includes the identification information of the first terminal, wherein the authorization response is used for instructing the first terminal to establish a network connection with the AP device.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: February 14, 2023
    Assignee: XI'AN YEP TELECOMMUNICATION TECHNOLOGY, LTD.
    Inventor: Wei Li
  • Patent number: 11582190
    Abstract: A message-hold decision maker system used with an electronic mail processing system that processes electronic messages for a protected computer network improves the electronic mail processing system's performance by increasing the throughput performance of the system. The improvements are achieved by providing an electronic mail processing gateway with additional logic that makes fast and intelligent decisions on whether to hold, block, allow, or sandbox electronic messages in view of potential threats such as viruses or URL-based threats. A message hold decision maker uses current and stored information from a plurality of specialized classification engines to quickly make the decisions. In some examples, the message hold decision maker will instruct an email gateway to hold an electronic mail message while the classification engines perform further analysis.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: February 14, 2023
    Assignee: Proofpoint, Inc.
    Inventors: Alina V. Khayms, Gregory Lee Wittel
  • Patent number: 11579985
    Abstract: Disclosed herein are systems and methods for preventing malware reoccurrence when restoring a computing device using a backup image. In one exemplary aspect, a method may identify, from a plurality of backup images for a computing device, a backup image that was created most recently before the computing device was compromised. The method may mount the backup image as a disk and scan the disk for malicious software. The method may disable all ports and services on the computing device to prevent unauthorized network connections and service launches. The method may restore data to the computing device from the mounted disk. The method may update software on the computing device and apply the latest patches, and reopen the ports and restart the services on the computing device subsequent to updating the software and applying the latest patches.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: February 14, 2023
    Assignee: Acronis International GmbH
    Inventors: Serguei Beloussov, Oleg Ishanov, Vladimir Strogov, Andrey Kulaga, Igor Kornachev, Alexey Sergeev, Anton Enakiev, Stanislav Protasov
  • Patent number: 11570161
    Abstract: In order to improve security upon distributing a group key, there is provided a gateway (20) to a core network for a group of MTC devices (10_1-10_n) communicating with the core network. The gateway (20) protects confidentiality and integrity of a group key, and distributes the protected group key to each of the MTC devices (10_1-10_n). The protection is performed by using: a key (Kgr) that is preliminarily shared between the gateway (20) and each of the MTC devices (10_1-10_n), and that is used for the gateway (20) to authenticate each of the MTC devices (10_1-10_n) as a member of the group; or a key (K_iwf) that is shared between an MTC-IWF (50) and each of the MTC devices (10_1-10_n), and that is used to derive temporary keys for securely conducting individual communication between the MTC-IWF (50) and each of the MTC devices (10_1-10_n).
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: January 31, 2023
    Assignee: NEC CORPORATION
    Inventors: Xiaowei Zhang, Anand Raghawa Prasad
  • Patent number: 11556651
    Abstract: Disclosed herein are a method for secure booting using a route switchover function for a boot memory bus and an apparatus using the same. The method includes maintaining a reset state in order to prevent a processor from being booted, interrupting the connection between the processor and boot memory, verifying the integrity of first boot firmware stored in the boot memory, determining whether hardware damage is detected, and releasing the reset state of the processor and the interrupted state of the connection between the processor and the boot memory in consideration of whether hardware damage is detected and verification of the integrity in order to allow the processor to be booted.
    Type: Grant
    Filed: November 5, 2020
    Date of Patent: January 17, 2023
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Sanghan Lee, Dongwoo Shin, Sangwook Lee
  • Patent number: 11556631
    Abstract: In some embodiments, an electronic device presents a weak password warning in a password management user interface that includes information about the user account with which the password is associated. In some embodiments, an electronic device presents a weak password warning in a login user interface.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: January 17, 2023
    Assignee: Apple Inc.
    Inventors: Elaine Y. Knight, Chelsea E. Pugh, Reza Abbasian, Richard Houle, Richard J. Mondello, Zhuo Li, Patrick L. Coffman
  • Patent number: 11550879
    Abstract: System, device, and method of providing an authenticity and rights verification mechanism for media content and for its derived versions. A media authenticity server is configured to receive a content item, and to generate for it a record having a unique content identifier and indications of permitted modifications, and optionally also copyright information usage restrictions. The media authenticity server authorizes or blocks modification requests regarding the content item. The media authenticity server tracks and logs the permitted modifications performed on the content item, and makes this log available for inspection to end-user devices via a web browser or via a content consumption application. Optionally, playback or consumption of a modified version of the content item is blocked, or is accompanied by a warning message, if the modified version is not associated with an authenticated log of permitted modifications.
    Type: Grant
    Filed: November 26, 2020
    Date of Patent: January 10, 2023
    Assignee: CLOUDINARY LTD.
    Inventors: Tal Lev-Ami, Amnon Cohen-Tidhar
  • Patent number: 11546143
    Abstract: A record of authorization including user information is received and appended to a blockchain. The record of authorization authorizes access by a third-party application to the user information for an access duration. The user information is encrypted by a group key and access duration is based on a change to the group key. The group key comprises a public/private key pair, and the access duration is implemented by an authorization group of nodes having the group key. The group key corresponds to either a valid group key at or near the start of the access duration, that enables decryption of a message in the record of authorization that includes the user information, or an incompatible group key at or after the end of the access duration, that does not enable decryption of the message in the record of authorization that includes the user information.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: January 3, 2023
    Assignee: MOAC BLOCKCHAIN TECH, INC.
    Inventors: Xiaohu Chen, Yifan Wang, Yang Chen, Zhengpeng Li, Xinle Yang, Qing Xu, Weiqi Wang, Yuechao Ma, Xiannong Fu
  • Patent number: 11546310
    Abstract: Methods include establishing a transport layer security connection between the client and a server that provides the web service, identifying at least one cryptographic key for communication with the web service in the connection, closing the connection and communicating between the client and the web service using a web service token that is signed and encrypted according to the identified at least one cryptographic key. Communicating between the client and the web service using a web service token may not require creation of a new transport layer security connection. Further embodiments provide a computer configured to perform operations as described above and computer-readable medium storing instructions that, when executed by a computer, perform operations as described above.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: January 3, 2023
    Assignee: Sensus Spectrum, LLC
    Inventors: Yifan Wu, Ricky West
  • Patent number: 11526339
    Abstract: The disclosed computer-implemented method for improving application installation may include (i) receiving, in response to initiating an installation procedure for an application published by a security application publisher, a signed web token that is formatted according to an Internet standard that defines a structure of the signed web token such that a private section of a payload of the signed web token asserts at least one private claim, and (ii) applying the private claim to customize the installation procedure of the application according to a configuration of a technology partner that partners with the security application publisher. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: December 13, 2022
    Assignee: NortonLifeLock Inc.
    Inventors: Somard Kruayatidee, Jonathon Salehpour, Bruce McCorkendale
  • Patent number: 11522851
    Abstract: A system and method for facilitating establishing a secure connection between a client application and a content provider. An example method includes employing a security gateway to authenticate a client for communications therewith; maintaining, for the client, security credentials for a data provider via a security configuration module, wherein the security credentials are associated with a description of data, which is associated with a data provider; using the gateway to determine which of the security credentials to use to fulfill the request message received by the security gateway from the client based on the request; and employing the selected security credentials to selectively retrieve data from and deliver the data to the client application. The example method may further include generating the request message when a User Interface (UI) control displayed in a UI display screen of a browser client is selected or activated.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: December 6, 2022
    Assignee: Oracle International Corporation
    Inventor: Dhiraj D. Thakkar
  • Patent number: 11514165
    Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor: identify, for a firmware image, a secure boot certificate; identify, for the secure boot certificate, a certificate use policy; determine whether the certificate use policy permits verification of the firmware image using the secure boot certificate; and allow the firmware image to be verified with the secure boot certificate if the certificate use policy permits verification of the firmware image using the secure boot certificate.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: November 29, 2022
    Assignee: Dell Products L.P.
    Inventors: Richard M. Tonry, Ibrahim Sayyed