Abstract: Described embodiments provide managing data collected from machine 2 machine (M2M) devices. A plurality of M2M devices may be grouped based on a common interest and the same group authorization key may be assigned to M2M devices in the same device group. A data collecting terminal having a group authorization key may be allowed to collect data in M2M devices when the M2M devices have the same group authorization key.

Abstract: A method and apparatus is provided for connecting a communication device to a deployable system. The deployable system obtains at least one deployable key derived on a fixed system for the deployable system based on an existing key stored on a database of the fixed system, wherein the existing key is used to authenticate a communication device. The deployable system stores the derived key. Subsequent to the storing, the deployable system is activated to provide communication resources to communication devices disconnected from the fixed system. The activated deployable system is not connected to the fixed system. The activated deployable system receives an authentication request from the communication device requesting connection to the deployable system; generates authentication vectors using the at least one derived deployable key; and authenticates an authentication response received from the communication device using the authentication vectors.

Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificate pairs which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.

Abstract: A system includes a removable or replaceable I/O interface (e.g., a panel and associated electronics card). In one embodiment, a security device includes an FPGA I/O array that can be programmed for different interfaces. The interchangeable I/O panel and card is designed with a selected interface's matching physical electronics and connectors. This permits the main physical chassis of a security device to remain unchanged and avoid re-design, so that a user can readily use different interface options that can be changed by the user.

Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.

Abstract: Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device.

Abstract: Shuffling data stored in columnar tables improves data storage security, particularly when used in conjunction with other security operations, such as tokenization and cryptography. A data table is accessed, and pointer values of at least one column of the accessed table are shuffled, generating a protected table. An index table mapping index values to the shuffled pointer values is generated, allowing a user with access to both the protected table and the index table to generate the original table. Without both tables, users are only able to see either the shuffled data or the index values. Example shuffling methods include, but are not limited to, random shuffling, grouped shuffling, sorting by column value, and sorting by index value.

Abstract: Methods and apparatus for quantum key distribution are described, in particular including methods and networks 300 arranged to improve and/or ensure the security of data transmitted thereby by (i) ensuring a certain level of loss within at least part of the network, (ii) placing a penultimate and an endpoint nodes in situated in a secure second enclave, (iii) analyzing a transmitted bit stream to ensure that it does not provide an unacceptable amount of information about the key that may be generated therefrom, and/or (iv) varying the order in which bits are used to generate a key.

Abstract: An encrypted security system and associated methods for controlling physical access. The system includes a security server configured to receive a request for authentication from a mobile device, the request comprising information identifying the mobile device and a physical access control device. The security server forwards an encryption message comprising a plurality of unique identifiers to the physical access control device via the mobile device. The physical access control device is configured to authenticate the plurality of unique identifiers in the encryption message and operate an access control mechanism.

Abstract: Embodiments are directed to providing an identity risk score as part of an authentication assertion, applying operating heuristics to determine an operating application's validity and to providing identity risk scores to requesting third parties. In one scenario, an authentication server receives from a cloud service portal various user credentials from a user. The user credentials identify a user to the authentication server. The authentication server verifies the user's identity using the received credentials and generates an identity risk score based on one or more identity factors. The identity factors indicate a likelihood that the user is a valid user. The authentication server encapsulates the generated identity risk score in an authentication assertion and sends the authentication assertion that includes the generated identity risk score to the cloud service portal.

Abstract: A public wireless access point network includes authorized access points sharing the same SSID and connected to a network core which implements centralized authentication so that wireless client devices can roam between authorized access points. Each authorized access point is adapted to detect the presence of unauthorized rogue access points posing as authorized access points. The authorized access points inspect data packets received from wireless client devices which have roamed into range and from the addressing information in the MAC layer and IP layer can determine whether the wireless device has previously connected to a rogue access point. If such a determination is made, the user of the device is alerted that their confidential information may have been compromised.

Abstract: An information processing system implements a security system. The security system comprises a classifier configured to process information characterizing events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback relating to one or more attributes associated with an assessment of the risk scores by one or more users. The classifier is configured to utilize the feedback regarding the risk scores to learn riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events.

Abstract: A method, non-transitory computer readable medium and apparatus for securing user input and/or output on a mobile endpoint device. For example, the method receives an input on the mobile endpoint device, encrypts and authenticates the input in a trusted domain of the mobile endpoint device executing an application and sends the input that is encrypted and authenticated to an untrusted domain of the mobile endpoint device over a secure channel.

Abstract: A communication system having a policy server coupled to a communications network for managing secure communication with and among end instruments (EI). The EI comprises a memory, and a processor coupled to the memory with processor-executable instructions, including instructions for an operating system kernel; and instructions for a protection core that monitors operations of the operating system kernel in accordance with a security policy for the EI. Security policies can intercept calls to an operating system kernel and for each call, determining whether the call is allowed under the security policy(ies). Policies are stored in a policy library and transmitted to an EI over a wireless communication network.

Abstract: Shuffling data stored in columnar tables improves data storage security, particularly when used in conjunction with other security operations, such as tokenization and cryptography. A data table is accessed, and pointer values of at least one column of the accessed table are shuffled, generating a protected table. An index table mapping index values to the shuffled pointer values is generated, allowing a user with access to both the protected table and the index table to generate the original table. Without both tables, users are only able to see either the shuffled data or the index values. Example shuffling methods include, but are not limited to, random shuffling, grouped shuffling, sorting by column value, and sorting by index value.

Abstract: A method for DTCP to HLS conversion is provided that starts with a standard DTCP Protected Content Packet (PCP) structure. The PCP payload data is chunked at defined chunk boundaries. Each chunk is then appended with a pad to be compatible with HLS. An HLS playlist is then provided using the PCP header with identification of the chunks and a keytag. The chunk is encrypted with a DTCP key calculated by the DTCP standard using: (a) copy control bits; (b) a nonce, and (c) an exchange key ID. Relevant PCP header fields are provided in the keytag for the HLS playlist, including the value of the copy control bits, the nonce and the exchange key ID, supporting the transaction that enables calculation of the DTCP content key to enable later decryption of the chunks.

Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.

Abstract: An authentication system is disclosed. Information associated with at least one of a user's use of a resource and demographic information associated with the user is collected. The collected information is processed to determine one or more stimuli to be presented to the user. The collected information is processed to determine one or more stimuli to be presented to the user. Classification data provided by the user is stored. Classification data associated with the user is received. The received classification data is compared to the stored classification data. A determination of whether to authorize an action based at least in part on the comparison is determined.

Abstract: Anti-malware process protection techniques are described. In one or more implementations, an anti-malware process is launched. The anti-malware process is verified based at least in part on an anti-malware driver that contains certificates which contain an identity that is signed with the trusted certificate from a verified source. After the anti-malware process is verified, the anti-malware process may be assigned a protection level, and an administrative user may be prevented from altering the anti-malware process.

Abstract: The invention is a method for broadcast encryption that allows a broadcaster to send encrypted data to a set of users such that only a subset of authorized users can decrypt said data. The method comprises modifications to the four stages of the basic Cipher-text Policy Attribute-Based Encryption techniques. The method can be adapted to transform any Attribute-Based Encryption scheme that supports only temporary revocation into a scheme that supports the permanent revocation of users.