Abstract: A cloud-based identity and access management system that implements single sign-on (“SSO”) receives a first request for an identity management service configured to allow for accessing an application. Embodiments send the first request to a first microservice which performs the identity management service by generating a token. The first microservice generates the token at least in part by sending a second request to a SSO microservice that is configured to provide SSO functionality across different microservices that are based on different protocols. Embodiments then receive the token from the first microservice and provide the token to the application, where the token allows for accessing the application.

Abstract: A security event that is associated with one or more communication devices is detected. For example, the security event may be an unexpected change in data being sent from a communication device outside an enterprise. In response to detecting the security event, a Virtual Service Network (VSN) is created that isolates one or more communication devices that may pose a security risk. A corrective action to mitigate the security event is then implemented. For example, the corrective action may be to dynamically instantiate a firewall on the VSN that blocks the transfer of data from the communication device outside the enterprise. This allows an administrator to review the security event and take further action if necessary. Because the VSN with the firewall is created dynamically, the network remains secure while the security event is investigated.

Abstract: Provided is a method of providing, by a server, account information, the method including: receiving an account generation request message from a first device; generating first account information, based on user identification information included in the account generation request message; transmitting the generated first account information to the first device; receiving an account use request message from a second device; identifying the first account information and service identification information included in the received account use request message; and transmitting second account information corresponding to the identified first account information and the service identification information, to the second device.

Abstract: Methods, systems, and media for adding IP addresses to firewalls are provided. In some embodiments, the method comprises: receiving a network packet that includes an external IP address associated with an external device, wherein the external device is a device not protected by a firewall; determining whether the external IP address is included in a group of IP addresses maintained by the firewall; determining whether to add the external IP address to the group of IP addresses; identifying an Internet Service Provider (ISP) associated with the external IP address; determining whether the ISP is included in a group of ISPs maintained by the firewall; and in response to determining that the ISP is not included in the group of ISPs maintained by the firewall, adding the external IP address to the group of IP addresses and adding the ISP to the group of ISPs.

Abstract: A method for confirming pairing connection of terminal devices, including: acquiring third touch slide data collected by a target second Bluetooth device via a touch sensing point thereof, if a touch slide operation is detected after a connection between the first Bluetooth device and the target second Bluetooth device is established; establishing a third touch slide variation curve device according to the third touch slide data; acquiring fourth touch slide data collected by a touch screen thereof, and establishing a fourth touch slide variation curve according to the fourth touch slide data; determining whether the third touch slide variation curve matches with the fourth touch slide variation curve or not; and disconnecting the connection with the target second Bluetooth device if the third touch slide variation curve does not match with the fourth touch slide variation curve.

Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A file system enforcement point protects an HDFS from unauthorized access by authenticating a declared identity of a task submitting a request from a client. Upon receiving the request, the file system enforcement point submits a challenge to the client, requesting the task to provide credentials of the declared identity. The task submits credentials. On the client, each task has access to credentials of a true identity of the task. Accordingly, in case a task submits a claimed identity that is different from the true identity of the task, the task cannot submit correct credentials in response to the challenge. The file system enforcement point authenticates the declared identity using the submitted credentials. The file system enforcement point allows the client to access the HDFS only upon successful authentication.

Abstract: A method for storing an object on storage nodes includes encrypting an object to be stored with a key. One or more hash values are computed for the object. The encrypted object is stored on the storage nodes. Storage location data is provided for the stored object. A transaction is computed for a blockchain, wherein information is encoded in the transaction, the encoded information representing the storage location data, the computed o hash values and key data. The transaction is stored in the blockchain provided by one or more blockchain nodes hosting the blockchain. A number of confirmations is provided for the transaction. The number of confirmations is compared with a predefined threshold confirmation number, wherein the predefined threshold confirmation number is computed such that with a pregiven certainty the encoded information in the transaction stored in the blockchain cannot be modified.

Abstract: Firewall rules and policies are automatically managed in accordance with relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined based on the identified application based on a ranking of a relevancy score. Responsive to the specific firewall rule application, the relevancy score associated with the specific firewall rule are increased, and relevancy scores for other firewall rules of the predetermined firewall rule category that are not applied to the network packet decreased. Firewall rules of the category, for order of application, are ranked based on the relevancy scores. Firewall rules having relevancy scores below a predetermined relevancy threshold are disabled and the administrator is notified.

Abstract: An anti-phishing email system and an anti-phishing email method are provided. The system includes an email address registration and authentication subsystem configured to register an email address of a user, an email signature registration subsystem configured to register a signature generated by the user for information on a to-be-sent email, and an email signature query subsystem configured for an email receiving user to query whether the email is registered after the email receiving user receives the email, to determine whether the email is an illegal phishing email.

Abstract: A communication system includes multiple nodes connected with each other. Each of the multiple nodes generates a message authentication code using a count value of a counter. The multiple nodes include a transmission node and a reception node. The count value of the counter is includes a high-order count value and a low-order count value. In the transmission node, a normal message generation portion generates a normal message to include a transmission data, the low-order count value, and the message authentication code, and a synchronization message generation portion generates a synchronization message. In the reception node, a message verification portion verifies the received normal message, a resynchronization request portion transmits a resynchronization request of the counter to the transmission node, and a count value update portion updates the high-order count value stored in the reception count value storage portion when the synchronization message is received.

Abstract: A system is provided for anonymously detecting and blocking threats within a telecommunications network. A network analyzer of the system may intercept traffic, or receive log files, related to traffic that passes over the network, collect metadata that includes values of data attributes associated with the traffic, interpret the metadata and therefrom generate and transmit a request for an associated threat score for the value of a data attribute, and receive the associated threat score and based thereon initiate a block or redirection of the traffic. A score requestor of the system may receive and serve the request by either returning the score from local storage or otherwise, generating and transmitting a secondary request to a scoring engine configured to calculate the associated threat score and the associated threat score to the score requestor to return to the network analyzer.

Abstract: A method and apparatus are provided for secure communication. The method includes binding an isolated environment, of a device, to a secure component. The secure component includes a secure application and data. The method also includes utilizing the isolated environment as an intermediary for communication of the data between the secure application and the device.

Abstract: Provided are a communication destination determination device and the like in which a communication destination that is highly likely to pose a threat can be detected. A communication destination determination device 101 is provided with: a signal transmission unit 102 which transmits, when a first signal transmitted from a communication destination 104 is received via a communication network, a second signal in response to the first signal to the communication destination 104; and a communication destination determination unit 103 which classifies whether the communication destination 104 is highly likely to pose a threat or not, on the basis of whether or not a third signal transmitted from the communication destination 104 is received within a certain time period from the timing of transmission of the second signal.

Abstract: A portable terminal device (1) sets a security level for each application in accordance with position, and stores the level in a memory (102). The security level determines whether each application is displayed or made executable on a display portion (114a) in locked state and unlocked state. A control unit (101) refers to the security level and determines the application displayed on the display portion (114a) in accordance with position information acquired by a position information acquisition unit (GPS reception unit) (104), and makes executable the application selected by the user. Thus, the portable terminal device (1) offers user-friendliness while ensuring security strength.

Abstract: An automobile device receives first data from transmitter(s) located in an automobile. A random access preamble is transmitted on an uplink carrier to a base station in response to a pre-defined condition being met based on the first data or a value of an internal timer or a user input. A time alignment command is received from the base station. Uplink signal transmission timing of the uplink carrier is adjusted according to the time alignment command. A network server transmits, via the base station over a non-GBR bearer, a first message configured to trigger establishment of a connection to the network server. A second message configured to cause transmission of the first data to the network server is received from the network server via the base station over the non-GBR bearer. The first data is encrypted and transmitted to the base station via an established non-GBR bearer.

Abstract: Systems, methods, and computer program products for credential management. An application deployment system receives a deployment manifest for deploying an application in a cloud computing environment. A deployment director of the application deployment system determines a resource to be used by the application. The deployment director determines, from the deployment manifest, an identifier, e.g., a name, of credentials for accessing the resource. The deployment director requests the credentials from a credential manager of the application deployment system. Upon receiving the credentials, the deployment director modifies the deployment manifest by replacing the identifier with the received credentials. The application deployment system deploys the application using the modified deployment manifest and then deletes the modified deployment manifest.

Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.

Abstract: A system and method to control access to data are disclosed. A request for a subject to perform an action on an object is received. A determination is made whether a policy for the subject limits the action to an object with integrity protection. The action is performed based on determining the object has integrity protection. The request is rejected based on determining the object does not have integrity protection.

Abstract: Provided are a network attack detection method and device.

Abstract: The disclosed embodiment provides a method and device for vulnerability scanning, the method comprising: a reverse scanning agent module acquires a client message; the reverse scanning agent module transmits the client message to a vulnerability scanner, enabling the vulnerability scanner to identify a vulnerability of the client according to the client message; or the reverse scanning agent module identifies the vulnerability of the client according to the client message and transmits the vulnerability to the vulnerability scanner; the reverse scanning agent module receives a control instruction from the vulnerability scanner, changes operation manner and/or mode according to the control instruction, and updates a vulnerability rule.