Abstract: The present disclosure presents methods, apparatuses, and systems to bolster communication security, and more particularly to utilize a constant time cryptographic co-processor engine for such communication security. For example, the disclosure includes a method for secure communication, comprising receiving encrypted data at a receiving device; obtaining a randomization for at least one bit of the encrypted data; modifying an execution of a cryptographic algorithm on the at least one bit to obtain a randomized cryptographic algorithm based on the randomization; and executing the randomized cryptographic algorithm on the at least one bit of encrypted data to recover original data associated with the encrypted data.

Abstract: A method, system, and computer usable program product for protocol based key management are provided in the illustrative embodiments. A key management protocol associated with a key request is identified, the key request being a request for data usable in cryptographic security. A first subset is selected from a set of policies using the key management protocol. A set of permissions is computed based on the first subset of policies, the set of permissions indicating whether the key request is permitted under the key management protocol. The set of permissions is cached in a cache in a data storage device.

Abstract: A method, computer program product, and system for providing verification processes associated with a commitment-based authentication protocol are described. A request by a user for access to one or more resources is received, and a presentation policy is transmitted to the user indicating required credentials. A commitment to a revocation handle is received, including an indication of an associated Sigma protocol executed by the user. A challenge value selected from a challenge value set associated with the associated Sigma protocol is transmitted to the user. Based on the selected challenge value, a presentation token and a value parameter that is distinct from the presentation token are received from the user. Based on a determination as to whether the presentation token and value parameter are valid in accordance with the associated Sigma protocol, access for the user to the one or more resources is granted to the user or prevented.

Abstract: User data is aggregated across a plurality of electronic communication channels and domains. An online system initially authenticates a user for access to the online system over a network. The online system provides a user identifier for the user to an authentication service. The authentication service generates a non-repeatable challenge from the aggregated user data for the user identifier and provides the non-repeatable challenge to the online system. The online system provides the challenge to the user and receives a response from the user. The online system provides the response to the authentication service and the authentication sends a success or failure back to the online system based on the response to the challenge, and based on the success or failure the online system makes a final determination for authenticating the user for accessing to the online system.

Abstract: A method and a corresponding device for authenticating a user for access to protected information, the method comprising generating a behavioral user profile associated with a first user known to be a legitimate user of the protected information, obtaining from a second user, using a behavioral input device associated with a second computing device, a behavioral user sample, storing the behavioral user sample, associated with the second user, in a temporary user profile, comparing the behavioral user sample of the second user to the behavioral user profile, and if the behavioral user sample does not match the behavioral user profile contacting the legitimate first user and receiving from the legitimate first user information regarding the legitimacy of the second user and based on the information received from the first user, providing a response to the second user and updating the user profile.

Abstract: Various devices, systems, structures and methods are disclosed related to securely authorizing a transaction by synchronizing digital genomic data with associated synthetic genomic variants. An embodiment of the present invention utilizes digital genomic data associated with an entity, such as a person, who may utilize a genome-based security device to complete a transaction. In one embodiment, a person may use a genome-based security device to communicate with an external device over a wireless or other communication interface, synchronize digital genomic data and an associated synthetic variant received from the external device with digital genomic data and associated synthetic variant stored on the genome-based security device.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: Aspects of the disclosure include a threat detecting apparatus. The threat detecting apparatus can include an interface circuit, an opcode detector, and a pattern analyzer. The interface circuit is configured to receive a data stream. The opcode detector can be configured to identify an opcode sequence embedded in the data stream based on a first model graph that includes a plurality of interconnected token nodes. Each token node is representative of an occurrence or a non-occurrence of a token. The pattern analyzer may be configured to identify an opcode signature embedded in the identified opcode sequence based on a second model graph, and to output a signal indicative of the successful identification of the opcode signature. The second model graph can include a plurality of interconnected opcode nodes, and each opcode node can be representative of an occurrence or a non-occurrence of a predetermined combination of one or more opcodes.

Abstract: Techniques for determining which resource access requests are handled locally at a remote computer, and which resource access requests are routed or “redirected” through a virtual private network. One or more routing or “redirection” rules are downloaded from a redirection rule server to a remote computer. When the node of the virtual private network running on the remote computer receives a resource access request, it compares the identified resource with the rules. Based upon how the identified resource matches one or more rules, the node will determine whether the resource access request is redirected through the virtual private network or handled locally (e.g., retrieved locally from another network). A single set of redirection rules can be distributed to and employed by a variety of different virtual private network communication techniques.

Abstract: The invention relates to a computer-implemented system and method for controlling access by users of an organization to one or more components of a computer application. The method may be conducted on a specially programmed computer system comprising one or more computer processors, electronic storage devices, and networks.

Abstract: A Layer Two Tunnel may be established between one or more user devices and a tunnel aggregator device via a home gateway. By establishing the Layer Two Tunnel, the tunnel aggregator and other entities of an access network, such as a multi-system operator (MSO) network, may be configured to identify individual user devices at a customer premise. As a result, the network operator may be able to offer individual user device and user based services. Additionally, operations, such as DHCP, NAT, etc., that may otherwise be conducted at a customer premise, such as by a home gateway, may be performed at the MSO and/or in the cloud.

Abstract: According to one example embodiment, a modem or other network device include an energy module configured to enter a low-power, low-bandwidth state when not in active use by a user. The low-power state may be maintained under certain conditions where network activity is not present, and or when only non-bandwidth-critical traffic is present. The network device may include a user interface for configuring firewall rules, and the user may be able to concurrently designate particular types of traffic as important or unimportant. The energy module may also be integrated with a firewall, and power saving rules may be inferred from firewall rules.

Abstract: A method and apparatus is provided for the virtualization of cryptographic resources which enables memory speed encryption and decryption that is not bound by the speed at which processor resources can compute the result of a symmetric-key algorithm. This is achieved through a time-memory tradeoff via empty space at provisioning time. When implementing the apparatus, un-initialized memory is filled with the output of a symmetric-key algorithm uniquely keyed for the specific set of data that is going to be written to the provisioned area. Since the provisioning operation stores cryptographically structured data, rather than redundant data, plaintext that is xor'ed into memory is automatically encrypted and ciphertext that xor'ed into memory is automatically decrypted without the need for additional cryptographic computation. This reduced computation requirement enables cryptographic function to be implemented at the ends of communication, rather than the middle, and treated as a virtualized resource.

Abstract: The advanced data protection system is implemented by distributing encrypted data across multiple isolated computing systems and using multi-factor authentication to access remote, protected decryption material. Architectural components include: Client application software reading/writing from/to a client data store executing on a client host computer, client application plug-ins communicating with external authentication devices, server application software reading/write data from/to a server data store executing on a host computer which is physically or virtually isolated from the client host computer, authentication devices, components, or systems integrated with or connected to the client computer and exposing programmatic interfaces to client application software, and secure networking components executing on both hosts that provide secure data exchange.

Abstract: Methods and systems for providing cyber security, wherein a computer with network access incorporates game theory and utilizes a honeypot to enhance game-theoretic developments over active and passive sensors. To numerically solve the uniquely three-sided game modeled cyber security problem, using a geometric solution based on three-dimensional (3D) action surface and action curve. The methods and systems determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; checks whether the equilibrium is a mixed or pure Nash; and timely computes Nash equilibriums; and follows a fictitious play concept. The solution is adaptive and can be applied for any partially observed cyber security system.

Abstract: Automated device discovery of pairing-eligible devices for authenticating an unidentified user of a computing device is provided. When the user initiates a login on the computing device on which the user's identity is not known, an automated pairing-eligible device discovery authentication system interrogates a resource (e.g., subnetwork router, calendaring server) for identifying pairing-eligible devices that may be used as a second factor for authentication. A list of the pairing-eligible devices is presented to the user on the computing device. Upon selection of a pairing-eligible device to use as a second factor to verify the user's identity, the user's identity is determined, and a notification is sent to the selected pairing-eligible device for enabling the user to verify his/her identity using a second factor. Upon completion of an authentication challenge on the selected pairing-eligible device, authentication of the user is completed, and a signed token is sent to the computing device.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer-readable storage medium, and including a method for managing privacy rights of a user related to the delivery of content. The method comprises providing a global privacy management interface that presents a selection tool for enabling a user to review privacy options and interests. The privacy options and interests include controls for presenting a list of identifiers that are associated with the user and interests associated with those identifiers. Each identifier is associated with a requesting source having been used by the user to access content. The interface enables de-selection of individual interests on a per-identifier or global basis. The method further comprises determining, in a server system, content to deliver to the user in view of the privacy selections.

Abstract: Cryptographic hashing circuitry such as mining circuitry used to mine digital currency may be formed on an integrated circuit. The hashing circuitry may include sequential rounds of register and logic circuitry that perform operations of a cryptographic protocol. A final hash output from the hashing circuitry may be checked using a difficulty comparison circuit to determine whether the hash output satisfies predetermined difficulty criteria. The difficulty comparison circuit may be configured as a hardwired comparison circuit having logic gates for checking only a subset of bits in the hash output. The comparison circuit may be adapted to change the number of bits that is checked based on a target number of bits for comparison set by the Bitcoin protocol. Candidate solutions found using the hardwired comparison circuit may then be fed to a host controller that checks the entire hash output to determine whether the candidate solution is valid.

Abstract: Technologies described herein provide enhanced security for storing and updating secret data, such as a password. Based on one or more conditions, an existing encryption key or a new encryption key may be used to generate encrypted data at a client computing device. The encrypted data may be communicated from the client computing device to a secret store managed by a first entity for storage of the encrypted data in the secret store. Based on one or more conditions, the new encryption key may be communicated from the client computing device to a key store managed by a second entity for storage of the new encryption key in the key store.

Abstract: Described herein is a security network controller having a main bus to which is coupled a central processing unit, a cryptographic processing circuit, a security control circuit, and a memory controller. The security control circuit is configured to receive data stored in memory from the memory controller over the main bus and send the data over a first dedicated bus to the cryptographic processing circuit to obtain encrypted data. The security control circuit is further configured to receive the encrypted data over the first dedicated bus from the cryptographic processing circuit and send the encrypted data to the memory controller over the main bus. The memory controller stores the encrypted data in memory of the security network controller.