Patents Examined by Syed M Ahsan
  • Patent number: 10230693
    Abstract: Portable, hand-held electronic devices for, and methods of, enabling a user to interact with a native operating system (OS) running on a host device and a virtual machine running on top of the native OS are presented. The host device includes a processor to communicate with an application having a target network address. The devices include an onboard database that stores user credential information and a portable encryption and authentication service module (PPEASM) that allows a secure communication channel to be made with the host device. The PPEASM configures the processor to negotiate authentication of the user with an application running on top of the native OS utilizing the user credential information, render an application running on top of the virtual machine, and pass data between the application running on top of the virtual machine and a second application running on top of the native OS.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: March 12, 2019
    Assignee: WEBCLOAK, LLC
    Inventor: Martin Dawson
  • Patent number: 10216950
    Abstract: A multi-tiered file locking service provides file locking at the thread and process level, and can optionally include locking at the file system level. A local locking mechanism maintains a list of local locks for threads within a process. When a thread requests a lock for a file, and a local lock is obtained, a process lock for the file may be requested. When no file system locking is used, when the process lock is obtained, the thread receives the lock for the file. When file system locking is used, when the process lock is obtained, a file system lock for the file may be requested. When the file system lock for the file is obtained, the thread receives the lock for the file. The result is a file locking service that functions across threads, processes and nodes in a distributed computing environment.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Elli Androulaki, Robert B. Basham, Martin Petermann, Harold J. Roberson, II, Alessandro Sorniotti
  • Patent number: 10218722
    Abstract: The present invention discloses a computer implemented method for developing an anomaly detector which is adapted to detect/predict anomaly in one or more network terminals and optimize the behavior of the network terminals. The said method is adapted to collect and monitor the behavior of the network terminals and compare it with the behavior profile of the network terminals in order to detect the anomaly parameter. The behavior profile is the normal interaction of the software and hardware components of the network terminals. A system for implementation and execution of such anomaly detector is also disclosed.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: February 26, 2019
    Inventors: Yandy Perez Ramos, Aldo Ferrante
  • Patent number: 10178100
    Abstract: Implementations of PDB Sandboxing in layers and mapping to different operating systems are described. In exemplary implementations, one or more pluggable databases (PDBs) are encapsulated on common container databases to form one or more PDB sandboxes. Encapsulating PDBs forms an isolation boundary layer configured to dynamically regulate security and isolation of the PDB sandboxes. Access by processes and resources to and from the PDBs inside respective PDB sandboxes through the isolation boundary layer, and access within PDB sandboxes, is regulated using dynamic access processes that dynamically vary access to resources and process disposed within and external to the PDB sandboxes.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: January 8, 2019
    Assignee: Oracle International Corporation
    Inventors: Nicolas Michael, Yixiao Shen, Glenn Faden
  • Patent number: 10178078
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: January 8, 2019
    Assignee: Assa Abloy AB
    Inventors: John Jules Alexander Boyer, Eric F. Le Saint
  • Patent number: 10158673
    Abstract: Concepts and technologies are disclosed herein for monitoring and controlling electronic activity. A policy service can be called for policies for controlling electronic activity occurring at one or more managed devices. The policies can include a number of rules, each of which can include a number of variables. The rules can be defined by a manager device and/or received from third parties. Third party rule submissions can be validated. If electronic activity at the managed device deviates from a rule, the manager device can be notified and the electronic activity can be blocked. The manager device can update the policy and/or issue exceptions, if desired.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: December 18, 2018
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Mounire El Houmaidi
  • Patent number: 10152597
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: December 11, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu
  • Patent number: 10148674
    Abstract: An information handling system includes an input and a processor. The processor receives a sequence of events, detects a first event within the sequence of events, determines a first state of a Markov model associated with the first event, detects a second event within the sequence of events, determines a second state of the Markov model associated with the second event, detects a state transition from the first state to the second state in the Markov model, determines a partial match of the sequence of events to a kill sequence of events in response to the state transition from the first state to the second state in the Markov model, and logs all events that occurred in the information handling system in between the first event and the second event.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: December 4, 2018
    Assignee: Dell Products, LP
    Inventor: Lewis I. McLean
  • Patent number: 10147092
    Abstract: A system to sign and authenticate secure transactions with an institution through a communications network, comprising a terminal connected to a communications network; a remote server with a database that stores for each user the user data userID, a private password encrypted K?priv, userID, a first security password K?mac, userID to generate an authentication password Kmac, userID and an identifier of the mobile device, Id?cel,userID; a mobile communication device of a user comprising a security code pin; an application, a transport password Ktransporte; a public password encrypted K?pub, userID and a second security password K?mac, userID for generating said authentication password Kmac, userID; and a remote hardware security module. A method to sign and authenticate secure transactions with an institution through a communications network with said system.
    Type: Grant
    Filed: April 3, 2012
    Date of Patent: December 4, 2018
    Inventors: Mauricio Eduardo Palma Lizana, Mauricio Alejandro Gaueca Figueroa
  • Patent number: 10122691
    Abstract: The present disclosure provides a receiving apparatus for preprocessing at least one segment data packet to a data packet. The receiving apparatus includes a packet parser, a data memory, a decrypt engine, a transmission engine, a header processing unit and a controller. The packet parser fetches segment-packet-header information from a segment packet header of each segment data packet. The decrypt engine decrypts an encrypted data of each segment data packet to obtain a segment payload and a QUIC private header including sequence information. The transmission engine transmits the segment payload to a specific location of a system memory. The header processing unit calculates packet information and updates the segment packet header stored in the data memory to generate a packet header. The controller controls the transmission engine based on the sequence information to output the packet header to the system memory for generating the data packet.
    Type: Grant
    Filed: July 6, 2016
    Date of Patent: November 6, 2018
    Assignee: REALTEK SEMICONDUCTOR CORP.
    Inventors: Chia-Hung Lin, Chang-Shiuan Yang, Yi-Huei Lei, Chun-Hao Lin
  • Patent number: 10121009
    Abstract: A testing system for testing computer system security includes control logic interposed between tester computers and a computer system under test. Tester computers are used by testers to test for security vulnerabilities of the computer system under test. A test results database contains records of tester interactions with the computer system under test and responses of the computer system under test to the tester interactions. A test mark database, coupled to the control logic, contains records related to granular elements of the computer system under test that are amenable to being tested for security vulnerabilities. Records of the test mark database indicate whether a corresponding granular element has been tested for security vulnerabilities. A coverage application, coupled to the test mark database, inputs data from the test mark database and outputs data indicating which granular elements of the computer system under test are to be tested.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: November 6, 2018
    Assignee: Synack, Inc.
    Inventors: Mark Kuhr, Jay Kaplan
  • Patent number: 10097521
    Abstract: One embodiment provides a system that facilitates efficient and transparent encryption of packets between a client computing device and a content producing device. During operation, the system receives, by a content producing device, an interest packet that includes a masked name which corresponds to an original name, wherein the original name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system obtains the original name based on the masked name. The system computes a symmetric key based on the original name and a generated nonce. The system generates a content object packet that corresponds to the original name and includes the masked name, the nonce, and a payload encrypted based on the symmetric key, wherein the content object packet is received by a client computing device.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: October 9, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Christopher A. Wood
  • Patent number: 10084754
    Abstract: Aggregating traffic over multiple VPN connections is described. A first Virtual Private Network (VPN) connection is established between a client device and a first VPN server via a first access network of the client device. A second Virtual Private Network (VPN) connection is established between the client device and a second VPN server via a second access network of the client device. Application traffic associated with a connection between an application server and a client application that corresponds to the client device is received. The application traffic associated with the connection between the application server and the client application is distributed between at least the first VPN connection and the second VPN connection.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: September 25, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benjamin M. Schultz, Aman Arneja
  • Patent number: 10037220
    Abstract: Aspects of the present invention provide an approach for facilitating a software-defined networking (SDN) communication in a container-based networked computing environment. In an embodiment, a SDN policy agent is created in the container-based networked computing environment. This SDN policy agent is created as a container virtual machine (VM) in the container-based networked computing environment. When a request is made by a VM to establish a SDN connection with the SDN controller for the server, the SDN controller forwards the request to the SDN policy agent. The SDN policy agent is responsible for determining whether the VM is eligible to establish the connection. If the SDN policy agent determines that the VM is eligible, the VM is allowed to become part of the SDN network.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: July 31, 2018
    Assignee: International Business Machines Corporation
    Inventors: Venkata S. Amulothu, Ashish Kapur, Vishal Shukla
  • Patent number: 10033712
    Abstract: A processing system periodically configures a beacon code and random nonce to transmit to a beacon device at a location. Multiple users enter the location with associated user computing devices. The user computing devices retransmit the beacon code broadcasted by the beacon device to the processing system. A particular user initiates a transaction at a computing device at the location, which transmits to the processing system a request for account data and retransmits the beacon code and a random nonce. The processing system verifies the beacon code and random nonce and transmits, to the computing device at the location, user account identifiers associated with user computing devices that retransmitted the beacon code. The processing system receives a selection of the user identifier from the merchant point of sale device and transmits account information to the computing device at the location.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: July 24, 2018
    Assignee: GOOGLE LLC
    Inventors: Sashikanth Chandrasekaran, Sheldon Israel Walfish, Yilei Wang, Zhihong Xu
  • Patent number: 9992179
    Abstract: A system includes a plurality of mail encryption gateways and a router. Each mail encryption gateway encrypts email according to an encryption policy of a customer. The router stores a plurality of sender policy framework (SPF) records. The router also receives an email and compares a source IP address of the email with the plurality of SPF records. The router determines that the source IP address corresponds to an SPF record of the plurality of SPF records and in response to that determination, determines that a Simple Mail Transfer Protocol From Field of the email comprises a domain of a cloud provider corresponding to the SPF record. In response to that determination, the router determines that a Multipurpose Internet Mail Extension From Field of the email comprises a domain of a customer and in response to that determination, routes the email to a mail encryption gateway.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: June 5, 2018
    Assignee: ZixCorp Systems, Inc.
    Inventors: Kelly Sue Morrison, Bryan Adam Joyner, Patrick Stephen Trantham, David Vincent Care
  • Patent number: 9966700
    Abstract: An integrated data and security cable couples to a portable information handling system with pins engaged at pin guides formed in the system housing on opposing sides of a data port. At least one pin selectively locks and unlocks in the pin guide to secure the system to a fixture, such as a desktop. The locking pin releases from the cable side with a key or combination or, alternatively, releases from the information handling system, such as under control of an embedded controller or other security system.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: May 8, 2018
    Assignee: Dell Products L.P.
    Inventors: Timothy R. Gee, Christophe Daguet, Mohammed K. Hijazi, Christopher A. Torres