Patents Examined by William Powers
  • Patent number: 9548990
    Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment, monitoring a heap of a memory while executing the program in the virtual environment, and detecting a potential heap spray attack based on detecting a burst allocation of a first plurality of blocks in the heap of the memory, in which each of the first plurality of blocks is stored in the predefined address range of the memory.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: January 17, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: ChienHua Lu, Bo Qu, Kyle Sanders
  • Patent number: 9537826
    Abstract: A method for transmitting content data includes receiving content data, and passing at least a portion of the content data based on a size of the received content data. A method for transmitting content data includes receiving content data, and passing at least a portion of the content data based on a prescribed rate. A method for transmitting content data includes receiving content data, and passing at least a portion of the content data before performing policy enforcement on the content data.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: January 3, 2017
    Assignee: Fortinet, Inc.
    Inventors: Michael Xie, Bing Xie
  • Patent number: 9531683
    Abstract: Embodiments of the invention are directed to systems, methods and computer program products for establishing a secure connection between a data repository and an intelligence application.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: December 27, 2016
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Melissa Ortiz-Munoz, Richard V. Wherry, Allen J. Thompson, Christopher J. Fiore
  • Patent number: 9521154
    Abstract: Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: December 13, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventor: Kevin M. Worth
  • Patent number: 9521123
    Abstract: A method for encryption and sealing of a plaintext file by hashing the plaintext file to produce a plaintext hash, encrypting the plaintext file to produce ciphertext, hashing the ciphertext to produce a ciphertext hash, hashing the plaintext hash and the ciphertext hash to produce a result hash, and sealing the ciphertext together with the result hash. This provides verification for non-repudiation and protects against undetected malware corrupting the plaintext or ciphertext files.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: December 13, 2016
    Assignee: Spyrus, Inc.
    Inventors: Robert R. Jueneman, Duane J. Linsenbardt, John N. Young, William Reid Carlisle, Burton George Tregub
  • Patent number: 9514287
    Abstract: A process verifies, with a processor, a user account for content delivery with a rolling slot configuration. The rolling slot configuration has a maximum quantity of available slots for devices authorized to receive content. The rolling slot configuration has a plurality of ordered slots that are ordered based upon priority. The process receives a request for content from the user account at a device. The process automatically registers the device in an available slot of the rolling slot configuration based upon a determination of slot availability. The process authorizes the device to play content associated with a user entitlement. The process automatically deauthorizes the device to play the content based upon a deauthorization parameter being met. The process removes a registration of the device from the available slot. The process moves a registration of an additional device with a higher priority than the device to the available slot.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: December 6, 2016
    Assignee: Disney Enterprises, Inc.
    Inventors: Edward Drake, Michael Musick, Mark Arana, Andrew Wright
  • Patent number: 9516359
    Abstract: Methods for session based watermarking of media content using encrypted content streams are provided. At least two content streams of the same media content are watermarked with different watermark information and encrypted using different encryption percentages. During a playback session, a unique sequence is generated and provided to a client device for use by the client device in selecting consecutive content segments from the different content streams to produce the original media content with a watermark that uniquely identifies a user of the client device. When selecting the different content segments, the client device compares the encryption percentage of certain selected content segments with the expected encryption percentage for those content segments to determine whether the content streams have been tampered with.
    Type: Grant
    Filed: April 7, 2015
    Date of Patent: December 6, 2016
    Assignee: DIVX, LLC
    Inventor: Mayur Srinivasan
  • Patent number: 9516001
    Abstract: Methods, apparatus, systems and articles of manufacture to monitor media presentations are disclosed. An example method includes extracting first network packet parameters from a first network packet received at a media device when retrieving a first encrypted web page, storing, at the media device, the first network packet parameters in association with a uniform resource locator for the first encrypted web page, the uniform resource locator received from an extension in a web browser at the media device, extracting second network packet parameters from a second network packet received at the media device from an unknown encrypted web page, when the extension is inoperative, comparing the second network packet parameters to the first network packet parameters, and identifying the unknown encrypted web page as the first encrypted web page when the comparison of the second network packet to the first network packet parameters has a similarity above a threshold.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: December 6, 2016
    Assignee: THE NIELSEN COMPANY (US), LLC
    Inventors: Robert P. Borland, Jonathon Brett Rubin, Anthony B. Stringer, Adam Schenker, Shailendra Paranjape
  • Patent number: 9503465
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to learn malicious activity. An example method includes assigning weights of a distance function to respective statistical features; iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: November 22, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Baris Coskun
  • Patent number: 9503452
    Abstract: The method integrates the dynamic and authoritative posture of an authenticated user, a registered device, and a registered service provider as a conclusive proof of identity recognition for affiliation of associated contextual attribution and referential integrity. In addition to relieving the user of the burden of remembering multiple passwords for a plurality of services, the method provides a means to facilitate an affiliation oriented architecture for a broad spectrum of web and cloud based services with affiliation aware content streaming, leveraging the affiliation score as a key trust metric. The method provides protection from user-agnostic delegation and impersonation of identity, social engineering, and compromised passwords, which are exploited by numerous strains of landed malware to launch multi-stage coordinated cyber-attacks on consumer accounts and enterprise systems.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: November 22, 2016
    Assignee: AUTOMITI LLC
    Inventors: Srinivas Kumar, Atul Gupta, Shashank Jaywant Pandhare
  • Patent number: 9477826
    Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: October 25, 2016
    Assignee: BIOCATCH LTD.
    Inventors: Avi Turgeman, Edo Dekel, Oren Kedem
  • Patent number: 9471787
    Abstract: A system for detecting security vulnerabilities in web applications, the system including a black-box tester configured to provide a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determine, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yair Amit, Alexander Landa, Omer Tripp
  • Patent number: 9465755
    Abstract: Example embodiments disclosed herein relate to security parameter zeroization. Example embodiments include security parameter zeroization based on a remote security monitor.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: October 11, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Ted A. Hadley
  • Patent number: 9460315
    Abstract: An order-preserving encryption system has an encryption means which generates a ciphertext as a sum of data which complies with a distribution X determined in advance, and the encryption means generates the ciphertext using the distribution X represented in a format that data of a bit length determined at random is selected at random according to a distribution matching the bit length.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: October 4, 2016
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 9460291
    Abstract: A method for detecting security vulnerabilities in web applications can include providing a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, detecting the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determining, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.
    Type: Grant
    Filed: March 26, 2012
    Date of Patent: October 4, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yair Amit, Alexander Landa, Omer Tripp
  • Patent number: 9456004
    Abstract: For each of a plurality of endpoints of an information technology system having a plurality of security policies, a probability of being safe of each of said endpoints is determined according to each of said security policies. Said determining takes into account probability of security compromise for a single violation of each given one of said security policies. A risk-aware compliance metric is determined for said information technology system based on each of said probabilities of being safe for each of said endpoints and each of said policies. At least one of an operation and a remediation is carried out on said information technology system based on said risk-aware compliance metric. Techniques for optimizing risk-aware compliance are also provided.
    Type: Grant
    Filed: June 5, 2014
    Date of Patent: September 27, 2016
    Assignee: GLOBALFOUNDRIES INC.
    Inventors: Bhavna Agrawal, Daniel M. Coffman, Frank A. Schaffa, Robert M. Delmonico
  • Patent number: 9450956
    Abstract: A system and method provide automatic access to applications or data. A portable physical device, referred to herein as a Personal Digital Key or “PDK”, stores one or more profiles in memory. In one embodiment, a biometric profile is acquired in a secure trusted process and uniquely associated with a user that is authorized to use and associated with the PDK. The PDK wirelessly transmits identification information including a unique PDK identification number, and optionally the biometric profile and a profile over a secure wireless channel to a reader. A computing device is coupled to the reader. An auto login server is coupled to the reader and the computing device and launches one or more applications associated with a user name identified by the received profile.
    Type: Grant
    Filed: November 5, 2014
    Date of Patent: September 20, 2016
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Patent number: 9443071
    Abstract: Devices, systems and methods are disclosed for additional security, functionality, and convenience in the operation of a wireless communication device with the use of a separate proximity security token in communication with the wireless communication device. In exemplary embodiments, the token is carried by the user while device logic is installed on the user's wireless communication device. The device logic along with transceivers allows the device to sense proximity of the token through wireless communication. Given a certain range of the proximity security token, as determined by the wireless signal strength, the device logic determines whether the device is in a locked or unlocked state. If the proximity security token is outside the range, then the device is locked. The proximity security token uses ultra low power communications for optimal battery life.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: September 13, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Michael Horton
  • Patent number: 9436817
    Abstract: Information-processing device transmits biological information not being encrypted in association with an application ID to information delivery server device, and transmits encrypted biological information in association with a user ID to backup server device. Advisory terminal accepts an input of advice according to a user data set stored in information delivery server device. Client terminal downloads the advice according to the user data set from information delivery server device.
    Type: Grant
    Filed: February 20, 2013
    Date of Patent: September 6, 2016
    Assignee: NTT DOCOMO, INC.
    Inventors: Koji Omae, Yasutaka Sakon, Kiyotaka Hori, Kazuhiro Takagi
  • Patent number: 9438692
    Abstract: Techniques for identity and policy enforced cloud communications are presented. Cloud channel managers monitor messages occurring within a cloud or between independent clouds. Policy actions are enforced when processing the messages. The policy actions can include identity-based restrictions and the policy actions are specific to the messages and/or clouds within which the messages are being processed.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: September 6, 2016
    Assignee: Novell, Inc.
    Inventors: Bruce L. Bergeson, Carolyn B. McClain, Stephen R Carter, Vernon Roger Holm