Patents by Inventor Karim El Defrawy

Karim El Defrawy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190036882
    Abstract: A method for generating a security policy for a network includes classifying a sample of network flows into at least one flow type selected from a group including a service flow, mirror flow, network address translation flow, and arbitrary flow; grouping the network flows based on flow type and one or more of an associated service port, source port, and destination port. Network security rules for the network are automatically generated based on the groups of network flows. The network security rules may further be transformed into a security policy and configuration files.
    Type: Application
    Filed: July 28, 2017
    Publication date: January 31, 2019
    Inventors: Chong Ding, Karim El Defrawy
  • Publication number: 20190020472
    Abstract: Described is a system for biometric authentication. The system converts biometric data into a cryptographic key r′ using a reusable fuzzy extractor process having an underlying hash function modeling a random oracle model. The system allows access to secured services when a comparison of r′ to a previously computed cryptographic key r shows a match.
    Type: Application
    Filed: May 10, 2018
    Publication date: January 17, 2019
    Inventors: Chongwon Cho, Karim El Defrawy, Daniel C. Apon, Jonathan Katz
  • Patent number: 10181049
    Abstract: Described is a process for secure and privacy-preserving data retrieval operations in a network having a plurality of nodes. The process includes receiving a query at a querying node. The query is encrypted to generate an encrypted metadata query record. The encrypted metadata query record is transmitted to each queried node that is to be searched for data. A secure pattern matching protocol is used to search a database of metadata records to match a query answer to the metadata query record. The query answer is then encrypted. A query policy is verified for the querying node, with the encrypted answer being further encrypted based on the query policy. The further encrypted answer is transmitted to the querying node, which removes the outer layer of encryption, resulting in the original encrypted answer. The original encrypted answer is then decrypted to recover the query answer.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: January 15, 2019
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Gavin D. Holland
  • Publication number: 20180359188
    Abstract: Systems and methods for generating filtering rules are provided. One computer implemented method includes receiving a command to modify existing network traffic rules. The method further includes performing a quality calculation for the existing network traffic rules, the quality calculation being a function of a number of distinct flows permitted by a particular rule, wherein (i) if the command to the network is to increase the number of rules, then identifying a rule of the existing network traffic rules with a highest quality calculation, splitting the rule into sub-rules and adding a new rule, and (ii) if the command to the network is to decrease the number of rules, then identifying the existing network traffic rules with quality rule calculations near a predetermined value, adding new rules, and merging the new rules to the identified rules with quality rule calculations near the predetermined value.
    Type: Application
    Filed: June 12, 2017
    Publication date: December 13, 2018
    Inventors: Hyun J Kim, Chong Ding, Karim El Defrawy
  • Patent number: 10129342
    Abstract: Example methods and systems for mapping network service and/or application dependencies are provided. Some examples may visualize a large, complex network of network services and/or applications (e.g., Internet services and applications) and their dependencies over time. Each service (or application) may be represented as a node and the visualization may present information regarding the relationships among services and/or applications using directed edges (or lines) with varying thickness, colors, and/or line-styles depending on network data.
    Type: Grant
    Filed: June 19, 2015
    Date of Patent: November 13, 2018
    Assignee: THE BOEING COMPANY
    Inventors: Karim El Defrawy, Hyun Jin Kim, Pape Maguette Sylla, Ryan F. Compton
  • Patent number: 10083310
    Abstract: Described is a system for mobile proactive secure multiparty computation using commitments. The system generates, at each server, secret sharings for each of its input gates using a Secret-Share protocol. Thereafter, sharings of inputs are generated for random gates using a GenPoly protocol. Sharings of multiplication triples are then generated for multiplication gates using a Multiplication-Triple protocol. Affine gates are then evaluated. Multiplication gates can then be evaluated using the multiplication triples and implementing a Secret-Open protocol. A Secret-Redistribute protocol is used to re-randomize the secret sharing. The Secret-Open protocol is implemented after a sharing for an output gate has been computed to reveal the secret.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: September 25, 2018
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Karim El Defrawy
  • Patent number: 10003985
    Abstract: Described is a system for determining reliability of nodes in a mobile wireless network. The system is operable for receiving an Exploitation Network (Xnet) database. The Xnet database has an Xnet structure formed of a physical node layer (NetTopo), a network dependent (NetDep) layer, and an application dependent (AppDep) layer. The NetTopo layer includes NetTopo graphs reflecting connectivity between the nodes. The NetDep layer includes NetDep graphs reflecting connectivity dependencies amongst the nodes, and the AppDep layer includes AppDep graphs reflecting software application dependencies amongst the nodes. An Xnet Analytics Engine is run that monitors and evaluates reliability of each node in the mobile wireless network to provide a reliability estimate of each node.
    Type: Grant
    Filed: February 19, 2015
    Date of Patent: June 19, 2018
    Assignee: HRL Laboratories, LLC
    Inventors: Gavin D. Holland, Michael D. Howard, Tsai-Ching Lu, Karim El Defrawy, Matthew S. Keegan, Kang-Yu Ni
  • Patent number: 9846596
    Abstract: Described is a system for a cloud control operations plane. In operation, a job is broadcast to a plurality of physical hosts, one or more of the physical hosts having a control operations plane (COP) node and a service node associated with the COP node. The COP nodes jointly create a private job assignment. A set of job assignments is redundantly distributed to individual COP nodes pursuant to the private job assignments, such that each individual COP node is only aware of its own assignment and corresponding job. The service nodes then each complete a task associated with the job and generate an output. When a set of service nodes performing a redundant job complete their task, the corresponding COP nodes jointly perform a private result checking protocol to generate a final output. The final output is then sent to the user.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: December 19, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Aleksey Nogin, Kirill Minkovich, Karim El Defrawy, Joshua W. Baron, Eric P. Tressler, Gavin D. Holland
  • Publication number: 20170316214
    Abstract: Described is a system for obfuscating a computer program. Sensitive data of an unprotected computer program is received as input. A random oracle is used to algebraically hide a set of polynomial-size point functions representing the sensitive data. The system outputs a set of obfuscated instructions internally hiding the sensitive data. The set of obfuscated instructions are used to transform the unprotected computer program into a protected, obfuscated computer program that is accepting of the set of polynomial-size point functions. The obfuscated computer program is written to a non-volatile computer-readable medium.
    Type: Application
    Filed: April 5, 2016
    Publication date: November 2, 2017
    Inventors: Karim El Defrawy, Chongwon Cho, Daniel C. Apon, Jonathan Katz
  • Publication number: 20170317820
    Abstract: Described is a system for mobile proactive secret sharing amongst a set of servers. A First protocol distributes a block of secret data among the set of servers, the block of secret data including shares of data. Each server holds one share of data encoding the block of secret data. A Second protocol periodically refreshes shares of data such that each server holds a new share of data that is independent of the previous share of data. A Third protocol reveals the block of secret data. Shares of data are periodically erased to preserve security against the adversary. The Second protocol provides statistical security or non-statistical security against the adversary.
    Type: Application
    Filed: October 31, 2016
    Publication date: November 2, 2017
    Inventors: Joshua D. Lampkins, Karim El Defrawy
  • Patent number: 9787472
    Abstract: Described is a system for mobile proactive secret sharing amongst a set of servers. A First protocol distributes a block of secret data among the set of servers, the block of secret data including shares of data. Each server holds one share of data encoding the block of secret data. A Second protocol periodically refreshes shares of data such that each server holds a new share of data that is independent of the previous share of data. A Third protocol reveals the block of secret data. Shares of data are periodically erased to preserve security against the adversary. The Second protocol provides statistical security or non-statistical security against the adversary.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: October 10, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Karim El Defrawy
  • Patent number: 9628553
    Abstract: A method and apparatus for discovering service dependencies. A plurality of connections is identified between nodes in a data network. A set of connection pairs is identified based on the plurality of connections identified. A set of time series is created for the set of connection pairs using monitoring data received from a plurality of sensors monitoring the data network. Service dependencies may be discovered using the set of time series.
    Type: Grant
    Filed: October 24, 2014
    Date of Patent: April 18, 2017
    Assignee: THE BOEING COMPANY
    Inventors: Karim El Defrawy, Pape Maguette Sylla
  • Patent number: 9614676
    Abstract: Described is a system for implementing proactive secret sharing. The system uses a Secret-Share protocol to distribute, by a computing device, a block of secret data comprising shares of secret data among a set of computing devices, wherein each computing device in the set of computing devices holds an initial share of secret data. The system uses at least one Secret-Redistribute protocol to periodically redistribute the plurality of shares of secret data among the set of computing devices, wherein each computing device in the set of computing devices holds a subsequent share of secret data from the block of secret data that is independent of the initial share of secret data. Finally, a Secret-Open protocol is initialized to reveal the block of secret data.
    Type: Grant
    Filed: August 3, 2015
    Date of Patent: April 4, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua D. Lampkins, Joshua W. Baron
  • Patent number: 9613292
    Abstract: Described is a protocol for multi-dimensional secure pattern matching. The protocol is to be evaluated between two parties, P1 (or Client) and P2 (or Server). P1 holds a multi-dimensional pattern, p, and P2 holds a multi-dimensional text T (where both p and T have the same number of dimensions, but where p may be of smaller length in each dimension compared to T). P1 and P2 would then engage in a protocol that allows P1 to find out whether p is present in T or not. The security and privacy requirements are that P2 does not learn any information about the pattern p nor the result of the matching. P1 should also not learn any information about T other than whether p is present in it or not. Upon implementation of the protocol, p matches T if there exists an m × … × m sub-hypermatrix (or sub-array) of T that equals p.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: April 4, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Kirill Minkovich, Joshua W. Baron, Eric P. Tressler
  • Patent number: 9558359
    Abstract: Described is a system for mobile proactive secret sharing. The system initializes a RobustShare protocol to distribute a block of secret data among a set of servers comprising n servers. The block of secret data comprises a plurality of shares of data, wherein each server in the set of servers holds one share of data encoding the block of secret data. At least one Block-Redistribute protocol is initialized to protect against at least one adversary that attempts to corrupt the set of servers. During a Block-Redistribute protocol, the set of servers periodically refreshes its plurality of shares of data such that each server holds a new share of data that is independent of the previous share of data. Finally, a Reco protocol is initialized to reveal the block of secret data.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: January 31, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua W. Baron, Joshua D. Lampkins
  • Patent number: 9536114
    Abstract: Described is a system for secure mobile proactive multi-party computation. The system securely evaluates a circuit in the presence of an adversary. The circuit receives secret inputs comprising secret values from a set of servers. Sharings of random values for the random and input gates are generated. For each input gate, a sharing of a random value associated with the input gate is opened toward a server Pi. A sum of the server Pi's secret values and the random value is broadcast to the set of servers. Each server uses the sum to adjust its sharing of the random value, generating a sharing of server Pi's secret values. The secret values are re-randomized to preserve privacy of the secret values. A sharing of the secret values is determined for each output gate, and each sharing of secret values is revealed to an intended recipient.
    Type: Grant
    Filed: September 4, 2014
    Date of Patent: January 3, 2017
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua D. Lampkins
  • Publication number: 20160373535
    Abstract: Example methods and systems for mapping network service and/or application dependencies are provided. Some examples may visualize a large, complex network of network services and/or applications (e.g., Internet services and applications) and their dependencies over time. Each service (or application) may be represented as a node and the visualization may present information regarding the relationships among services and/or applications using directed edges (or lines) with varying thickness, colors, and/or line-styles depending on network data.
    Type: Application
    Filed: June 19, 2015
    Publication date: December 22, 2016
    Inventors: Karim El Defrawy, Hyun Jin Kim, Pape Maguette Sylla, Ryan F. Compton
  • Patent number: 9489522
    Abstract: Described is a system for generation of elliptic curve digital signature algorithm (ECDSA) based digital signatures. A Secret-Share protocol is initialized between a client and a set of servers to share a set of shares of a private key s among the set of servers. The set of servers initializes a protocol to generate a digital signature on a message using the set of shares of the private key s without reconstructing or revealing the private key s. The set of servers periodically initializes a Secret-Redistribute protocol on each share of the private key s to re-randomize the set of shares. A Secret-Open protocol is initialized to reveal the private key s to an intended recipient, wherein the private key s is used to compute the digital signature.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: November 8, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua D. Lampkins
  • Patent number: 9467451
    Abstract: Described is a system for transforming a SHARE protocol into a proactively secure secret sharing (PSS) protocol. A PREFRESH protocol is performed that includes execution of the SHARE protocol. The PREFRESH protocol refreshes shares of secret data among multiple parties. The SHARE protocol is a non-proactively secure secret sharing protocol.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: October 11, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua W. Baron, Karim El Defrawy, Joshua D. Lampkins
  • Patent number: 9449177
    Abstract: Described is a system for proactively secure multi-party computation (MPC). Secret shares representing data are constructed to perform computations between a plurality of parties modeled as probabilistic polynomial-time interactive Turing machines. A number of rounds of communication where the plurality of parties jointly compute on the secret shares is specified. Additionally, a threshold of a number of the plurality of parties that can be corrupted by an adversary is specified. The secret shares are periodically refreshed and reshared among the plurality of parties before and after computations in each of the rounds of communication. The data the secret shares represent is proactively secured.
    Type: Grant
    Filed: October 15, 2013
    Date of Patent: September 20, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: Karim El Defrawy, Joshua W. Baron