Security Levels Patents (Class 713/166)
  • Patent number: 10749896
    Abstract: A method, a system, and a computer readable medium for determining a readiness of a computerized network against distributed denial of service (DDoS) attacks are provided herein. The system may include: an interface configured to obtain properties characterizing the computerized network; a knowledge base containing a plurality of rules taking into account DDoS risks and best practice related thereto; and a computer processor configured to: analyze the properties using the knowledge base to yield an analysis; and determine a readiness of the computerized network against DDoS attacks, based on the analysis. In some embodiments, the properties are obtained by analyzing a filled-in questionnaire relating to the computerized network under test. In other embodiments, these properties are automatically derived from databases containing data pertaining to the computerized network.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: August 18, 2020
    Assignee: RED BUTTON LTD.
    Inventor: Ziv Gadot
  • Patent number: 10749956
    Abstract: A computing system for managing storage relative to a storage subsystem is provided. The computing system includes a processor and a first interface configured to interact with a deployed software system using a representational state transfer communication technique. A second interface is configured to interact with the storage subsystem in accordance with the representational state transfer technique. The computing system is configured to interact with the storage subsystem via the second interface in response to a request from the deployed software system via the first interface and to provide an output to the deployed software system through the first interface based on the interaction with the storage subsystem.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: August 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ryan Battle, Kanaka Komandur, Aditya Desai, Costel Radu, Jared Lambert
  • Patent number: 10747548
    Abstract: Systems and methods for manufacturing Information Handling Systems (IHSs) with Operating System (OS)-specific hardware and/or firmware components. In some embodiments, an IHS may include a first Operating System (OS)-specific chip coupled to a motherboard; and an Embedded Controller (EC) coupled to the motherboard, the EC configured to execute program instructions that cause the IHS to, in response to a user interface device having a second OS-specific chip being coupled to the IHS during manufacturing of the IHS, deactivate the first OS-specific chip and activate the second OS-specific chip.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: August 18, 2020
    Assignee: Dell Products, L.P.
    Inventors: Bradford Edward Vier, Christian L. Critz, James T. Gillon
  • Patent number: 10742666
    Abstract: A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: August 11, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yinnon Haviv, Roee Hay, Marco Pistoia, Guy Podjarny, Adi Sharabani, Takaaki Tateishi, Omer Tripp, Omri Weisman
  • Patent number: 10726145
    Abstract: Embodiments of the present disclosure relate to automatically and dynamically elevating permissions on a mainframe system. Initially, a user may request an elevation class which corresponds to elevated class resources of the mainframe system. The elevation class may enable the user to perform actions to datasets, files, applications, or systems of the mainframe system the user may not otherwise be able to perform. If the user has permission to the elevation class, a user identification corresponding to the user and the elevation class is registered in an elevated permission structure. An access control environment element (ACEE) is dynamically created with the elevated permission structure and the elevated class resources of the elevation class are associated with the ACEE. The user can then be validated with access to the elevated class resources. At the expiration of a limited duration of time, the elevated class resources are automatically disassociated with the ACEE.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: July 28, 2020
    Inventors: Frederic Duminy, Linwood Hugh Overby, Jr., Kevin Cunningham, Paul Reichl
  • Patent number: 10693897
    Abstract: Activity specifications of a plurality of activities to be monitored are received. Each activity specification of the activity specifications identifies properties of a corresponding activity of the activities to be monitored. A fingerprint specification of a computer security risk fingerprint is received. The fingerprint specification identifies a combination of two or more of the activities to be detected. A log of activities to identify occurrences of the activities to be monitored is analyzed. Based on the analysis, the computer security risk fingerprint in the log of activities is detected, including by detecting an occurrence of at least a portion of the combination of the activities identified by the fingerprint specification. A computer security action based on the detection of the computer security risk fingerprint is performed.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: June 23, 2020
    Assignee: Facebook, Inc.
    Inventors: Benjamin Roy Jones, Samuel Webb Jones
  • Patent number: 10691476
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor access to data in a secured area of memory at a hypervisor level, receive a request from a process to the data in the secured area, and deny the request if the process is not a trusted process. In an example, the electronic device is a point of sale device.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: June 23, 2020
    Assignee: McAfee, LLC
    Inventors: Aditya Kapoor, Jonathan L. Edwards
  • Patent number: 10693888
    Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.
    Type: Grant
    Filed: October 1, 2018
    Date of Patent: June 23, 2020
    Assignee: Capital One Services, LLC
    Inventors: Drew Jacobs, Hannes Jouhikainen
  • Patent number: 10666620
    Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: May 26, 2020
    Assignee: United Services Automobile Association (USAA)
    Inventors: Donald E. Clemons, Christopher Thomas Wilkinson
  • Patent number: 10664416
    Abstract: Technologies for secure I/O with an external peripheral device link controller include a computing device coupled to an external dock device by an external peripheral link, such as a Thunderbolt link. The external dock device includes an I/O controller that receives device data from an I/O device, generates a channel identifier associated with the I/O device, and transmits I/O data that includes the channel identifier to a dock controller. The dock controller encapsulates the I/O data to generate peripheral link protocol data and transmits the peripheral link protocol data to a host controller of the computing device over the external peripheral link. The host controller de-encapsulates the peripheral link protocol data and forwards the I/O data to memory. The channel identifier may be a predetermined value associated with the I/O controller, or may include a controller identifier associated with the host controller. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Reshma Lal, Siddhartha Chhabra
  • Patent number: 10659448
    Abstract: In an embodiment a single user authentication event, performed between a trusted path hardware module and a service provider via an out of band communication, can enable a user to transparently access multiple service providers using strong credentials that are specific to each service provider. The authentication event may be based on multifactor authentication that is indicative of a user's actual physical presence. Thus, for example, a user would not need to enter a different retinal scan to gain access to each of the service providers. Other embodiments are described herein.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: May 19, 2020
    Assignee: Intel Corporation
    Inventors: Abdul M. Bailey, Ned M. Smith, Atul Gupta
  • Patent number: 10659472
    Abstract: A storage controller that is coupled to a plurality of storage clouds is maintained. The storage controller determines security requirements for performing a selected operation in the plurality of storage clouds. A subset of storage clouds of the plurality of storage clouds that are able to satisfy the security requirements are determined. A determination is made as to which storage cloud of the subset of storage clouds is most responsive for performing the selected operation. The selected operation is performed in the determined storage cloud that is most responsive.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: May 19, 2020
    Assignee: International Business Machines Corporation
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 10659222
    Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely by deleting the transform key; no elimination of the encrypted data, regardless of its storage location, is needed.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: May 19, 2020
    Assignee: IRONCORE LABS, INC.
    Inventors: Robert L. Wall, Patrick Joseph Walsh
  • Patent number: 10652319
    Abstract: A system for data processing is disclosed that includes a computing cluster allocation system operating on a processor and configured to receive a work project, to segment the work project into a plurality of tasks and to distribute the plurality of tasks to a plurality of anonymous computing units using a block chain algorithm, and a computing cluster monitor system operating on the processor and configured to receive data associated with the plurality of tasks from the computing cluster allocation and response data from the anonymous computing units and to determine whether the project has been completed.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: May 12, 2020
    Assignee: DELL PRODUCTS L.P.
    Inventors: Daniel A. Ford, Zhuoqun Cheng
  • Patent number: 10652137
    Abstract: An example method for facilitating conflict avoidant traffic routing in a network environment is provided and includes detecting, at a network element, an intent conflict at a peer network element in a network, and changing a forwarding decision at the network element to steer traffic around the conflicted peer network element. The intent conflict refers to an incompatibility between an asserted intent associated with the traffic and an implemented intent associated with the traffic. In specific embodiments, the detecting includes mounting rules from the peer network element into the network element, and analyzing the mounted rules to determine intent conflict. In some embodiments, a central controller in the network deploys one or more intentlets on a plurality of network elements in the network according to corresponding intent deployment parameters.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: May 12, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Eric A. Voit, Samer Salam, Ludwig Alexander Clemm, Yegnanarayanan Gargya Chandramouli
  • Patent number: 10644881
    Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: May 5, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory Branchek Roth
  • Patent number: 10642979
    Abstract: A system and method for early detection of a compromised client device includes a tamper detection service configured to monitor modifications to resource access privileges over time to identify unusual variations in jailbreak status that indicate compromise of the client device. For example, the tamper detection service may monitor the jailbreak status of system files over time to expose attempts to hide the jailbreak status of a protected resource. To validate that malware is attempting to hide the jailbreak status of a protected resource, the tamper detection process may launch multiple different resource accesses, targeting the protected resource, to determine whether different accessibility results are returned, indicating a compromised device.
    Type: Grant
    Filed: September 19, 2019
    Date of Patent: May 5, 2020
    Assignee: Capital One Services, LLC
    Inventors: Jon Whitmore, Kevin Nieman
  • Patent number: 10623382
    Abstract: A non-transitory computer-readable medium comprising a black zone and a plurality of other electronic components for protecting a data exchange from a malicious attack on the data, that when executed on a processor, perform the steps comprising receiving a client hello message from a client, transmitting a server hello message, receiving a pre-master secret message encrypted with a server public key, storing the pre-master secret, protecting the black zone from malicious attacks on data by isolating hardware of the black zone from the plurality of other electronic components, calculating a master secret in the black zone, storing the master secret as a black key in the black zone, receiving a changed cipher specification and finished message encrypted with a session key, and transmitting a finished message encrypted with a symmetric key. The server hello message comprises a certificate.
    Type: Grant
    Filed: June 22, 2016
    Date of Patent: April 14, 2020
    Assignee: CYPHRE SECURITY SOLUTIONS, LLC
    Inventors: Townsend J. Smith, III, Vihar R. Rai, Benjamin M Collins
  • Patent number: 10606965
    Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: March 31, 2020
    Assignee: LEVIATHAN SECURITY GROUP, INC.
    Inventors: Falcon Momot, Mikhail Davidov, Patrick Stach, Darren Kemp
  • Patent number: 10609008
    Abstract: A secure communication between computer systems over a network, such as the Internet, is performed utilizing an enhancement to the IKEv2 key exchange protocol that provides more security by exchanging the IKE_SA_INIT messages in a secure and protected manner. Cryptographic suites are utilized to encrypt and authenticate the IKE_SA_INIT exchange messages in order to prevent cyberattacks against such a messaging protocol.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: March 31, 2020
    Assignee: NXP USA, Inc.
    Inventors: Jyothi Vemulapalli, Rampullaiah Batchu
  • Patent number: 10601839
    Abstract: Accessing a security enabled application may require certain access privileges that are not readily available or associated with the application at the time a user is seeking access via a login operation. In operation, an access attempt to a security enabled application may include identifying user credentials associated with the access attempt, generating a query based on the user credentials to identify whether the user credentials are associated with a predetermined group membership. A response to the query may be received that includes group information corresponding to the user and the group information may be compared to a set of predetermined rules to determine whether the group information includes privilege rules used to grant access to the access attempt.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: March 24, 2020
    Assignee: OPEN INVENTION NETWORK LLC
    Inventors: Mark R. Vevle, Nathan Robert Jones
  • Patent number: 10600140
    Abstract: A method for extracting display data from a computing resource of a computer system comprises the dynamic selection of a display capturing mode among a plurality of display capturing modes.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: March 24, 2020
    Assignee: BLADE
    Inventors: Emmanuel Freund, Asher Criou
  • Patent number: 10572963
    Abstract: According to an aspect, a system comprises at least one processor, a memory, and a non-transitory computer-readable storage medium storing instructions. The stored instructions are executable to cause the at least one processor to: receive a digital image that represents an object scanned by a detection device, determine a region of the digital image that is likely to contain an item, transform the region of the digital image to an embedding, classify, based on the embedding, the region as containing a known class of known item, and responsive to classifying the region as containing the known class of item: generate a graphical representation based on the known class of item.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: February 25, 2020
    Assignee: Synapse Technology Corporation
    Inventors: Ian Cinnamon, Bruno Brasil Ferrari Faviero, Simanta Gautam
  • Patent number: 10567537
    Abstract: Methods, systems, and computer-readable media for optimizing web pages using a rendering engine are presented. In some embodiments, a cloud service computing platform may receive, via a communication interface and from a user device, a request for a web page. Subsequently, the cloud service computing platform may retrieve, via the communication interface, and from a server, the web page. Further, the cloud service computing platform may render, using a headless browser, the web page to identify a plurality of content parts associated with the web page. Next, the cloud service computing platform may optimize the plurality of content parts associated with the web page. Additionally, the cloud service computing platform may transmit, via the communication interface and to the user device, the plurality of optimized content parts associated with the web page. Subsequently, the user device may render the plurality of optimized content parts associated with the web page.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: February 18, 2020
    Assignee: Citrix Systems, Inc.
    Inventors: Santosh Sampath, Vipin Borkar
  • Patent number: 10560486
    Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: February 11, 2020
    Assignee: Object Security LLC
    Inventors: Ulrich Lang, Rudolf Schreiner
  • Patent number: 10558861
    Abstract: Operations include extracting and presenting data associated with a media stream being transmitted from a source device to a target device. The media stream may include a stream of video frames displayed by the source device. A screen sharing application, executing on the source device, may capture the stream of video frames. The screen sharing application may transmit the stream of video frames to a target application executing on a target device. The target device (or an intermediate device) analyzes the media stream, as the media stream is received from the source device. The target device may execute pattern matching to extract information, including text, images, and audio clips from the media stream. The target device may present the extracted information or use the extracted information to perform tasks, such as filling in a form.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: February 11, 2020
    Assignee: Oracle International Corporation
    Inventor: Kiran Vedula Venkata Naga Ravi
  • Patent number: 10555159
    Abstract: A system, method and storage medium for operating a stealth mode of an emergency vehicle includes receiving input data including at least one of an input from an operator or one or more program input parameters; determining a data operation mode based on the received input data, wherein the data operation mode is one of a normal mode and one or more stealth modes; and generating a control signal based on the determined operation mode. When the data operation mode is one of the one or more stealth modes, the control signal is adapted to control a first device to suspend a transmission of at least one data group among candidate suspended data to at least one second device in communication with the first device.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: February 4, 2020
    Assignee: WHELEN ENGINEERING COMPANY, INC.
    Inventor: George W. Whelen
  • Patent number: 10552831
    Abstract: A message processing server includes a memory and a message processor. The message processor is configured to receive first data; save an identifier in association with a first-layer access restriction indicator and a first key, generate a first encrypted layer by encrypting the first data with the first key, and generate a token from the identifier and the first encrypted layer; receive second data and the token; recover the identifier and the first encrypted layer from the token; confirm that the identifier was saved in the memory in association with the first indicator; save the identifier in association with a second-layer access restriction indicator and a second key, generate a second encrypted layer by encrypting the first encrypted layer and the second data with the second key, and regenerate the token from the identifier and the second encrypted layer.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: February 4, 2020
    Assignee: The Toronto-Dominion Bank
    Inventors: Jonathan K. Barnett, Roy D'Souza, John Jong Suk Lee, Christopher Arthur Holland McAlpine, Aleksandar Roskic, Douglas Edward William Watson, Zheng Xi, Shannon Rose Yeoman
  • Patent number: 10530803
    Abstract: A user device and a server conduct a secure online transaction. The user device transmits received user login and credentials to the server, as well as one or more properties of the user device, such as a list of applications stored on the user device. The server transmits one or more restrictions back to the user device, such as which ports to close, which applications to close, and what features of applications and the operating system should be limited during the transaction. After implementing the restrictions, the user device and the server conduct the online transaction. A unique ID may be transmitted throughout the transaction and the unique ID may be a hash. After the transaction, the user device purges transaction data, restores normal operation, and notifies the server. The transaction may be conducted in a second tunnel and the other communication via a first tunnel.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: January 7, 2020
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Naveen Saichand Palle, Rameshchandra Bhaskar Ketharaju, Ramanathan Ramanathan
  • Patent number: 10528213
    Abstract: There is provided an information processing device including: a user information management unit configured to set a user in a window in which an operation screen of an application is displayed and grant at least one of execution authority of the application set in the window according to the user and browsing authority of content in the window to the window.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: January 7, 2020
    Assignee: SONY CORPORATION
    Inventors: Tetsuo Ikeda, Kuniaki Torii, Naoyuki Sato
  • Patent number: 10509896
    Abstract: An image forming apparatus including a communication circuit configured to establish proximity communication with a biometric authentication apparatus, a display, and a processor configured to perform authentication processing with biological information detected by the biometric authentication apparatus is provided. The processor is configured to carry out control for reducing a quantity of light output from the display and incident on the biometric authentication apparatus during detection of the biological information by the biometric authentication apparatus when the processor receives information representing optical detection of the biological information by the biometric authentication apparatus from the biometric authentication apparatus through the communication circuit.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: December 17, 2019
    Assignee: KONICA MINOLTA, INC.
    Inventors: Masao Hosono, Kaitaku Ozawa, Kenichi Takahashi, Toshikazu Kawaguchi, Daisuke Nakano, Tomoaki Nakajima
  • Patent number: 10496432
    Abstract: Exemplary embodiments relate to techniques for improving startup times of cloud-based virtual servers in response to a spike in service usage (although other applications are contemplated and described). According to some embodiments, in response to a request to provision a new virtual server in a cluster, high-priority services (e.g., those that enable the server to respond to system health checks or that support an application providing the service) are started while lower-priority services are delayed. In some embodiments, prior to receiving such a request, a new server may be started and then hibernated to create a “hot spare.” When the request is received, the hot spare may be taken out of hibernation to quickly bring the hot spare online. It is contemplated that the delayed-startup and hot spare embodiments may be used together to further improve performance.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: December 3, 2019
    Assignee: Capital One Services, LLC
    Inventors: Lemin Zhang, Eric Helvey, Ashish Kumar, Michelle Yuan
  • Patent number: 10489605
    Abstract: Techniques are described for responding to queries of a private database system. A request is received from a client device to perform a query of the private database system. A level of differential privacy corresponding to the request is identified comprising privacy parameters ε and δ. A set of data stored in the private database system and a set of operations corresponding to the query are identified. The set of operations comprises generating a density plot visualization for one or more subsets of the set of data. The set of data is segmented into disjoint regions. For each disjoint region, a density is identified, and the density is plotted in a differentially private density plot visualization using one or more graphical elements.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: November 26, 2019
    Assignee: LeapYear Technologies, Inc.
    Inventors: Ishaan Nerurkar, Christopher Hockenbrocht, Mihai Maruseac, Alexander Rozenshteyn
  • Patent number: 10482534
    Abstract: Non-limiting example embodiments include methods and systems for acquiring private financial data from multiple disparate sources. The private financial data is normalized, aggregated, preferably enhanced, and stored in secure storage. Entitled entities may retrieve selected private financial data from that secure storage efficiently, flexibly, and rapidly. Examples of financial private data include non-liquidity destination related sources of private data as well as liquidity destination related sources. A non-limiting example of a computer-implemented, consolidated, private financial data service is based on a secure, permission-based, aggregated and consolidated data cloud, which enables provision/distribution to one or more authorized parties with legitimate interests selected portions of the consolidated, private financial data.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: November 19, 2019
    Assignee: FTEN INC.
    Inventors: Brian Crowley, Valerie Bannert-Thurner, Jason Timmes
  • Patent number: 10447540
    Abstract: In one embodiment, a device receives control logic programmed within at least one controller included within an industrial network. The device also determines a network topology of the industrial network, and derives a network policy for the industrial network based upon, at least in part, the control logic and the network topology.
    Type: Grant
    Filed: April 8, 2016
    Date of Patent: October 15, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Xuechen Yang, Rudolph B. Klecka, III
  • Patent number: 10445511
    Abstract: An information processing apparatus includes a setting unit, an extracting unit, a transmitting unit, a receiving unit, and a display. The setting unit sets, in a first area that displays thumbnails, a second area that includes a thumbnail that is open to a person concerned among the thumbnails. The extracting unit extracts a thumbnail displayed in the second area. The transmitting unit transmits information on the thumbnail extracted by the extracting unit to an information processing apparatus used by the person concerned. The receiving unit receives information on a thumbnail that is open, from the information processing apparatus used by the person concerned. The display displays, in a third area, the thumbnail displayed in the second area and a thumbnail based on the information received by the receiving unit.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: October 15, 2019
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Naoki Okamoto
  • Patent number: 10440121
    Abstract: An endpoint and methods of operating the same. In one embodiment, an endpoint is connected to one or more sensors and/or actuators. The endpoint is also connected through a communication channel to a server. Each endpoint uses a unique identifier (“ID”) hidden within a protected boundary of the endpoint to associate with a lockless, single-writer thread on the server dedicated to the endpoint. The endpoint ID is encrypted within the protected boundary of the endpoint and is not communicated unencrypted. Furthermore, no association between the ID and private information associated with reader, analysis, or control threads at the server is available outside of a protected boundary of the server and this association is never transmitted on a communication channel. The endpoint can include one or more communication interfaces (e.g., of different modalities) to provide resilience to failures, errors, and computer network attacks.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: October 8, 2019
    Assignee: Web Sensing, LLC
    Inventors: Jason Dahlstrom, Stephen Taylor
  • Patent number: 10432647
    Abstract: A method and apparatus for identifying malicious activity. At least one memory is configured to store historical communication data. At least one processor is configured to retrieve the historical communication data related to communications between a server and a plurality of clients in a system. The processor is further configured to cluster the historical communication data to group communications of the historical communication data. The processor is further configured to identify a plurality of patterns that indicate malicious activity based on the grouped communications. The processor is further configured to receive current communication data. The processor is further configured to determine whether the current communication data matches one of the plurality of patterns.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: October 1, 2019
    Assignee: Honeywell International Inc.
    Inventors: Chandirasekaran Dhakshinamoorthy, Lekshmi Premkumar, Rod Stein, Satheesh Kumar Bhuvaneswaran, Prosanta Mondal
  • Patent number: 10423434
    Abstract: A computer system authenticates a logical port for a virtual machine. A logical network maintains logical network data for a logical switch having the logical port. A virtual switch identifies a logical port authentication request for the virtual machine and transfers the logical port authentication request. A logical port authenticator receives the logical port authentication request and transfers the logical port authentication request for delivery to an authentication database. The logical port authenticator receives a logical port authentication response transferred by the authentication database that grants the logical port authentication request for the virtual machine and transfers authorization data for the logical port. The virtual switch transfers user data for the virtual machine when the virtual machine uses the logical port responsive to the authorization data.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: September 24, 2019
    Assignee: Nicira, Inc.
    Inventors: Maheedhar Nallapareddy, Akshay Katrekar
  • Patent number: 10419408
    Abstract: In some implementations, a scheme for data communication in an automobile includes generating a cleartext message to be transmitted to a second ECU; generating a pseudo-random counter by applying a pseudorandom function to a counter value that is incremented for each cleartext message generated by the ECU; combining the cleartext message and the pseudo-random counter to create a randomized message; selecting from a plurality of available cryptography techniques, a selected cryptography technique; applying to the randomized message, the selected cryptography technique to create a ciphertext; and transmitting to the second ECU over the CAN bus, the ciphertext.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: September 17, 2019
    Assignee: KARAMBA SECURITY
    Inventors: Amir Herzberg, Assaf Harel, Eli Mordechai, Tal Efraim Ben David, Amiram Dotan, David Barzilai, Itay Khazon
  • Patent number: 10420152
    Abstract: If a search signal from an external device received through wireless communication does not include unique information of a searched device, it is determined whether or not the external device has been registered as a communication partner. If it is determined that the external device has been registered as a communication partner, registration of the external device is cancelled. It is possible to detect an inconsistency in the registration state in wireless communication with the external device registered as a communication partner.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: September 17, 2019
    Assignee: Canon Kabushiki Kaisha
    Inventors: Hiroyuki Torikai, Yuichi Kinoshita
  • Patent number: 10411899
    Abstract: This disclosure relates to systems and methods that facilitate the secure collection and management of operational data relating to a power generation system that includes one or more wind turbines. Embodiments disclosed herein may also be used to provide various insights on wind farm operation and management using collected operational data. Further embodiments facilitate policy-managed access to operational data, including policy-managed access implementing differential privacy, in a manner allowed and/or otherwise controlled by parties having ownership rights or interests in the data.
    Type: Grant
    Filed: April 24, 2017
    Date of Patent: September 10, 2019
    Assignee: Intertrust Technologies Corporation
    Inventors: Yutaka Nagao, Sanjiv Jha, Michael Tamir
  • Patent number: 10412210
    Abstract: An interactive, electronic network that enables multi-level control, variable access, multi-user communications of real-time contextually relevant data or information among network-connected devices, and actions based on those communications, as the network-connected devices move from one location to another and/or the data/information flow among those devices changes over time.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: September 10, 2019
    Inventor: Bernt Erik Bjontegard
  • Patent number: 10404714
    Abstract: Systems and methods are disclosed that provide for physical access management of an access-controlled area of a distributed site of an electric power delivery system using one or more articulated access control policies. In some embodiments, to authenticate rights to access an access-controlled area, a first user may provide an associated access control system with credentials satisfying first authentication requirements based on an applicable policy. In connection with subsequent access authentication requests, the access control system may accept credentials satisfying second authentication requirements that may be different than the first authentication requirements. In this manner, access control requirements to the access-controlled area may be managed based on an associated articulated policy.
    Type: Grant
    Filed: August 11, 2015
    Date of Patent: September 3, 2019
    Inventors: George W. Masters, Kylan T. Robinson, Rhett Smith, Bogdan Z. Kasztenny
  • Patent number: 10404693
    Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired.
    Type: Grant
    Filed: March 26, 2018
    Date of Patent: September 3, 2019
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Li Li, Jerrold Von Hauck
  • Patent number: 10394941
    Abstract: A collaborative authoring application provides an authoring environment in which two or more users can edit a document concurrently. Each user edits a copy of the document, sends updates to a master copy of the document, and receives updates from the master copy of the document. The authoring environment generally inhibits the users from providing conflicting editing instructions to the master copy of the document. For example, each user can generate a content lock about one or more data units within the document. The authoring environment may synchronize content locks automatically and content only at the request of the user.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: August 27, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Beckett Bailor, Ethan Joseph Bernstein, Mark Rolland Knight, Christopher James Antos, Andrew Richard Simonds, Brian Michael Jones, Simon Peter Clarke, Edgar Mark Sunderland, David Benjamin Robins, Miko Arnab Sakhya Singha Bose
  • Patent number: 10389755
    Abstract: Techniques for distributed and secure content delivery are provided. Requests for content are routed to a centralized service where the requestors are authenticated for access to the content. The centralized service generates access statements for the requestors. The requestors are redirected to particular distributed content services having access to the desired content. The distributed content services verify the access statements and vend the desired content to the requestors.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: August 20, 2019
    Assignee: Apple Inc.
    Inventors: Eric Christopher Layton, Luke Terry Hallett, Thomas Dean Maynard, Matthew Frank Magleby
  • Patent number: 10367821
    Abstract: Aspects extend to methods, systems, and computer program products for controlling performance of a requested user operation. It is determined if a requested user operation can access data on behalf of a user based on an obtained user context associated with the user. The user context identifies the location of an object representing a user relative to other objects within a hierarchical data structure. The context is used to derive a role for the user. A control expression is accessed. The control expression governs access of the requested user operation for the derived role. A set of permissions is formed for the user by evaluating the control expression using the user context and a data context for the data. The user's authorization to perform the requested user operation is determined from the set of permissions. The requested user operation is performed according to the determined user's authorization.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: July 30, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Sergei Ivanov, John August Barrows
  • Patent number: 10367815
    Abstract: In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, causing the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, to implement an action to prevent further dissemination of information, and the like.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: July 30, 2019
    Assignee: Sophos Limited
    Inventors: David P. Keene, Daryl E. Donley
  • Patent number: 10360115
    Abstract: A monitoring device is mounted in each of a plurality of operational systems constituting a fault-tolerant system. The plurality of operational systems have an identical configuration including a processor system. The monitoring device includes a processor. The processor executes instruction to read data from a predetermined storage area in a memory of an accessory device to be monitored, connected to the processor system. The processor further executes instruction to compare the read data with reference data held in advance. The processor further executes instruction to separate the processor system connected to the accessory device to be monitored from the fault-tolerant system when the read data is different from the reference data.
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: July 23, 2019
    Assignee: NEC CORPORATION
    Inventor: Yukihiro Tanaka