Abstract: Access mode selection based on user equipment selected access network identity may be useful, for example, with respect to the authentication in third generation partnership project (3GPP) networks of subscribers attaching to a trusted wireless local area network (WLAN) access network (TWAN). A method of access mode selection can include informing, in a request, an authentication server regarding at least one access mode for a user equipment. The method can also include selecting a mode of the at least one access mode to use with respect to the user equipment based on a response received from the authentication server in response to the request.

Abstract: Biometric authentication, decentralized learning frameworks, and adaptive security protocols and services for a distributed operator terminals network are described. In some embodiments, the terminals may be hardware terminals, kiosks, or clients. In some embodiments, a security analysis may be performed, and security scores may be determined, for visitors requesting operations at terminals. Security scores may be determined by a vendor, in communication with the operator terminals, based on aggregation of a plurality of factors, wherein each factor may be weighted. The factors may incorporate operator settings or preferences. In one embodiment, the factors include one or more facial recognition factors. The one or more facial recognition factors may be used for biometric authentication. The vendor may use the security scores to determine user privileges or permissions for the operations. The vendor may deliver instructions or messages to the terminals based on the determinations.

Abstract: User checking for execution of pairing of an information processing device and a communication device is executed with an appropriate condition. On the basis of advertise information transmitted from a printer as the communication device, it is determined whether the printer is registered in the information processing device. In a case where the printer is a registered printer that is registered in the information processing device, it is checked with a user whether to execute the pairing. A predetermined process for pairing of communication between the printer and the information processing device is executed in a case where the execution of the pairing is directed by the user or in a case where the printer is the registered printer that is registered in the information processing device.

Abstract: A cyberattack behavior detection method and related apparatus are provided. The method includes receiving user upload information in a multilayer architecture, and detecting whether a cyberattack is included in the upload information. The upload information is only transmitted to a business logic layer for processing the upload information in response to the cyberattack not being detected.

Abstract: Systems and methods of authenticating and/or communicating key and/or data between communication parties using quantum channels are provided. In some embodiments, authentication may be provided during transmission (including at various stages), without transmission, before transmission, and/or without keys. Such systems and methods allow authentication to be performed on a bit-by-bit basis using the same quantum communication channel. Further, these systems and methods prevent an eavesdropper from gaining useful information, and/or allow man-in-the-middle attacks to be detected.

Abstract: Systems, methods, and related technologies for device monitoring and device risk monitoring are described. In certain aspects, an indicator associated with a security risk is set based on communication between a first device having an associated elevated security risk and a second device. The indicator can be stored and may be used as a basis for performing a security action.

Abstract: A method for secure authentication of control apparatuses in a motor vehicle includes sending an authentication request to a control apparatus of the motor vehicle, receiving an authentication response of the control apparatus and checking the received authentication response. If a result of the checking is that the received authentication response is invalid, the method further includes transferring the control apparatus to a fallback mode, where the fallback mode being safe for the purposes of a dependability of the applicable motor vehicle. The authentication response of the control apparatus is provided based on at least part of authenticity information of the control apparatus. The transmitting of the authentication request and authentication response is effected in an encrypted fashion in each case, and the checking of the received authentication response includes decrypting the received authentication response.

Abstract: A secure communication method comprising obtaining a secret code generated in response to a first communication device being paired with a second communication device, obtaining a prestored product key, generating a module key based on the secret code and the product key, randomly generating a session key, obtaining a key sequence number, auto-incrementing the key sequence number, setting a sending sequence number with an initial value of zero, generating a key frame by performing a computation on the session key and a verification authentication code of the session key using the module key, sending a data packet including the key frame, the key sequence number, the sending sequence number, and a data type to the second communication device. The data type indicates that the data packet is a key data packet.

Abstract: Access to a linked resource may be protected using a time-based transformation of links to the resource. A linked resource may be transmitted to a browser in a markup language page. Information indicative of a time-based transformation of a link may be transmitted to the browser in the markup language page, or separately from the markup language page. The time-based transformation may be applied to the transmitted link. The transformed link may be requested, and compared to a version of the link that has been transformed, using the time-based transformation with respect to the time the request is received.

Abstract: The present disclosure provides a method and devices for defending against distributed denial of service attacks. The method comprises: intercepting, by a defending device, a service message transmitted by a client to a server; obtaining, by the defending device, information carried in a first preset field of the service message and information carried in a second preset field of the service message according to a rule agreed on with the client; processing, by the defending device, the information carried in the second preset field and a preset key according to a hash algorithm agreed on with the client, and obtaining a hash value; and discarding, by the defending device, the service message upon determining that the hash value is different from the information carried in the first preset field.

Abstract: The present invention relates to a method of enabling authentication of an information carrier, the information carrier comprising a writeable part and a physical token arranged to supply a response upon receiving a challenge, the method comprising the following steps; applying a first challenge to the physical token resulting in a first response, and detecting the first response of the physical token resulting in a detected first response data, the method being characterized in that it further comprises the following steps; forming a first authentication data based on information derived from the detected first response data, signing the first authentication data, and writing the signed authentication data in the writeable part of the information carrier. The invention further relates to a method of authentication of an information carrier, as well as to devices for both enabling authentication as well as authentication of an information carrier.

Abstract: Implementations disclosed herein provide a network agent embodied in firmware and/or software that replays network traffic of an enterprise network to an entity outside of the enterprise network. The network agent selects and processes the network traffic according to certain policies set by the enterprise network or a third party security management system. These policies allow for a capture and replay of high-integrity data that enables threat analysis.

Abstract: A network attack defense policy sending method and apparatus are presented. The method includes receiving attack information which includes a target Internet Protocol (IP) address, and the attack information is used to indicate that a network attack packet whose destination address is the target IP address exists in a first network; determining that the network attack packet enters the first network through a first edge network device, where the first edge network device is an edge device in the first network; sending a defense policy to the first edge network device, where the defense policy is used to instruct the first edge network device to process, according to the defense policy, a packet whose destination address is the target IP address. By means of this application, network resources occupied by a network attack packet can be reduced, and an effect of defending against the network attack packet can be improved.

Abstract: A network attack defense method is provided. An access request transmitted from a client to a target server is intercepted by at least one processor of a bypass check device. The client is redirected to a target verification server, to perform verification of a verification code on the client. A verification result of the verification of the verification code performed on the client by the target verification server is obtained. The access request sent by the client is forwarded to the target server based on the verification result indicating that client verification is successful.

Abstract: Technologies for providing software code and data with in-memory protection through runtime memory encryption are described. A service comprising an integration component (an interface set) receives software program code and data that is to be protected in one or more protected areas of execution in memory. The integration component can integrate with a software development pipeline. The service (e.g. a wrapper engine component thereof) obtains the software program code and wraps the software program code and the data into a wrapped component. The service generates a secure counterpart program for executing in one or more protected areas of execution in memory (e.g., an enclave).

Abstract: In an approach to identifying users by real time contextual data, one or more processors may receive a registration information for a first user and a first biometric data for the first user. One or more processors may determine a first user behavior based on the first biometric data and the registration information for the first user. Additionally, one or more processors may store the registration information, the first biometric data, and the first user behavior in a first user profile for identification of the first user.

Abstract: A method of securing authentication in electronic communication between at least one user authentication mechanism and at least one server authentication mechanism, wherein primary authentication is performed in the first step, and during the primary authentication a secondary authentication secret is created and shared between the user authentication and the server authentication mechanisms and is valid only for the given authentication transaction, and the secondary authentication secret is subsequently used as an input for a cryptographic transformation performed by the user authentication mechanism separately on each authentication vector element while creating the first authentication vector product, wherein authentication vector (AV) is an ordered set of authentication vector elements (AVE)(i)), wherein the first authentication vector product is transferred from the user authentication mechanism to the server authentication mechanism and is evaluated by the server authentication mechanism using the seco

Abstract: Examples disclosed herein relate, among other things, to a monitoring system. The monitoring system may include a report analyzer configured to receive a report from one of a plurality of devices and determine whether the report includes at least one masked value. If the report includes at least one masked value, the report analyzer may be configured to determine, based on a plurality of reports associated with the masked value, whether an unmasking condition is satisfied, and if the unmasking condition is satisfied, to mark the masked value for unmasking.

Abstract: An architecture deployed to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system (OS) processes executed by a central processing unit (CPU). The architecture features memory configured to store a process, an OS kernel, a VMM and a virtualization module. The virtualization module is configured to communicate with the VMM and execute, at a privilege level of the CPU, to control access permissions to kernel resources accessible by the process. The VMM is configured to execute at a first privilege level of the virtualization module to expose the kernel resources to the OS kernel. The OS kernel is configured to execute at a second privilege level lower than the first privilege level of the virtualization module. The VMM is further configured to instantiate a virtual machine containing the OS kernel, where access to the kernel resources is controlled by the VMM and the virtual machine.

Abstract: Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.