Patents Examined by Baotram Tran
  • Patent number: 9774450
    Abstract: Network-based service content protection techniques are described. In one or more implementations, content is edited locally by a computing device. The edited content is automatically encrypted without any user intervention by the computing device using an encryption credential, e.g., encryption key or other secret. The automatic encryption is performed responsive to a request to store the content at a network-based service provider such that the encrypted content can only be decrypted and accessed with the encryption credential and the encrypted content is uploaded to the network-based service provider.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 26, 2017
    Assignee: Adobe Systems Incorporated
    Inventor: Reza Jalili
  • Patent number: 9762592
    Abstract: According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.
    Type: Grant
    Filed: April 1, 2015
    Date of Patent: September 12, 2017
    Assignee: Imperva, Inc.
    Inventors: Tal Arieh Be'ery, Shelly Hershkovitz, Nitzan Niv, Amichai Shulman
  • Patent number: 9729514
    Abstract: In one exemplary embodiment, a computer-implemented method of a secure-access gateway to a destination device in a protected computer network includes the step of receiving a request from a remote user to access the destination device in the protected computer network. A session for the remote user is registered. The session includes an access to the destination device by the remote user according to a set of specified parameters controlled by the secure access gateway. The session is created. When the remote user connects and authenticates, the secure access gateway establishes the connection to the destination device on behalf of the remote user. The session is monitored according to the set of specified parameters. The session is monitored to determine if at least one specified parameter is achieved. The session between the remote user and the destination device is terminated when the at least one specified parameter is achieved.
    Type: Grant
    Filed: March 22, 2013
    Date of Patent: August 8, 2017
    Inventors: Robert K Lemaster, Duleep G. Pillai
  • Patent number: 9699211
    Abstract: Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: July 4, 2017
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
  • Patent number: 9686275
    Abstract: A technique is provided for continuous user authentication through real-time fusion and correlation of multiple factors. Monitored data is continuously obtained from a computer. The monitored data is related to user actions on the computer of a user. A server analyzes the monitored data of the computer to execute a windowing system event sequences modality, a network footprint modality, an application specific user actions modality, and/or a forensic linguistic analysis modality for the user. The user is authenticated on the computer based on a combination of the windowing system event sequences modality, the network footprint modality, the application specific user actions modality, and/or the forensic linguistic analysis modality.
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: June 20, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Suresh N. Chari, Pau-Chen Cheng, Lawrence Koved, Ian M. Molloy, Youngja Park
  • Patent number: 9621527
    Abstract: The invention is a method for loading data into a portable secure token comprising a plurality of security domains. A first security domain comprises a first administration agent and a second security domain comprises a second administration agent. A remote application server comprises a first data to be provided to the second administration agent. A syndication server, which is distinct from the remote application server, contains a list which comprises a reference to the first data. The list is sent in response to a polling request that is sent by the first administration agent. This list is included in a polling response which is sent by the syndication server.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: April 11, 2017
    Assignee: GEMALTO SA
    Inventors: Patrice Amiel, Xavier Berard, Eric Preulier, Frederic Gallas
  • Patent number: 9602537
    Abstract: A client includes a security agent configured to create a client certificate that corresponds to one or more client identifiers. A server includes a server certificate and is in communication with the security agent. The server is configured to facilitate establishing an initial mutually authenticated transport layer security (TLS) session with the client based on the client certificate and the server certificate. The server is also configured to extract the client certificate from the security agent once the TLS session is established. The server is configured to store the certificate as being associated with only the corresponding client identifier(s) and to categorize the association between the client certificate and the corresponding client identifier(s) as being secure but not trusted for the client until the identity of the client has been verified. Moreover, the server is configured to receive an indication that the identity of the client has been verified.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 21, 2017
    Assignee: VMware, Inc.
    Inventor: Darin Petty
  • Patent number: 9565173
    Abstract: The present invention generally relates to systems and methods for establishing trusted, secure communications from a mobile device, such as a smart phone, to an immobile device, such as a multi-function device. The disclosed techniques can include the immobile device displaying a pattern that encodes a cryptographic key. The mobile device can obtain an image of the pattern and decode it to obtain the cryptographic key. Because the mobile device obtained the image within its line-of-sight, for example, it can be assured that it communicated with the immobile device, and only the immobile device. The mobile device and the immobile device can use the cryptographic key to secure further communications.
    Type: Grant
    Filed: March 26, 2013
    Date of Patent: February 7, 2017
    Assignee: XEROX CORPORATION
    Inventors: Roger T. Kramer, Gavan L. Tredoux
  • Patent number: 9461967
    Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: October 4, 2016
    Assignee: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Marc Joseph Benoit
  • Patent number: 9419985
    Abstract: Identifying a behavior of a service is disclosed. A predetermined interrogation packet that corresponds to a hypothesis is sent to a network communication port of a receiver. The predetermined packet is one of a plurality of predetermined interrogation packets sent to the network communication port. The hypothesis is consistent with a behavior of a corresponding service. The predetermined interrogation packet invites an expected action. The expected action is detected. It is determined that the behavior of the service that corresponds to the hypothesis is operating.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: August 16, 2016
    Assignee: Morta Security Inc
    Inventors: Robert Seger, Vishaal Hariprasad
  • Patent number: 9391966
    Abstract: A method for providing secure remote access by a controller is described. The method includes sending one or more endpoint requests. The method also includes receiving authentication service endpoint information and connection service endpoint information. The method further includes requesting authentication based on the authentication service endpoint information. Requesting authentication includes requesting license validation. The method also includes sending one or more registration messages based on the connection service endpoint information. The method further includes receiving a session request. The method additionally includes determining controller candidate link information. The method also includes sending the controller candidate link information. The method further includes receiving an automation message based on the controller candidate link information.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: July 12, 2016
    Assignee: Control4 Corporation
    Inventors: William Richard Clark, Wallace Eric Smith, John Mar, Andrew Van Uitert, Charles Alexander Hudson, Clinton Perry
  • Patent number: 9355246
    Abstract: An emulator on a host computer includes a static analysis module that analyzes executable code of a suspicious sample to determine whether the code identifies that a particular packing program (packer) has packed the sample. Once identified, a custom configuration file is generated that identifies particular API hooks or instructions that should be disabled (or enabled) so that the sample file cannot use these hooks or instructions to detect that it is executing within an emulator. The emulator (such as a virtual machine or sandbox) is configured using the configuration file. The suspicious sample is then executed and its behaviors are collected. The sample is prevented from detecting that it is operating within an emulator and thus prevented from terminating prematurely. Malicious behaviors are scored and a total score indicates whether or not the suspicious sample is malicious. Static analysis identifies signatures, instructions or strings.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: May 31, 2016
    Assignee: Trend Micro Inc.
    Inventors: Xiaochuan Wan, Ben Huang, Xuebin Chen, Xiaodong Huang, Hailiang Fan
  • Patent number: 9294469
    Abstract: The present disclosure provides systems and methods for establishing a connection between an appliance and a home energy management device. Upon being prompted by a user, the home energy management device can create a private network for a limited period of time. Then, upon also being prompted by the user, an appliance can request to join the private network. If the appliance satisfies any required security criteria, the home energy management device can securely provide local area network access data to the appliance over the private network. After receiving such access data, the appliance can connect to the wireless local area network and establish a secure connection with the home energy management device via a router of the local area network. In one implementation, both the home energy management device and the appliance can be prompted by the user by simply pressing a button or other user-operable selector.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: March 22, 2016
    Assignee: General Electric Company
    Inventors: Dong Hun Lee, Dong Soo Shin, Kevin Farrelly Nolan
  • Patent number: 9235696
    Abstract: User authentication is performed using a system that includes a service provider system, a device provisioning system, a user computer, and a portable mobile device. The user computer requests access to a remote online service from the service provider system. The user computer receives sign-in information from the device provisioning system. The sign-in information is transferred from the user computer to the portable mobile device, which provides the sign-in information and a unique device identifier of the portable mobile device to the device provisioning system. The device provisioning system identifies a user associated with the portable mobile device, and informs the service provider system of the identity of the user. The service provider system allows the user computer to access the remote online service based on the identity of the user provided by the device provisioning system.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: January 12, 2016
    Assignee: Trend Micro Incorporated
    Inventors: Tzu-yi Nien, Nu Yu Ku, Yuan-Kai Hsiung, Yi-Jhen Yang
  • Patent number: 9237156
    Abstract: A system is provided for managing protected data resources. The system includes a resource server configured to store the protected data resources and an authorization module coupled to the resource server and configured to store access protocols. The authorization module further is configured to receive a service request from a user via a client module, evaluate the service request based on the access protocols, and send an access token to the client module if the user satisfies the access protocols.
    Type: Grant
    Filed: May 7, 2013
    Date of Patent: January 12, 2016
    Assignee: salesforce.com, inc.
    Inventor: Chuck Mortimore
  • Patent number: 9172721
    Abstract: Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: October 27, 2015
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
  • Patent number: 9141820
    Abstract: Network-based service content protection techniques are described. In one or more implementations, content is edited locally by a computing device. The edited content is automatically encrypted without any user intervention by the computing device using an encryption credential, e.g., encryption key or other secret. The automatic encryption is performed responsive to a request to store the content at a network-based service provider such that the encrypted content can only be decrypted and accessed with the encryption credential and the encrypted content is uploaded to the network-based service provider.
    Type: Grant
    Filed: July 25, 2013
    Date of Patent: September 22, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Reza Jalili
  • Patent number: 9130929
    Abstract: Systems and methods are disclosed for authenticating an identity of an online user. One method includes receiving from the user, through a first device, a request to access a web page associated with the user's online account; transmitting to the user an image that contains a unique ID and a URL of an authentication server; and receiving from the user, through the first device, an authentication request containing the unique ID. The method also includes receiving from the user, through a second device, a log-in ID associated with the user and the unique ID; and authenticating the identity of the user to grant the user access, through the first device, to the web page associated with the user's online account.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 8, 2015
    Assignee: AOL INC.
    Inventors: Scott Dorfman, Donald P. Sengpiehl
  • Patent number: 9088574
    Abstract: An approach is provided for performing a device-level and/or an application-level security check of a device. In the device-level check, a device hash is generated based on a subscriber identity module identifier (SIM ID), a device identifier, the number of secured applications, and the names of the secured applications. A temporary device hash is generated during a booting of the device. If the device hash is determined to not match the temporary device hash, the applications are removed from the device during the booting of the device. In the application-level check, an application hash is generated based on the SIM ID, the device identifier, and the application name. A temporary application hash is generated during a loading of the application. If the application hash is determined to not match the temporary application hash, the application is removed from the device without running the application.
    Type: Grant
    Filed: July 18, 2013
    Date of Patent: July 21, 2015
    Assignee: International Business Machines Corporation
    Inventors: Anthony J. Allegri, Jermaine C. Edwards, Christopher E. Holladay, Matthew B. Trevathan, Sumedh W. Sathaye
  • Patent number: 9088559
    Abstract: A method for sharing login status between an application platform and an application, both running on a client device, is performed at a computer. In response to a login request from the client device, the computer analyzes the login request to determine whether the login request is associated with the application platform or the application. If the login request is associated with the application platform, the computer then establishes a first connection with an application platform server and forwards the login request to the application platform server. Upon receiving a login key from the application platform server, the computer returns the login key to the client device. If not, the computer establishes a second connection with an application server and forwards the login request to the application server. Upon receiving a login key from the application server, the computer then returns the login key to the client device.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: July 21, 2015
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Liang Ma, Zhiqiang He, Cheng Guo, Linbo Zhang, Xiaojing Tu