Abstract: Disclosed are system and method for building statistical models of malicious elements of web pages. One exemplary method comprises: obtaining, by a control server, data about malicious elements of web pages; transforming, by the control server, the obtained data into at least one N-dimensional vector; creating, by the control server, at least one cluster based on elements of the at least one N-dimensional vector; and building, by the control server, the statistical model of the malicious elements of the web page based on the created at least one cluster.

Abstract: A smart process control switch can implement a lockdown routine to lockdown its communication ports exclusively for use by devices having known physical addresses, enabling the smart process control switch to prevent new, potentially hostile, devices from communicating with other devices to which the smart process control switch is connected. Further, the smart process control switch can implement an address mapping routine to identify “known pairs” of physical and network addresses for each device communicating via a port of the smart process control switch. Thus, even if a new hostile device is able to spoof a known physical address in an attempt to bypass locked ports, the smart process control switch can detect the hostile device by checking the network address of the hostile device against the expected network address for the “known pair.

Abstract: The technology encompasses new uses of already-known cryptographic techniques. The technology entails computer-based methods of sharing information securely, in particular an asymmetric method of secure computation that relies on the private-key/public key paradigm with homomorphic encryption. The methods and programmed computing apparatuses herein harness mathematical concepts and apply them to services or tasks that are commercially useful and that have not hitherto been possible. Applications of the methods and apparatus herein are far-ranging and include, but are not limited to: purchase-sale transactions such as real estate or automobiles, where some aspect of price negotiation is expected; stock markets; legal settlements; salary negotiation; auctions, and other types of complex financial transactions.

Abstract: Mechanisms are provided for accessing security vulnerability issue information. The mechanisms monitor security analyst interactions with security vulnerability issues via the security management system to generate analyst interaction log data, and generate one or more security analyst models corresponding to one or more security analysts by performing a machine learning operation on the analyst interaction log data. The mechanisms generate an analyst-issue model based on the one or more security vulnerability issue models and the one or more security analyst models, and generate an issue recommendation for a security analyst based on the analyst-issue model.

Abstract: An integrated circuit includes a core circuit and a function lock circuit. The core circuit includes at least one function block circuit. The function lock circuit is coupled to the core circuit. The function lock circuit includes a random number source, an entanglement circuit, and a memory. The random number source is configured to generate a random code. The entanglement circuit is coupled to the random number source and the core circuit and configured to generate an unlocking code according to the random code and a command signal. The memory is coupled to the entanglement circuit and configured to store the unlocking code. The at least one function block circuit of the core circuit is determined to be locked/unlocked according to a presence of the unlocking code.

Abstract: The technology encompasses new uses of already-known cryptographic techniques. The technology entails computer-based methods of sharing information securely, in particular an asymmetric method of secure computation that relies on the private-key/public key paradigm with homomorphic encryption. The methods and programmed computing apparatuses herein apply mathematical concepts to services or tasks that are commercially useful and that have not hitherto been possible. Applications of the methods within cloud computing paradigms are presented. Applications of the methods and apparatus herein are far-ranging and include, but are not limited to: purchase-sale transactions such as real estate or automobiles, where some aspect of price negotiation is expected; stock markets; legal settlements; salary negotiation; auctions, and other types of complex financial transactions.

Abstract: The present invention provides methods, systems and computer program products (software) for the reliable, attack-resistant authentication of a network-connected user to a network-connected service provider.

Abstract: Techniques are provided for client application authentication and include receiving a request to authenticate an application and, based on the received request to authenticate the application, sending a request to perform a push communication, including a short-term shared key, to a digital distribution system, wherein the digital distribution system is a distribution source of the application. The digital distribution system attempts to send the push communication including the short-term shared key to the application. The techniques may proceed by receiving a request for resources from the provider client application and determining whether the application has the short-term shared key. When it is determined that the application has provided the short-term shared key, the requested resources to the application may be provided, otherwise, the requested resources may be denied.

Abstract: A server for detecting a proxy device in a communications path may include a processor and a memory associated therewith. The processor may obtain an encrypted first portion of an encryption key from the client device. The encryption key may be based upon user-input credentials for a given user. The processor may also communicate an encrypted second portion of the encryption key to the client device based upon determining that the encrypted first portion matches a corresponding first portion of the encryption key indicative of an absence of the proxy device in the communications path. The processor may also detect a loss in connectivity between the server and the client device in response to the client device determining that the decrypted second portion of the encryption key does not match a corresponding second portion of the encryption key indicative of a proxy device in the communications path.

Abstract: A code segment executing on a compute instance may be identified as suspicious based on runtime behavior or similar behavioral analysis or the like. In order to ensure the identification and use of the most up-to-date identification and remediation tools, the compute instance may defer various remediation steps for an interval, during which the compute instance may wait for data updates from a threat management system. After the interval has passed, the compute instance may use any updated data or tools in order to address the code segment that triggered the initial malware detection.

Abstract: Disclosed embodiments relate to dynamically changing an encryption technique for encrypted data to be stored in a searchable database. Operations may include receiving encrypted data for storage in the searchable database, the encrypted data having been encrypted by a client using a cryptographic key based on an encryption alteration scheme; receiving a search query from the client, the search query comprising a plurality of search strings including at least: an encrypted version of a plaintext string that was encrypted by the client using the cryptographic key, and one or more encrypted versions of the plaintext string that were encrypted by the client using one or more other cryptographic keys; processing the search query; and returning a response to the search query to the client.

Abstract: An example operation may include one or more of: creating a document that defines procedures to create an ad-hoc group having an original peer, to add a new peer to the ad-hoc group and to remove of one or more of the original peer and the new peer; maintaining, via a memory, a cryptographic distributed ledger based on the document and peer data associated with the ad-hoc group; encrypting the document; encrypting the cryptographic distributed ledger; providing the encrypted cryptographic distributed ledger to the ad-hoc group; decrypting the encrypted document; modifying the document; decrypting the encrypted cryptographic distributed ledger; updating the cryptographic distributed ledger; encrypting the modified document to create an encrypted modified document; encrypting the updated cryptographic distributed ledger; and providing the updated encrypted cryptographic distributed ledger to the ad-hoc group.

Abstract: A device may receive a request from a first user device to access a protected device. The device may verify a user identity of a user of the first device based on user credentials and determine that an authentication code is needed to authenticate the request to access the protected device. The device may dynamically generate multiple codes and transmit the multiple codes to a second user device associated with the user identity of the user of the first device. A first code, of the multiple codes, may correspond to a correct authentication code needed to authenticate the request to access the protected device. The device may transmit a message including an instruction for identifying the correct authentication code from among the multiple codes, receive a second code from the first device, compare the second code and the first code, and selectively authenticate the request to access the protected device.

Abstract: Techniques are disclosed relating to sharing a user credential between computing devices. In some embodiments, a first computing device stores a set of user credentials usable to authenticate a user and receives, from a second computing device, a request for a user credential to be provided responsive to an authentication prompt associated with the second computing device. In such an embodiment, the request includes an indication of a service for which the authentication prompt is being presented. Based on the indication, the first computing device determines whether the stored set of user credentials includes a user credential relevant to the authentication prompt and presents a selection prompt asking a user of the first computing device to select a one of the stored set of user credentials to provide to the second computing device for authentication to the service, the relevant user credential being identified in the selection prompt.

Abstract: The use of user-specific data to process a biometric print, such that use of the biometric print is revoked by invalidating the user-specific data. The processed print is generated by performing one-way processing of the biometric print using the user-specific data. The processed print, not the biometric print, is then provided to the authentication system for later authentication of the user. During matching, the user later provides a current biometric, resulting in generation of a current biometric print. For each of multiple users, the user-specific is obtained for that user, and at least one processed print is generated for each user based on the current biometric print. The current processed prints are used by the authentication system to match against each of the enrolled processed prints. If a match is found, the user is identified as being the user associated with the matching enrolled print.

Abstract: Techniques described herein enhance information security in contexts that utilize key management systems and other providers of cryptographic services. A user of a key, management system is able to use a secret that is outside the control of the key management system combined with a secret that is cryptographically protected by the key management system (e.g., by encryption using a key managed by the key management system) to generate a message encryption key, thereby rendering the secrets individually insufficient for access to data encrypted using the message encryption key.

Abstract: Instead of specifying actual transport layer IP addresses as a basis for a secure tunnel's security association, an approach described herein specifies virtual addresses. Then suitable network appliances intercept and modify packets in order to map between the virtual addresses and actual addresses. The virtual addresses satisfy IPsec or another authentication procedure that checks packets using the security association. The actual addresses are used by transport layer protocols. This overlay approach permits a session to failover from one network connection to another without requiring restoration of the session in a newly created secure tunnel after one of the network interfaces becomes unavailable, thereby obsoleting the security association based in part on the IP address of the now unavailable interface. This innovative approach also allows the use of parallel paths and the use of one-to-many or many-to-one path topologies, which would otherwise not be permitted.

Abstract: This application is directed to a system for remotely directing a host device to perform an operation using a key. The key may include a communications circuitry for transmitting data, for example a key identifier or an instruction to perform an operation, within a personal area network created by the communications circuitry. When a host device is within the personal area network, the key may transmit data received by a transceiver on the host device. In response to receiving the data, the host device may perform an operation (e.g., an authentication operation). In some embodiments, the key may transmit data identifying an operation for the host device to perform. In some embodiments, the host device may store in memory key identification information and an associated operation which may be retrieved when the key is brought in proximity of the host device.

Abstract: Binary data relating to a movable barrier operator is converted to ternary data. The ternary data is converted into corresponding binary information in a way not mirroring the first conversion method. In one approach, this second conversion converts each ternary trit into a corresponding binary pair. Initial binary bits correspond to, for example, fixed and/or non-fixed information.

Abstract: Systems, devices, media, and methods are presented for retrieving authentication credentials and decryption keys to access remotely stored user-generated content. The systems and methods receive a first authentication credential and access a second authentication credential based on receiving the first authentication credential. The system and methods generate an authentication token and an encryption token. Based on the authentication token, the system and methods access a set of encrypted content and an encrypted content key. The systems and methods decrypt the encrypted content key using the encryption token and decrypt the set of encrypted content using the decrypted content key. At least a portion of the content is presented at the user device.