Abstract: The disclosed computer-implemented method for executing decision trees may include (i) executing a security classification decision tree that classifies an input data item, (ii) gathering, simultaneously using a gather instruction, values for both a current threshold at a parent node of the security classification decision tree and a subsequent threshold at a child node of the parent node, (iii) gathering, simultaneously using the gather instruction, values for both a current measurement at the parent node and a subsequent measurement at the child node, (iv) comparing, simultaneously using a comparison instruction, the current threshold at the parent node with the current measurement at the parent node and the subsequent threshold at the child node with the subsequent measurement at the child node, and (v) performing a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present invention relates to methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore, to a network for distributing information about detected phishing attacks.

Abstract: Embodiments disclosed herein provide systems and methods for digital identity management and permission controls within distributed network nodes. A network node may receive a request to generate a new digital identity record for an entity. The network node may retrieve a template based on an entity type; and receive information, reference documents, and biometric information for the new digital identity record. The network node may associate and store the received information to the data fields in the new digital identity record, generate respective one directional cryptographic hashes of the reference documents and the biometric information, and store the hashes in the new digital identity record while storing the reference documents and biometric information in a non-blockchain repository. The network node may generate a digital identity record block for the new digital identity record, encrypt the digital identity record block, and append the encrypted block to the latest valid blockchain.

Abstract: Some embodiments of reassembly-free deep packet inspection (DPD on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.

Abstract: An FPGA hardware device obtains encrypted data of each participant of a secure computing system, where the FPGA hardware device stores at least one first key, where the at least one first key is at least one first key of all participants in the secure computing system or at least one first key of a predetermined number of trusted managers in the secure computing system, where the FPGA hardware device includes an FPGA chip. The FPGA hardware device decrypts the encrypted data of each participant by using a working key of each participant, to obtain plaintext data of each participant, where the working key of each participant is obtained based on a corresponding first key of the at least one first key. The FPGA hardware device performs computing based on the plaintext data of each participant to obtain a computing result. The FPGA hardware device outputs the computing result.

Abstract: A control system authorizes access to a networked resource. The control system includes a client agent associated with a client resource running at a user device, and a destination agent associated the networked resource. The client agent transparently injects one or more identity tokens associated with the client resource and one or more access tokens associated with the networked resource into a network request issued by the client resource and directed to the networked resource. The destination agent intercepts the network request and uses the access tokens to selectively route the network request in accordance with one or more security policies associated with the access tokens.

Abstract: A method of securely supporting at least one application for use on a wireless device, including storing a plurality of locations, storing a plurality of public asymmetric keys for encryption of the plurality of locations, providing an interface for a virtual store, providing the location of a plurality of authorization files, displaying a list of applications available for the wireless device, presenting content associated with the list of applications available for the wireless device, receiving a customer selection of an application, creating an authorization file comprising the location of the application, storing the plurality of authorization files, providing an authorization file, authorizing one of the plurality of locations based on decryption of at least one of the plurality of public asymmetric keys, and installing on the wireless device the user selected application.

Abstract: A security application for a computing device, e.g., a mobile phone, allows generation of a secret according to a unique user input (e.g., user credentials). The secret is stored in a directory such that it is retrievable when the unique user input is received via a user interface of a device on which the security application executes or is coupled with. Responsive to receiving an identifier associated with the secret, the security application prompts, e.g., via a user interface of the mobile phone, entry of the unique user input; and, subsequently, verifies the unique user input. Following such verification, the security application provides the secret for use in encoding a communication with a remote computer-based station. Entry of the user credentials may be required prior to the security application generating the secret, and may be responsive to receipt of an invitation (e.g., from the remote computer-based station) to generate it.

Abstract: Systems, methods and computer readable media are provided herein for de-identification of a dataset. Each of a plurality of anonymization techniques are assigned to a corresponding one of a plurality of anonymization categories, with each anonymization category corresponding to particular types of operations applied by the anonymization techniques. A sample dataset is generated from the dataset for each anonymization category based on a sampling technique associated with that anonymization category, wherein the sampling technique is selected based on a particular category of anonymization techniques. Each anonymization technique is applied to the sample dataset corresponding to the anonymization category assigned for the anonymization technique, and each anonymization technique is evaluated with respect to data utility based on a utility of the anonymized sample data produced.

Abstract: Systems, methods and computer readable media are provided herein for de-identification of a dataset. Each of a plurality of anonymization techniques are assigned to a corresponding one of a plurality of anonymization categories, with each anonymization category corresponding to particular types of operations applied by the anonymization techniques. A sample dataset is generated from the dataset for each anonymization category based on a sampling technique associated with that anonymization category, wherein the sampling technique is selected based on a particular category of anonymization techniques. Each anonymization technique is applied to the sample dataset corresponding to the anonymization category assigned for the anonymization technique, and each anonymization technique is evaluated with respect to data utility based on a utility of the anonymized sample data produced.

Abstract: In one embodiment, a network node of a multi-hop wireless network may receive, from a network management system associated with the multi-hop wireless network, a request for identifying information associated with the network node. The network node may then send, responsive to the request for identifying information, to the network management system, registration information associated with the network node, wherein the registration information includes cipher text encoded with a public key, wherein the encoded cipher text is configured to be decoded with a private key, and wherein the encoded cipher text includes a MAC address and an identifier assigned to the network node.

Abstract: One embodiment described herein provides a system and method for facilitating user access to encryption keys stored within a hardware module. During operation, a server coupled to the hardware module receives a key request from the user, the key request comprising a user identifier and a key identifier. The server receives a voice message from the user, extracts voice features from a voiceprint associated with the received voice message, looks up voice features stored within the hardware module based on the user identifier, and compares the extracted voice features with the voice features stored within the hardware module. In response to the extracted voice features matching the stored voice features, the server retrieves from the hardware module an encryption key based on the user identifier and the key identifier.

Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class.

Abstract: A method provides an origin certificate that can be issued as a digital certificate online. The method includes receiving an origin digital certificate and an encrypted client device private key from an offline certificate authority wherein the client device private key is encrypted according to a private key encryption key PrKEK. The method further includes receiving from the client device, a request for a client device digital certificate and the encrypted client device private key, selecting a digital certificate template for the client device, the digital certificate template having attributes that vary according to the client devices, building the client device digital certificate from the origin digital certificate and the selected digital certificate template, signing the client device digital certificate with an online certificate authority signing key, and transmitting the signed client device digital certificate and the encrypted device private key.

Abstract: A system and method for preventing hidden data being passed using steganography by performing additional steganography to obscure the hidden data such that the hidden data is unrecoverable without information regarding the method of the additional steganography. This system and method allows for preventing hidden data without having to decipher the hidden data.

Abstract: An FPGA hardware device obtains encrypted data of each participant of a secure computing system, where the FPGA hardware device stores at least one first key, where the at least one first key is at least one first key of all participants in the secure computing system or at least one first key of a predetermined number of trusted managers in the secure computing system, where the FPGA hardware device includes an FPGA chip. The FPGA hardware device decrypts the encrypted data of each participant by using a working key of each participant, to obtain plaintext data of each participant, where the working key of each participant is obtained based on a corresponding first key of the at least one first key. The FPGA hardware device performs computing based on the plaintext data of each participant to obtain a computing result. The FPGA hardware device outputs the computing result.

Abstract: Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems that receive a directory service authentication request from an application. The directory service authentication request comprising a first password. The first password is compared to a stored second password received from a previously-authenticated client to determine when there is a match. A positive authentication result is returned to the application in response to the directory service authentication request, when the determining indicates that there is a match. This technology advantageously facilitates client certificate authentication for applications that only support password-based login.

Abstract: A threat management facility generates a simulated phishing threat based on one or more characteristics of users of an enterprise network and transmits the simulated phishing threat to the users of the enterprise network. Based on whether a user fails to respond appropriately to the simulated phishing threat, the threat management facility may adjust a profile of the user. Network traffic to and from an endpoint associated with the user may be processed according to the adjusted profile.

Abstract: A system for determining an entity's security rating may include a ratings engine and a security database. The security database may include a manifest and a distributed index containing security records. Each of the security records may have a key (e.g., a network identifier of a network asset) and a value (e.g., security information associated with the network asset identified by the key). The keyspace may be partitioned into multiple key ranges. The manifest may contain references to segments of the distributed index. Each segment may be associated with a key range and may index a group of security records having keys within the key range. The manifest and the segments may be stored in an object storage system. The ratings engine may determine the security rating of an entity based on security records of the entity's network assets, which may be retrieved from the database.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions to cause the processor to access network traffic traces including a plurality of timestamps, the plurality of timestamps having an order with respect to each other. The instructions may also cause the processor to encrypt the plurality of timestamps to anonymize the plurality of timestamps while preserving the order of the plurality of timestamps with respect to each other and to store the encrypted plurality of timestamps in a data store.