Abstract: Disclosed herein are technologies regarding a communication device and server which are capable of cryptographic communication based on quantum cryptography. The communication device includes: a quantum signal generation unit configured to generate a series of first quantum signals by using a first quantum filter; an optical transmission unit configured to send the series of first quantum signals to a server; and a processor configured to select the first quantum filter based on a series of randomly generated first quantum states, and to control the quantum signal generation unit to generate the series of first quantum signals by using the first quantum filter.

Abstract: A system, method, and computer program product are provided for performing WiFi device authentication utilizing a calling line identification (CLI) as a passcode. When a request is received from a WiFi only device to access the Internet via a WiFi hotspot, a call is made to a mobile number of a mobile device that was specified in the request, wherein the call is made from a calling line identification randomly selected from a plurality of calling line identifications. The calling line identification is then usable by the WiFi only device as a passcode to access the Internet via the WiFi hotspot.

Abstract: An interactive device includes an authenticator for authenticating a user, a speech urger which urges the user to speak when the authenticator unsuccessfully authenticates the user, and an interaction controller which performs interaction according to the authenticated user when the authenticator successfully authenticates the user by a voice of the user having been urged to speak.

Abstract: Virtual private access systems and methods implemented in a clientless manner on a user device are disclosed. The systems and methods include receiving a request to access resources from a Web browser on the user device at an exporter in a cloud system. The resources are located in one of a public cloud and an enterprise network and the user device is remote therefrom on the Internet. The systems and methods also include performing a series of connections between the exporter and i) the Web browser and ii) centralized components to authenticate a user of the user device for the resources. The systems and methods further include, subsequent to authentication, exchanging data between the Web browser and the resources through the exporter. The exporter has a first secure tunnel to the Web browser and a second secure tunnel to the resources.

Abstract: The present disclosure provides a data communication method and system. The method includes: a first terminal transmitting first data to a second terminal, and starting timing from a time point when finishing transmitting the first data, the first data at least comprising data to be processed; the second terminal receiving the first data, and starting timing from a time point when finishing receiving the first data; when a value obtained by the second terminal from the timing reaches a preset value, the second terminal transmitting second data to the first terminal, the second data being data obtained by the second terminal performing data processing on the data to be processed; and when a value obtained by the first terminal from the timing is in a valid range of the preset value or reaches the preset value, the first terminal allowing to start receiving the second data.

Abstract: A method and system are provided for multifactor identification of a subject over a network using a rich credential, with selective disclosure of attributes and selective presentation of verification factors. A credential presentation application negotiates with a verifying server to agree on attributes to be disclosed and verification factors to be presented, and removes unneeded attributes and verification data from the rich credential by pruning subtrees from a typed hash tree without invalidating a signature that covers the root label of the tree. The credential presentation application proves knowledge of a private key, and as agreed upon may prove knowledge of a password and may arrange for biometric presentation applications to present one or more biometric samples to the verifier, which performs presentation attack detection and verifies the samples against verification data in the rich credential.

Abstract: A method of detecting malware in Linux platform through the following steps: use objdump-D command to disassemble ELF format benign software and malware samples to generate assembly files; traverse the generated assembly files one by one, read the ELF files' code segment and meanwhile identify whether the code segment contains main( ) function; analyze the code segment read. Divide assembly code into different basic blocks. Each basic block is marked by its lowest address. Add control flow graph's vertex to the adjacency linked list; establish the relation between basic blocks, add control flow graph's edges to the adjacency linked list and generate a basic control flow graph; extract control flow graph's features and write them into ARFF files; take ARFF files as the data set of a machine learning tool named weka to carry out data mining and construct classifier; classify the ELF samples to be tested by using the classifier.

Abstract: Approaches presented herein enable challenge-response authentication of a user based on information captured by a personal internet of things (IoT) device set associated with the user. Specifically, in one approach, a personal IoT device set comprising at least one device records and stores data associated with a user. The data is synchronized and stored to a computerized authentication system, which prompts the user with an authentication question based on the synchronized and stored data. The user may find an answer to the authentication question by reviewing data recorded and stored in the device of the personal IoT device set. The user may then enter the found answer to the authentication question, thereby authenticating the user. The personal IoT device set may comprise a single device or may comprise a plurality of devices, the information of one of which may be selected as the basis of the authentication question.

Abstract: There is described a digital agent for monitoring of cybersecurity-related events in an industrial control system. The digital agent being residable in a host. The digital agent includes a module for monitoring behavioral data of the host, such as violation of security policy, system usage metric, etc. The digital agent also includes a module for recording behavior baseline of the host, such as operating system, operating system version, firewall status etc. In addition, the digital agent includes an agent state machine for monitoring the CPU load and/or memory usage of the host. Further, the digital agent includes an agent communication module for transmitting monitored data to an analysis unit external to the industrial control system.

Abstract: A computer system and method for authenticating a user device associated with a user during the process of logging into a server. The server can generate input requests each of which is valid only during a defined time period, and displays said input requests in succession in a login screen. The user device reads in the input request displayed at the time of the login and calculates a response by using said input request, the password of the user device, and the current time. The user device transmits the calculated response to the login screen and the response is transmitted by the login screen to the server. The server confirms the authentication when the response calculated by the server matches the response transmitted by the user device.

Abstract: In an example of a system and method for time-based local authentication, an Information Handling System (IHS) may include a processor and a memory coupled to the processor. The memory may have program instructions stored thereon that, upon execution, cause the IHS to generate a first time token and to transmit the first time token to a secondary IHS via a local network, where the secondary IHS is configured to generate a second time token and to transmit the second time token to the IHS via the local network. The IHS may receive the second time token from the secondary IHS and it may determine whether the first time token matches the second time token. In response to the first time token matching the second time token, the IHS may receive access to a protected resource.

Abstract: Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.

Abstract: The present disclosure relates to a security locking device of computers having separate key pairs, and including an encryption board inserted between a main board and a hard disk, and an encryption board being inserted into the encryption board to perform a real-time authentication process. The electronic key and the encryption board performs the real-time authentication process and hardware anti-copy self-testing process, and encrypt the data communicated between the encryption board and the electronic key. After passing the authentication process and the hardware anti-copy self-testing process, the electronic key combines an internally stored key list with the key list on the encryption board, and selects a user key to encrypt/decrypt the data on the disk according to the partition of the hard disk where the encrypted data is written to. The security locking device can assure the safety of the data, and the hardware is prevented from being copied.

Abstract: A method for obtaining an encryption/authentication key uses multiple return channels over which to send parts of the key, which parts are then combined to form the actual key. A method includes receiving an open request for a first key which is a trusted key wrapped in a public key. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified out-of-band channel. The server sends a first reply sent directly back with a first half of the first key offset by a unique value and wrapped using the public key. The second reply is sent via email which includes a second half of the first key offset by the first half of the first key. The third reply is sent over the out-of-band channel, which includes the unique value.

Abstract: Techniques are provided for or granting authorization to restricted content on a display device from an authorizing device. In one embodiment, the display device may operate in a display mode where only unrestricted content is accessible. To access restricted content, the display device may transmit an authorization request signal to the authorizing device. The authorizing device, having received the authorization request, prompts an authorized user to enter an authentication input, such as a password or gesture, on the authorizing device. Upon verification of the authentication input, the authorizing device is authenticated. An authorization signal is transmitted to the display device, and the display device may operate in an authorized mode, having access to otherwise restricted content or functions.

Abstract: A method may include receiving an outbound communication directed to one or more recipient addresses from a communications infrastructure hosting the true address for the user. A server or similar intermediary may generate an alias address for each recipient address in an outbound communication so that each recipient may communicate with the true address using a unique reply channel. A discrete security state may be assigned as a security attribute to each such alias address. The discrete security state, which can be controlled by the user and stored, e.g., at the intermediate server, establishes rules for controlling communications from one of the recipient addresses through the communications infrastructure to the true address via one of the alias addresses. Once an alias and a security state are assigned in this manner to facilitate handling of responsive communications, the outbound communication may be forwarded to recipient addresses through the communication network.

Abstract: A first identity claim and a first attempt to prove password possession are received. As a result of determining that the first attempt to prove password possession is a match to a password in a set of passwords, but that the first identity claim is a mismatch to an identity that corresponds to the password, an authentication process that includes incrementing a counter associated with the password is performed. A second identity claim and a second attempt to prove password possession is received. As a result of determining that the second attempt to prove password possession is a match to the password, an authentication process that includes incrementing the counter associated with the password only if the second identity claim is a mismatch to the first identity claim is performed.

Abstract: An improved method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the ease of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Next, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions. Finally, attacks are detected with physical sensors on the network, that predict the events and conditions. When an attack is detected, security alerts are generated in response to the attacks.

Abstract: A method for performing certification by a control device of a vehicle including generating a first signed certificate, which has at least one public key, and generating an associated private key; single-time introduction of the first signed certificate and of the associated private key into the control device; producing a second certificate; signing a further public key in the control device, using the private key and the second certificate; and making available the signed further public key together with the first signed certificate.

Abstract: A system and method are described for establishing secure communication channels. For example, one embodiment of a system includes an IoT device comprising secret/counter processing logic/circuitry to generate a master secret, the master secret to be transmitted to an IoT service. The system may include one or more IoT hubs to receive the master secret from the IoT service over a first secure communication channel. At least one of the IoT hubs can use the master secret to establish a second secure communication channel with the IoT device.