Abstract: Embodiments create and manage a device profile on a mobile device for continued authentication of the mobile device. The device profile includes a state assigned to a mobile device. The state of the device can be managed through the device profile. The mobile device is allowed to conduct payments based on the current state assigned to the mobile device. In response to a request to conduct a payment transaction using the mobile device, the state information in the mobile device profile is checked. The payment transaction using the mobile device is allowed when the state information indicates a trusted state. The payment transaction using the mobile device is limited when the state information indicates a suspended state. The payment transaction using the mobile device is prevented when the state information indicates an untrusted state.

Abstract: Embodiments of the inventive concepts disclosed herein are directed to systems and methods for providing secured communications via an avionics power bus network. The power bus network can have a plurality of power bus domains, for providing power to at least two endpoint systems. The avionics power bus network can incorporate a plurality of network access interfaces, and each of the network access interfaces may provide power bus isolation between at least two of the power bus domains, and/or network communications isolation across at least two power bus domains. A network gateway may configure communications between the two endpoint systems through one or more of the network access interfaces, and for validating credentials to permit the communications to be transmitted through some of the power bus domains. The network gateway can be accessed via a network access point to configure the communications.

Abstract: A method includes receiving a break-glass ticket scope identifying one or more secure containers of a secure container system. The secure containers are instantiated in a non-debuggable state and execute corresponding secure execution environments for contents of the corresponding secure containers. The method also includes generating a pending break-glass ticket having the break-glass ticket scope and transmitting the pending break-glass ticket to a break-glass approver for approver. In response to receiving an approved break-glass ticket from the break-glass approver, the method includes altering an access setting of the one or more secure containers defined in the break-glass ticket scope. The altered access setting allows debugging of the respective contents of the one or more secure containers executing the corresponding secure execution environments.

Abstract: A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided.

Abstract: A system includes a secure processor and an unsecure processor. The secure processor is configured to: split a secure scalar K into m2 random values ki, where i is an integer index; randomly select m1-m2 values ki for the indices m2<i?m1; select m1 mask values ?i; compute m1 residues ci based upon random residues ai, ??(i)?1, and k?(i), wherein ?(i) is a random permutation; compute m1 elliptic curve points Gi based upon random residues ai and an elliptic point to be multiplied; receive m1 elliptic curve points; and compute the elliptic curve scalar multiplication by combining a portion of the received elliptic curve points and removing the mask values ?i from the portion of the received elliptic curve points. The unsecure processor is configured to: receive m1 residues ci and elliptic curve points Gi; compute m1 elliptic curve points Pi based upon the m1 residues ci and elliptic curve points Gi; and send the m1 elliptic curve points Pi to the secure processor.

Abstract: It is determined whether a user is authorized to carry out a management operation on a plurality of information technology assets in parallel, based on a role of the user and at least one characteristic of the management operation. A risk level of the management operation, and at least one characteristic of the plurality of information technology assets, are both determined. Based on the risk level and the at least one characteristic of the plurality of information technology assets, an execution pattern for the management operation is specified. In at least some cases, the management operation is carried out on the plurality of information technology assets in parallel, in accordance with the execution pattern.

Abstract: There is provided an authentication server apparatus connected with a terminal device through a network including a storage device configured to store pattern descriptions, wherein characters used for an authentication password for authenticating a user are divided into groups, and the divided characters are associated with IDs of the respective groups in one of the pattern descriptions, a password processing unit configured to generate an authentication code composed of a string of the IDs of the groups and to store it, wherein the authentication code is generated on a pattern description—by —pattern description basis, a screen transmitting unit configured to transmit data of an authentication screen including one of the pattern descriptions to the terminal device, and an authentication unit configured to authenticate the user based on the string of the IDs corresponding to the authentication password and the authentication code corresponding to the pattern description.

Abstract: A network-connected device is identified by multiple keys for multiple security levels in a network. From the network, the device detects a request directed at the device. The device identifies, from the request, a source entity that sent the request and a security level specified by the request. Among the plurality keys that identify the device for different levels of security, the device determines one or more of the keys to identify the device according to at least the security level. In response to the security level being a high security level, the device establishes a network session with the high security level to communicate with the source entity using a set of inter-related keys among the plurality of keys.

Abstract: A plurality of keys is obtained, with each obtained key of the plurality of keys being based at least in part on an information set for the plurality of keys and at least one other key distinct from the plurality of keys. A signing key is calculated by inputting a combination of the plurality of keys into a function with the information set for the plurality of keys, and the signing key is used to evaluate whether access to one or more computing resources is to be granted, with the information set preventing access from being granted when a request for the access is submitted out of compliance with the information set for the plurality of keys.

Abstract: A technique allows a smart meter to receive a mask. The smart meter may receive the mask from a utility company or an escrow service. The smart meter may apply the mask to original metered data on a continuous schedule, on a periodic schedule, or on a determined schedule, or on a randomized schedule to conceal the original metered data. The smart meter may apply different masks at different times. The smart meter transmits the concealed metered data as augmented metered data remotely to an electric utility via a communication network.

Abstract: A system and method for protocol independent multi-flow table routing includes a first flow table, a second flow table, and a shared hash table accessible by both the first flow table and the second flow table. Upon receipt of a packet, a first secure signature of a first lookup key is generated for the first flow table, and a second secure signature of a second lookup key is generated for the second flow table. The shared hash table stores both the first secure signature in association with a first value corresponding to the first secure signature, and the second secure signature along with a second value corresponding to the second secure signature. The first and second values indicate destination information for the packet.

Abstract: A device in a network receives fingerprints of two or more network anomalies detected in the network by different anomaly detectors. Each fingerprint comprises a hash of tags that describe a detected anomaly. The device associates the fingerprints with network records captured within a timeframe in which the two or more network anomalies were detected. The device compares the fingerprints associated with the network records to determine that the two or more detected anomalies are part of a singular anomaly event. The device generates a notification regarding the singular anomaly event. The notification includes those of the fingerprints that are associated with the singular anomaly event.

Abstract: A data processing system can use a method of fine-grained address space layout randomization to mitigate the system's vulnerability to return oriented programming security exploits. The randomization can occur at the sub-segment level by randomizing clumps of virtual memory pages. The randomized virtual memory can be presented to processes executing on the system. The mapping between memory spaces can be obfuscated using several obfuscation techniques to prevent the reverse engineering of the shuffled virtual memory mapping.

Abstract: A data processing system can use a method of fine-grained address space layout randomization to mitigate the system's vulnerability to return oriented programming security exploits. The randomization can occur at the sub-segment level by randomizing clumps of virtual memory pages. The randomized virtual memory can be presented to processes executing on the system. The mapping between memory spaces can be obfuscated using several obfuscation techniques to prevent the reverse engineering of the shuffled virtual memory mapping.

Abstract: A cloud client device identifies one or more devices within a predetermined range of the cloud client device operable to communicate with the cloud client device. The cloud client device pairs with one or more of the devices. To provide secure access to the cloud client device and to other functionality provided by the paired devices, the cloud client device accepts tones as a password. The cloud client device receives a password after a prompt as one or more tones and translates the tones for comparison with the password for the cloud client device. Access is allowed if the translated tones match the password for the cloud client device.

Abstract: Systems and methods for accessing digital content using electronic tickets and ticket tokens in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor, a network interface, and memory configured to store an electronic ticket, and a ticket token, and the processor is configured by an application to send a request for digital content, receive a ticket token from a merchant server, wherein the ticket token is generated by a DRM server and associated with an electronic ticket that enables playback of the requested digital content, send the ticket token to a DRM server, receive an electronic ticket that enables playback of requested digital content, request the digital content associated with the electronic ticket, and play back the requested digital content using the electronic ticket.

Abstract: Whenever users receive or transfer a copy of any of a set of documents, prior verification of the document is enforced by an administrative system, which associates verification metadata with the copy. As each copy is itself copied and transferred, updated verification metadata is included with the previous verification metadata to form a verification lineage chain, which can later be examined to determine the circumstances of any verification failure. Documents are preferably verified by comparing the digital signature of the current copy with the signature of a reference copy. Documents may be signed by submitting them as input records to a distributed, keyless, hash tree infrastructure.

Abstract: Processes and systems described herein enable a computing device to detect compromised accounts. The computing device may obtain a user credential including a user ID, and further modify the user ID. The computing device may transmit the modified user ID to a service including a database related to compromised accounts, receive a record corresponding to the modified user ID that includes information of a compromised account, and further determine whether an account of the user ID is compromised based on the received record.

Abstract: An authenticating service of a chip having an intrinsic identifier (ID) is provided. The authenticating device includes an identification (ID) engine, a self-test engine, and an intrinsic component. The intrinsic component is associated with a chip and includes an intrinsic feature. The self-test engine retrieves the intrinsic feature and communicates it to the identification engine. The identification engine receives the intrinsic feature, generates a first authentication value using the intrinsic feature, and stores the authentication value in memory. The self-test engine generates a second authentication value using an authentication challenge. The identification engine includes a compare circuitry that compares the first authentication value and the second authentication value and generates an authentication output value based on the results of the compare of the two values.

Abstract: A computer implement format preservation based masking system and method is provided. The system obtains a first set of letters and a private key, and encrypts the first set of letters to obtain an encrypted letters list using the first set and private key. The encrypted letters list comprises a set of encrypted letters. A dynamic map is generated based on the encrypted letters, which includes one or more keys, each key being specific to a letter in the first set letters. A position of each of maskable letters in a second set of letters is calculated using the dynamic map, and performs masking of the maskable letters based on the position of each of the maskable letters to obtain masked data using the dynamic map.