Patents Examined by C. Lewis
  • Patent number: 10498752
    Abstract: In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: December 3, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Sukrit Dasgupta
  • Patent number: 10496819
    Abstract: A method and system is provided for detecting malicious files in a distributed network having a plurality of virtual machines. An example method includes: determining and obtaining, by a virtual machine, at least one file for performing an antivirus scan; collecting data relating to characteristics of computing resources of each virtual machine and parameters relating to the antivirus scan; determining an approximation time function of the characteristics of the computing resources and an approximation function of the one or more parameters for determining an approximation time function of effectiveness of the antivirus scan; and based at least on the approximation time function of effectiveness of the antivirus scan, selecting one virtual machine to perform the antivirus scan in order to determine whether the at least one file is malicious.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: December 3, 2019
    Assignee: AO KASPERSKY LAB
    Inventors: Denis O. Vlaznev, Nikita M. Voitov, Maxim A. Vasilyev, Maxim E. Naumov, Evgeny S. Semenov, Alexander Y. Onishchenko
  • Patent number: 10498725
    Abstract: The longstanding problem of providing efficient and rapid online user services while maintaining user privacy is addressed. Disclosed is a system and method for providing unverified users an ability to act upon private records known to them while protecting user privacy by not reflecting private information back to the unverified user. As an unverified user inputs information related to their identity into an interface, the system searches an indexed database which may include both registered users and/or unregistered customers indexed from a single data source or from disparate data sources.
    Type: Grant
    Filed: June 4, 2018
    Date of Patent: December 3, 2019
    Assignee: Kaarya LLC
    Inventors: Ujjual Nath, Gaurav Sharma, William Fletcher
  • Patent number: 10491478
    Abstract: A master apparatus includes, in an action frame for connection, acceptance policy regarding acceptance of a slave apparatus, and transmits the action frame. After establishment of connection with the slave apparatus, the master apparatus transmits a disconnection request to the slave apparatus. After having been disconnected from the master apparatus, the slave apparatus determines whether or not to reconnect to the master apparatus, on the basis of the acceptance policy included in the action frame from the master apparatus, and the disconnection request received from the master apparatus. Upon determining that reconnection is not possible, the slave apparatus does not transmit a participation request to the master apparatus.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: November 26, 2019
    Assignee: Nintendo Co., Ltd.
    Inventor: Takumi Kanaya
  • Patent number: 10491628
    Abstract: The present invention relates to an attack observation apparatus being a simulation environment where a malicious program such as malware created by an attacker is run, the simulation environment being built for observing the behavior and attack scheme of the malicious program. The attack observation apparatus includes a low-interactive simulation environment to execute on a terminal a predetermined response to communication coming from the malware, a high-interactive simulation environment to execute a response to the communication coming from the malware using a virtual machine which simulates the terminal, and a communication management part to monitor an execution state of the low-interactive simulation environment with respect to the communication coming from the malware and switch the communication coming from the malware to the high-interactive simulation environment depending on the execution state of the low-interactive simulation environment.
    Type: Grant
    Filed: September 17, 2014
    Date of Patent: November 26, 2019
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Kiyoto Kawauchi, Shoji Sakurai
  • Patent number: 10484171
    Abstract: An encoder including a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to generate a k-bit key, where k is a positive integer, estimate an upper bound of a number of eavesdropped links, encode each bit of the k-bit key using a random matrix of a selected rank, and transmit the encoded k-bit key through a network that performs linear operations on packets.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: November 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Xin Hu, Wentao Huang, Jiyong Jang, Theodoros Salonidis, Marc Ph Stoecklin, Ting Wang
  • Patent number: 10476661
    Abstract: A method includes generating a secret key for encryption and decoding data. The method includes identifying a set of data in plaintext format. The method further includes converting, by a processing device, the data in plaintext format to ciphertext using a polynomial. The method also includes sending the ciphertext to a remote device for data processing, wherein the remote device is to process the ciphertext without having the secret key. The method includes receiving processed ciphertext from the remote device. The method further includes decoding, by the processing device, the processed ciphertext based on the secret key and the polynomial to yield processed plaintext. The method also includes outputting the processed plaintext.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: November 12, 2019
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 10476911
    Abstract: To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed.
    Type: Grant
    Filed: July 14, 2017
    Date of Patent: November 12, 2019
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Evgene Vahlis, Paul Giura
  • Patent number: 10474821
    Abstract: An apparatus including a secure module build center, configured to generate modules corresponding to consumer computing systems that each run one of a plurality of operating system types and versions. The center has a coordination server that receives configuration and makefile data associated with one of the consumer computing systems, places the data in a queue, and provides a built module to the one of the consumer computing systems; and a build server that receives the data from the queue, and generates the built module based on commands within the makefile data.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: November 12, 2019
    Assignee: CONTINUUM MANAGED SERVICES HOLDCO, LLC
    Inventor: Michael Brumlow
  • Patent number: 10467417
    Abstract: An apparatus for securely building a module for a consumer computing system, including a coordination server and a build server. The coordination server transmits an agent, where the agent executes on the consumer computing system, retrieves configuration and makefile data, and transmits the data back to the coordination server. The build server corresponds to the configuration data. The build server builds the module based on commands within the makefile data, where the build server extracts whitelist commands from the makefile data within a public root of the build server, executes the whitelist commands within a secure root of the build server to generate named object files from proprietary source files, transfers the named object files to the public root, renames the object files into renamed object files according to the whitelist commands, and links the renamed object files to generate the module.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: November 5, 2019
    Assignee: CONTINUUM MANAGED SERVICES HOLDCO, LLC
    Inventor: Michael Brumlow
  • Patent number: 10467404
    Abstract: An apparatus for securely building a module for a consumer computing system, including a coordination server and a build server. The coordination server receives configuration and makefile data associated with the consumer computing system, places the data in a queue, and provides the module to the consumer computing system. The build server corresponds to the configuration data. The build server receives the data from the queue, and builds the module based on commands within the makefile data, where the build server extracts whitelist commands from the makefile data within a public root of the build server, executes the whitelist commands within a secure root of the build server to generate named object files from proprietary source files, transfers the named object files to the public root, renames the object files into renamed object files according to the whitelist commands, and links the renamed object files to generate the module.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: November 5, 2019
    Assignee: CONTINUUM MANAGED SERVICES HOLDCO, LLC
    Inventor: Michael Brumlow
  • Patent number: 10462170
    Abstract: This disclosure provides a new automated threat detection using synchronized log and Snort streams. Time segments from a log stream are correlated by time to time segments from a Snort stream that have been identified as indicating “true” incidents. To determine whether a correlated time segment is “good” or “bad,” features are extracted from the correlated time segment and used to determine tuples associated therewith, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment. A multidimensional feature vector containing a select number of the tuples is generated and provided as input to a machine learning module which determines, based on machine intelligence, whether the correlated time segment indicates a true incident.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: October 29, 2019
    Assignee: Alert Logic, Inc.
    Inventors: Dagen Wang, Ian Rickey
  • Patent number: 10439816
    Abstract: A method is provided for generating a public/private key pair on an IC and to provision an IoT device having the IC. In the method, a first entity manufactures an integrated circuit (IC) for use in a device. The IC, or chip, has a root secret embedded therein. A public key is generated on the IC using a unique identifier (ID) and the root secret. The IC is provided to a second entity for manufacturing the device using the IC. A reference IC is provided to a third entity. The reference IC has the same embedded root secret as the IC. The reference IC is configured to use the unique ID of the IC and the embedded root secret to generate a derived public key. The third entity is enabled to verify that the public key of the IC is associated with the unique ID by using the derived public key of the reference IC. The method allows the IoT device to be provisioned without using a public key infrastructure.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: October 8, 2019
    Assignee: NXP B.V.
    Inventor: Marno Herman Josephus van der Maas
  • Patent number: 10439811
    Abstract: Systems and methods are provided for securing a private key on a mobile device for use with public key cryptography. Specifically, a private key is reduced to two partial keys where the partial keys are stored on separate electronic devices. The partial keys combine to temporarily regenerate the private key for the purposes of notarizing (digitally signing) messages or documents, and decrypting a message or document that was encrypted using the corresponding public key. The partial keys in some embodiments may be a secret key, which can be derived from an account identifier and a password, and an exclusive key, which can be derived from the secret key and the private key. The private key can be regenerated from the secret key and the exclusive key. With the partial keys stored on separate devices, another layer of practical security is provided to public key cryptography.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: October 8, 2019
    Assignee: Crater Dog Technologies, LLC
    Inventor: Derk Norton
  • Patent number: 10437988
    Abstract: Systems, apparatuses, methods, and computer readable mediums for utilizing smart components to monitor connected devices. In one embodiment, a system includes a computing device and a covering device which covers at least a portion of the computing device. The computing device includes one or more input/output (I/O) interfaces. The covering device may be a smart cover, a security screen protector, or other type of smart covering component. The covering device intercepts, via a first I/O interface, a signal generated by the computing device. The covering device analyzes the signal to determine if a security policy is being violated. The covering device performs a security action responsive to determining that a security policy is being violated. In one embodiment, the covering device covers a display of the computing device and the covering device utilizes photoresistor technology to read the display of the computing device on a pixel-by-pixel basis.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: October 8, 2019
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Ilya Sokolov
  • Patent number: 10432609
    Abstract: A device-bound certificate authority binds a certificate to one or more devices by including digital fingerprints of the devices in the certificate. A device only uses a device-bound certificate if the digital fingerprint of the device is included in the certificate and is verified. Thus, a certificate is only usable by one or more devices to which the certificate is explicitly bound. Such device-bound certificates can be used for various purposes served by certificates generally such as device driver authentication and authorization of access to secure content, for example.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: October 1, 2019
    Assignee: Device Authority Ltd.
    Inventors: Craig S. Etchegoyen, Dono Harjanto
  • Patent number: 10417398
    Abstract: Implementations disclose restricted and unrestricted states for content based on installation status of applications. A method includes receiving, by a first content platform, a request to access content via a first application executing on a client device, the first application being associated with the first content platform, determining that the first application is in an unrestricted state based on an ephemeral state machine of the server device, determining an install state of a second application on the client device, the second application being associated with a second content platform, responsive to determining that the install state of the second application is uninstalled, providing the content via the first application in the unrestricted state, and responsive to determining that the install state of the second application is installed, transferring the first application to a restricted state, and providing the content via the first application in a restricted state.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: September 17, 2019
    Assignee: Google LLC
    Inventors: Justin Lewis, Richard Rapp
  • Patent number: 10410008
    Abstract: Techniques for evaluating authorization requests using cached policy data are disclosed. In one or more embodiments, a thick client receives an authorization request. The thick client evaluates the authorization request, based on partial contextual information associated with the authorization request and a local policy data cache, to generate a preliminary authorization response. The preliminary authorization response includes one of (a) denial of the authorization request and (b) non-denial of the authorization request. Responsive to the preliminary authorization response including non-denial of the authorization request, the thick client submits complete contextual information associated with the authorization request to an authorization service. The authorization service provides a final authorization result, which the thick client uses to grant or deny the authorization request.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: September 10, 2019
    Assignee: Oracle International Corporation
    Inventors: Helali Bhuiyan, Daniel M. Vogel
  • Patent number: 10402592
    Abstract: A method for operating an electronic device according to an embodiment of the present invention includes: entering a content sharing mode capable of sharing content with a first electronic device; outputting first content shared with the first electronic device; entering a content sharing mode capable of sharing content with a second electronic device; determining the authority to decide a display layout, with respect to the second electronic device; transmitting display layout information to the second electronic device upon determining that the second electronic device has the authority to decide the display layout; and receiving, from the second electronic device, display layout determination information including information on output positions of content shared with the first and second electronic devices. Accordingly, it is possible to provide various optimized display layouts of a screen displaying content of connected electronic devices.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: September 3, 2019
    Assignee: LG ELECTRONICS INC.
    Inventors: Kyungnam Bae, Eunjung Lee, Mingi Kim
  • Patent number: 10382580
    Abstract: Examples relate to scaling persistent connections for cloud computing. In some examples, a data packet is used to determine connection information of the first connection. At this stage, server portion of the first connection is closed by using the connection information to send a close command to the cloud server. In response to a keepalive signal from the client computing device, the connection information is used to send a keepalive response to the client computing device to maintain a client portion of the first connection. In response to a service request from the client computing device, a service notification including the service request is sent to the client computing device, where the client computing device initiates a second connection with the cloud server to process the service request.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: August 13, 2019
    Inventors: Puneet Sharma, Wenjie Lin, David Lee, Subramoniam Iyer, Ajay Gupta, Sarbajit Chatterjee, Deepti Sharma