Patents Examined by C. Lewis
  • Patent number: 10152350
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine that a secure domain has been created on a device, where keys are required to access the secure domain, obtain the keys that are required to access the secure domain from a network element, and encrypt the keys and store the encrypted keys on the device. In an example, only the secure domain can decrypt the encrypted keys and the device is a virtual machine.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: December 11, 2018
    Assignee: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Carlos V. Rozas, Brandon Baker, Vincent R. Scarlata, Francis X. McKeen, Simon P. Johnson
  • Patent number: 10154061
    Abstract: A cloaking authority system that securely and anonymously identifies a misbehaving device based on its digital certificate. The system may include a cloaking authority server that is communicatively connected to a misbehavior authority server, a pseudonym certificate authority device, and a registration authority device. In response to a request from the misbehavior authority server to identify a misbehaving device using the device's pseudonym certificate, the cloaking authority server interacts with the pseudonym certificate authority device and the registration authority device to securely obtain a representation of the linkage chain identifier that is associated with the misbehaving device, while maintaining the anonymity of the real-world identifying information for the misbehaving device. The cloaking authority server creates a cloak index that corresponds to the linkage chain identifier and that identifies the misbehaving device, and provides the cloak index to the misbehavior authority server.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: December 11, 2018
    Assignee: INTEGRITY SECURITY SERVICES, INC.
    Inventor: Erik S. Schetina
  • Patent number: 10146925
    Abstract: Provided herein are methods and systems for multi-person authentication and validation systems for sharing of images. The multi-person authentication and validation system may identify the respective faces of one or more individuals captured in an image, and request authorization for sharing the image from the one or more individuals captured in the image. In some instances, the multi-person authentication and validation system may provide a different image version for sharing if at least one of the one or more individuals denies authorization.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: December 4, 2018
    Assignee: KNOWLEDGE INITIATIVES LLC
    Inventor: Barr Rosenberg
  • Patent number: 10146464
    Abstract: A data processing system having a PUF and method for providing multiple enrollments, or instantiations, of the PUF are provided. A PUF segment includes a plurality of SRAM cells on an integrated circuit. A PUF response from the PUF segment is used to create a first activation code and a first PUF key. A second PUF key may be created from the PUF response. Initially, during a second enrollment, the PUF response is combined with the first activation code to reproduce a codeword. The first secret string is reconstructed by encoding the codeword. The codeword is combined with the first activation code to reproduce the PUF response. Inverse anti-aging is applied to the PUF response. Then a second secret string is generated using a random number generator (RNG). The second secret string is encoded to produce a new codeword. The new codeword is combined with the recovered PUF response to create a second activation code. The second activation code is hashed with the second secret string to provide a second PUF key.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: December 4, 2018
    Assignee: NXP B.V.
    Inventors: Bruce Murray, Helmut Alexander Goettl, Sven Heine, Christiaan Kuipers
  • Patent number: 10148654
    Abstract: Encryption is provided for a wireless network comprising a first wireless station and at least a second wireless station. First messages are exchanged between the first wireless station and the second wireless station over a first synchronous wireless link to establish a shared secret and a first session key, the first messages not being encrypted. The MAC layer of the first synchronous wireless link is then encrypted using encryption on the basis of the first session key, then further messages are exchanged between the first wireless station and the second wireless station over the first synchronous wireless link to establish a second session key, the further messages being encrypted by the encryption of the MAC layer of the first synchronous wireless link. The MAC layer of the first synchronous wireless link is then encrypted using encryption on the basis of the second session key.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: December 4, 2018
    Assignee: CAMBIUM NETWORKS LTD
    Inventors: Mark Thomas, Richard Carter, Gregor Dean
  • Patent number: 10148669
    Abstract: An encryption key management system includes an encryption IHS that is coupled to a network. The encryption key management system also includes a host processing system. An off-host processing system in the encryption key management system is coupled to the host processing system and is coupled to the encryption IHS through the network. The off-host processing system provides an encryption key request to the encryption IHS through the network, receives an encryption key from the encryption IHS through the network and stores the encryption key, provides the encryption key to the host processing system in response to authenticating a user, and revokes the encryption key in response to a revocation instruction received from the encryption IHS through the network. The providing the request, and the receiving, providing, and revoking the encryption key may be performed by the off-host processing system while the host-processing system is not in an operating mode.
    Type: Grant
    Filed: May 7, 2014
    Date of Patent: December 4, 2018
    Assignee: Dell Products, L.P.
    Inventors: Charles Robison, Daniel Hamlin
  • Patent number: 10129214
    Abstract: A system and method of executing secure communications between first and second domains includes a first logical unit and a second logical unit. The first logical unit periodically calculates timestamps and hashes. The first logical unit also transmits a web form to a node of a first domain responsive to a request and the web form is displayed to a user. The first logical unit receives data input to said web form by the user and enhances the data by adding one or more security services. The first logical unit translates the received data from a first network application level protocol to a target network application level protocol while preserving said data security enhancements and transmits the translated data across a public network. A second logical unit de-enhances the translated data and filters the translated data. The second logical unit further authorizes the filtered data and transmits the filtered data to a node of the second domain for use in an application.
    Type: Grant
    Filed: July 6, 2016
    Date of Patent: November 13, 2018
    Inventor: Paul C. Clark
  • Patent number: 10116638
    Abstract: A method and device for uploading data to a social platform. The method includes a plugin set into an application program. The plugin integrates at least one Application Program Interface (API) possessing publishing function provided by at least one social platform. A request for uploading data to a social platform is received and data to be uploaded is obtained according to the request. The data is uploaded to the corresponding social platform through an API possessing publishing function integrated by the plugin. Data may be uploaded through the plugin to one or more social platforms simultaneously without launching a client terminal of the corresponding social platforms.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: October 30, 2018
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Yonghua Li
  • Patent number: 10110383
    Abstract: The techniques presented herein provide managing embedded and external key management systems in a data storage system. An embedded encryption key management system is selected. A first unique signature is generated using a time parameter and a randomly generated value. A backup copy of the lockbox is created, wherein access to the backup copy of the lockbox requires providing a minimum number of unique data storage system values. The encryption key management system is switched to external. A second unique signature is generated for use with the local lockbox, wherein the signature is generated using a time parameter and a randomly generated value. The encryption key management system is switched back to embedded and a third unique signature is generated for use with the local lockbox, wherein the signature is generated using a time parameter and a randomly generated value.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: October 23, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Ashok Tamilarasan, Naizhong Chiu (Qiu), Mahadevan Vasudevan
  • Patent number: 10110602
    Abstract: A system, method, and apparatus for providing secure communications to one or more users through an unclassified network. The system may include a network access management device that may have a plurality of internal data network communications interfaces configured to communicate with at least one classified computing device using a National Security Agency (NSA) Commercial Solution for Classified (CSfC) comprised solution and an external data network communications interface configured to communicate with an unclassified network. A network access management device may use an inner NSA CSfC approved tunneling technology, an outer NSA CSfC approved tunneling technology, and a processor configured to perform processing and routing protocols associated with interconnecting the internal data network communications interface and the external data network communications interface.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: October 23, 2018
    Assignee: KCT HOLDINGS, LLC
    Inventor: Keiron Christopher Tomasso
  • Patent number: 10110375
    Abstract: A cryptographic device and a secret key protection method are provided. The cryptographic device protects a secret key of the cryptographic device when processing a message. The cryptographic device includes: a secret key protection circuit, configured to generate an anti-crack protection signal according to the message and the secret key by a hash calculation circuit; and a cryptographic processor, configured to process the message and the secret key according to the anti-crack protection signal to generate an encrypted message.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: October 23, 2018
    Assignee: MSTAR SEMICONDUCTOR, INC.
    Inventor: Ching-Wen Ma
  • Patent number: 10103884
    Abstract: An information processing device includes a first processor, an information protection circuit, and a first communication path which connects between the information protection circuit and the first processor. The information protection circuit includes an interface circuit which connects the information protection circuit to the first communication path, a second processor, and a first memory which is inaccessible from the first processor but accessible from the second processor. When a command received from the first communication path is a command destined for the information protection circuit, the interface circuit passes the command to the second processor and the second processor executes a process related to information stored in the first memory in accordance with the command, but when the command received from the first communication path is not a command destined for the information protection circuit, the interface circuit does not pass the command to the second processor.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: October 16, 2018
    Assignee: FUJITSU LIMITED
    Inventor: Kiyoshi Kohiyama
  • Patent number: 10089679
    Abstract: The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: October 2, 2018
    Assignee: The 41st Parameter, Inc.
    Inventor: Ori Eisen
  • Patent number: 10091217
    Abstract: Utilities (e.g., methods, systems, apparatuses, etc.) for use in generating and making use of priority scores for data generated by one or more data systems that more accurately prioritize those events and other pieces of data to be addressed by analysts and troubleshooters before others (e.g., collectively taking into account threats posed by origin host components and risks to impacted host components) to work the highest risk events and alarms first and to effectively and efficiently spend their alarm monitoring time.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: October 2, 2018
    Assignee: LogRhythm, Inc.
    Inventors: Christopher L. Petersen, Mark Vankempen
  • Patent number: 10083301
    Abstract: A method of detecting malware present on a computer system. A set of applications is predefined as benign, and profiles are provided for respective benign applications. Each profile identifies one or more procedures known to be performed by the associated benign application, each procedure being identified by a characteristic action and one or more expected actions. Behavior of the computer system is monitored to detect performance, by a running application, of a characteristic action of a procedure of a benign application. Upon detection of performance of a characteristic action, the profile provided for the associated benign application is used to detect a deviation from the expected actions of the procedure; and the detection of a deviation is used to identify the running application as malicious or suspicious.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: September 25, 2018
    Assignee: F-Secure Corporation
    Inventor: Daavid Hentunen
  • Patent number: 10085299
    Abstract: In embodiments, apparatuses, methods, and storage media may be described for secure broadcast of discovery information of a discoverable user equipment (UE) in a device-to-device (D2D) network. Specifically, the discovery information may be encrypted with a first encryption key, and then the result of that encryption may be re-encrypted with a second encryption key. The dual-encrypted discovery information may then be broadcast in a cell. Upon reception of the dual-encrypted discovery information, a discovering UE with the appropriate decryption keys may decrypt the message to identify the discovery information. Based on the decrypted discovery information, the discovering UE may identify the presence of the discoverable UE.
    Type: Grant
    Filed: June 6, 2014
    Date of Patent: September 25, 2018
    Assignee: Intel Corporation
    Inventors: Achim Luft, Muthaiah Venkatachalam
  • Patent number: 10083309
    Abstract: Methods and systems for secure cloud storage are provided. According to one embodiment, file storage policies are maintained for users of an enterprise network by a trusted gateway device interposed between the network and multiple third-party cloud storage services. Responsive to receiving a request to store a local file from a user: (i) searchable encrypted data is created by the gateway corresponding to one or more of (a) content of the local file and (b) metadata associated with the local file and (ii) the searchable encrypted data is distributed by the gateway among the cloud storage services based on a storage diversity requirement defined by the user's file storage policy by uploading a subset of the searchable encrypted data to each of the cloud storage services.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: September 25, 2018
    Assignee: Fortinet, Inc.
    Inventor: David A. Redberg
  • Patent number: 10079768
    Abstract: In one embodiment, a device in a network receives traffic data associated with a particular communication channel between two or more nodes in the network. The device generates a mean map by employing kernel embedding of distributions to the traffic data. The device forms a representation of the communication channel by identifying a set of lattice points that approximate the mean map. The device generates a traffic classifier using the representation of the communication channel. The device uses machine learning to jointly identify the set of lattice points and one or more parameters of the traffic classifier. The device causes the traffic classifier to analyze network traffic sent via the communication channel.
    Type: Grant
    Filed: July 7, 2016
    Date of Patent: September 18, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jan Kohout, Tomas Pevny
  • Patent number: 10069851
    Abstract: Systems and methods for managing forwarded infectious messages are provided. Managing an electronic message comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded, and preventing the infectious forwarded message from spreading.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: September 4, 2018
    Assignee: SONICWALL INC.
    Inventors: Jennifer Rihn, Jonathan J. Oliver
  • Patent number: 10061925
    Abstract: A number of events are counted in different layers of a computing environment during execution of a software application. The number of counted events can be compared to a previously generated cluster set to determine that at least one of the counted events is an outlier. Data can then be provided that characterizes the at least one of the counted events determined to be an outlier. In some cases, some or all of the functionality of the software application can be selectively disabled. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: August 28, 2018
    Assignee: SAP SE
    Inventors: Martin Haerterich, Martin Johns