Patents Examined by C. Lewis
  • Patent number: 11290493
    Abstract: Methods and systems for managing security in a cloud computing environment are provided. Exemplary methods include: receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment; identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges; getting a security intent, the security intent including a high-level security objective in a natural language; obtaining a security template associated with the security intent; and applying the security template to the identified nodes and edges to produce security rules for the security policy, the security rules at least one of allowing and denying communications between the target and other workloads of the plurality of workloads.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: March 29, 2022
    Assignee: vArmour Networks, Inc.
    Inventors: Marc Woolward, Meng Xu, Hong Xiao, Keith Stewart, Matthew M. Williamson
  • Patent number: 11290277
    Abstract: Provided is a data processing system in which data are uploaded from a user terminal A to data storage server, and data are accessed from a user terminal B. User terminal A and B have a key KA and KB, respectively. Data storage server has a replacement key KA→B. User terminal A generates an authenticator tag with data M and temporary key R, generated by user terminal A, and generates a key k with temporary key R and key KA. User terminal A transmits data M, key k, and authenticator tag to the data storage server. Data storage server generates a key k′ from key k and replacement key KA→B, and transmits data M, key k′, and the message authenticator tag to user terminal B. User terminal B generates temporary key R with key k′ and key KB and generates an authenticator tag′ to compare with the received authenticator tag.
    Type: Grant
    Filed: February 18, 2016
    Date of Patent: March 29, 2022
    Assignee: HITACHI, LTD.
    Inventor: Hisayoshi Sato
  • Patent number: 11283765
    Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11283608
    Abstract: A device and method for processing a ciphertext, including determining a seed using a secret key and the ciphertext, extracting a public key candidate from the ciphertext using the seed, determining a checkvalue candidate based on the public key candidate, comparing the checkvalue candidate with a checkvalue, and further processing the ciphertext if the comparison indicates that the checkvalue candidate corresponds to the checkvalue.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: March 22, 2022
    Assignee: Infineon Technologies AG
    Inventor: Thomas Poeppelmann
  • Patent number: 11283766
    Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11283767
    Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Mingxu Huo, Fengliang Hu
  • Patent number: 11277269
    Abstract: System and methods for generating and authenticating verifiable network traffic. Specifically, the system and methods disclosed herein describe solutions for augmenting layer-2 (L2) frames with additional verifiable information entailing, for example, hash-based message authentication code encryption or digital signature authentication. These solutions may address scenarios where evidence of tampering, through deceptive practices, of network traffic data may prove difficult to detect.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: March 15, 2022
    Assignee: Arista Networks, Inc.
    Inventors: David Snowdon, Russel Lowes, Peter Testrake, Daniel Farrell
  • Patent number: 11265290
    Abstract: Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: March 1, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11258590
    Abstract: Described herein are methods, systems, and computer-readable storage media for managing cryptographic keys needed for peripheral devices to securely communicate with host computing devices. Techniques include receiving, at a centralized identity management resource, a first key that is part of a cryptographic key pair comprising the first key and a second key, wherein the second key is stored at a peripheral device for use by the peripheral device in encrypting data. Techniques further include identifying a first host computing device that is permitted to engage in secure communications with the peripheral device. Further, making available the first key from the centralized identity management resource to the first host computing device to enable the first host computing device to decrypt the encrypted data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omar Tsarfati, Asaf Hecht, Hadas Elkabir
  • Patent number: 11245516
    Abstract: Systems and methods to produce shared secret data are generally described. In some examples, a first device may receive a first public key from a second device. The first device may produce a first public key based on the first public key of the second device. The respective private keys of each device may be associated with the first public keys of each device. Each device may produce a second public key based on respective private keys and the other device's first public key. Each device may transmit a second public key to the other device. The first device may produce the shared secret data based on its private key and the second public key of the second device. The second device may produce the shared secret data based on its private key and the second public key of the first device.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: February 8, 2022
    Assignee: VERIDIFY SECURITY INC.
    Inventors: Iris Anshel, Dorian Goldfeld
  • Patent number: 11212115
    Abstract: An information processing apparatus generates a public key pair in accordance with a certificate issuance request, generates a certificate signing request based on the public key pair and transmits an electronic certificate issuance request to an external apparatus. The information processing apparatus receives a response transmitted from the external apparatus as a response to the electronic certificate issuance request, obtains an electronic certificate included in the received response and causes an application to enable its use of the obtained electronic certificate.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: December 28, 2021
    Assignee: CANON KABUSHIKI KAISHA
    Inventors: Naoya Kakutani, Hisayuki Yamauchi
  • Patent number: 11200305
    Abstract: A computer-implemented method for controlling access to a computing device based on one or more facial expression configurations of a user. The method captures the one or more facial expression configurations of the user, and matches the captured one or more facial expression configurations of the user with one or more defined facial expression configurations, wherein the one or more defined facial expression configurations are associated with one or more access permissions, or actions to be performed by the computing device. The method further grants the one or more access permissions to the user based on the match, and/or performs the action associated with the match. In additional embodiments, the method may further create one or more user profiles of the user, wherein each of the one or more user profiles is configured to include one or more access permissions.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: December 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Stephen Paul Ridgill, II, Randy A. Rendahl, Ashley Kristin Silva, Jana H. Jenkins
  • Patent number: 11196772
    Abstract: To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed.
    Type: Grant
    Filed: October 3, 2019
    Date of Patent: December 7, 2021
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Evgene Vahlis, Paul Giura
  • Patent number: 11195225
    Abstract: The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: December 7, 2021
    Assignee: The 41st Parameter, Inc.
    Inventor: Ori Eisen
  • Patent number: 11184166
    Abstract: Described is a system for jointly generating a random value amongst a set of servers for secure data sharing. The set of servers initiates a randomness generation protocol where each server in the set of servers selects a randomly generated polynomial and broadcasts a cryptographic hash function of the randomly generated polynomial. Each server sends its value of the cryptographic hash function of the randomly generated polynomial to the set of servers. The randomness generation protocol is used in a multi-party computation protocol to ensure a set of data is securely shared electronically amongst the set of servers via a secure, authenticated broadcast channel.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: November 23, 2021
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Hyun (Tiffany) J. Kim
  • Patent number: 11171972
    Abstract: Systems, methods, devices, instructions, and media are described for generating suggestions for connections between accounts in a social media system. One embodiment involves storing connection graph information for a plurality of user accounts, and identifying, by one or more processors of the device, a first set of connection suggestions based on a first set of suggestion metrics. A second set of connection suggestions is then identified based on a second set of suggestion metrics, wherein the second set of connection suggestions and the second set of suggestion metrics are configured to obscure the first set of connection suggestions, and a set of suggested connections is generated based on the first set of connection suggestions and the second set of connection suggestions. The set of connection suggestions is then communicated to a client device method associated with the first account.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: November 9, 2021
    Assignee: Snap Inc.
    Inventors: Jonathan Brody, Donald Giovannini, Edward Koai, Jie Wu, Lin Zhong
  • Patent number: 11165564
    Abstract: Embodiments are directed to managing resources over a network. Objects that each correspond to a separate key container may be provided such that each separate key container includes a region key, a shard key, and a nonce key. A data center and a data store may be determined for each object based on the region key and the shard key included in each separate key container such that a value of the region key corresponds to the data center and a value of the shard key corresponds to the data store.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: November 2, 2021
    Assignee: SkedgeAlert, Inc.
    Inventor: Darryl Pennock West
  • Patent number: 11159318
    Abstract: A method for establishing connection weights between network nodes is implemented by communicating data processing units, a public key and a private key being associated with each node, a given node being able to communicate its public key to another node, thus forming a so-called real connection (“IRL-connected”) between two nodes, and each node also being able to communicate to another node a public key received from yet another node, thus forming a so-called indirect connection between the other node and the yet another node. Each node can have a specific connection weight in relation to another node with which it has a real or indirect connection. In order to determine the connection weight of a second node in relation to a first node, the method comprises calculating a set combination of weighting factors (influence, proximity) of third nodes that are IRL-connected to the second node.
    Type: Grant
    Filed: January 16, 2017
    Date of Patent: October 26, 2021
    Inventor: Enrico Maim
  • Patent number: 11159564
    Abstract: Zero-day attacks with unknown attack signatures are detected by correlating behavior differences of a plurality of entities. An entity baseline behavior for each entity of the plurality of entities is determined (310); the entity baseline behavior includes multiple variables. An entity behavior difference for each entity is determined at a series of points in time (320). Correlations between the entity behavior differences for the plurality of entities are determined at the series of points in time (330). Based on these correlations, it is determined whether the plurality of entities is exhibiting coordinated behavior differences (340). An attack signature is determined based on the entity behavior differences and the correlations (350). A database of attack signatures is generated (360).
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: October 26, 2021
    Assignee: Google LLC
    Inventor: Animesh Nandi
  • Patent number: 11144650
    Abstract: A semiconductor device for provisioning secure information of a demander includes a device key storage configured to store a device key provisioned by a supplier of the semiconductor device, a master key generator configured to generate, based on the device key and demander data provisioned by the demander, a master key of the demander by using a first operation shared with the supplier and a second operation shared with the demander, and a cryptographic engine configured to perform a cryptographic operation based on the master key.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: October 12, 2021
    Inventors: Ki-Tak Kim, Ki-Seok Bae, Jin-Su Hyun, Young-Moon Sonn, Hyo-Sun Hwang