Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router implementing an high level policy that has been dynamically resolved into a state of the mapping database.

Abstract: A mobile secure agent on a wireless device executes one or more authenticated data collection profiles provisioned by a private profile producer. Each data package can only be transmitted to a collector certificated by the same private profile producer. Update profiles are signed and provisioned through a tunnel initiated from the mobile secure agent. A Certificate Authority provides libraries, anchors, and certificates in a key management message module to each mobile secure agent which enables revocation and replacement of certificates. Data stored in this way on a wireless device may only be transmitted in encrypted form to an authenticated destination.

Abstract: Disclosed in a device for the secure transmission and storage of data. The device for information to be securely stored on a storage device. A first data processing device is connected using a unidirectional link to a second data processing device. The first data processing device is given information from an external source, which is then transmitted using said unidirectional link. The first data processing transmits data to the second data processing device, which in turn stores the data either internally or externally on the storage device. The second data processing device optionally signals a user if the transmission was successful.

Abstract: A method for reading or writing data at an address of a memory is disclosed. The data includes a number of consecutive words that each has a plurality of bits. The words are transferred to or from the memory in synchronization with a clock signal so that each word is transferred in one cycle of the clock signal. The bits are scrambled or unscrambled by applying a logic function to the bits of each word. The logic function is identical for the scrambling and the unscrambling and makes use of a bit-key that is dedicated to the word and is identical for the scrambling and the unscrambling. Each bit-key comes from a pseudo-random series generated based on the address.

Abstract: Embodiments include method, systems and computer program products for preventing unauthorized resource updates. In some embodiments, it may be determined that a mainframe computer is not within a service period. A control file may be obtained and decrypted. Using the decrypted control file, the mainframe computer may be determined to be authorized. An available resource update file may be selected based on a determination that the mainframe computer is authorized. An update to a resource of the mainframe computer may be facilitated based on the available resource update file.

Abstract: Exemplary systems and methods are disclosed for providing access through security key pairs. One exemplary method includes generating, by a platform, a key pair specific to a user and associated with an access period to an asset, where the key pair includes a first key and a second key associated with the first key, and storing the key pair in a data structure. The method also includes distributing the first key to an application associated with the user and distributing the second key to an access system of the asset. The method further includes receiving an access request for the asset during the access period and including the first key, identifying from the data structure the second key of the key pair based on the received first key, and transmitting a message including the second key to the access system for allowing, or not, access to the asset.

Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.

Abstract: A method for securing a KVM Matrix system by inserting a plurality of input security isolators, each of the input security isolators is placed between a host computer and matrix host adapter of the KVM matrix system to enforce security data flow policy that is applicable for the corresponding host computer. Additionally, a security filter is placed between peripheral devices and a matrix console adapter to enforce security data flow policy that is applicable for the corresponding peripheral devices.

Abstract: The disclosed computer-implemented method for detecting low-density training regions of machine-learning classification systems may include (i) receiving a training dataset that is used to train a classifier of a machine-learning classification system, (ii) calculating a density estimate of a distribution of the training dataset, (iii) receiving a sample that is to be classified by the classifier, (iv) using the density estimate to determine that the sample falls within a low-density region of the distribution of the training dataset, and (v) performing a security action in response to determining that the sample falls within the low-density region. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The present embodiments relate to methods and apparatuses for side-band management of security for server computers. According to certain aspects, such management is directed to the security of data that is stored under the local control of the server, as well as data that flows through the network ports of the server. Such locally stored data is secured by encryption, and the encryption keys are managed by a management entity that is separate from the server. The management entity can also manage the security of network data flowing through the server using its own configuration of network security applications such as firewalls, monitors and filters.

Abstract: The present disclosure provides a method and a device for preventing DNS cache poisoning. According to an example of the method, a preventing equipment may forward a first DNS query request packet sent by a DNS server to a first authoritative DNS server. The preventing equipment may construct a second DNS query request packet including the target domain name and send the second DNS query request packet to a second authoritative DNS server when a first DNS reply packet received for the first DNS query request packet indicates a DNS cache poisoning attack occurs. When a second DNS reply packet received for the second DNS query request packet indicates no DNS cache poisoning attack occurs, the preventing equipment may generate a final DNS reply packet according to the second DNS reply packet and feed back the final DNS reply packet to the DNS server.

Abstract: A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place.

Abstract: A system and method for providing secure private electronic communications. An exemplary method includes encrypting a hidden message using an encryption scheme; encoding the encrypted hidden message in a source message; providing the source message having the encoded hidden message by a first electronic device; and transmitting a decryption key to a second electronic device. Moreover, the second electronic device can capture the encoded hidden message provided by the first electronic device, decode the hidden message, and extract the hidden message using the decryption key so that the hidden message can be rendered by the second electronic device.

Abstract: A service receives a request from a user of a group of users to perform one or more operations requiring group authentication in order for the operations to be performed. In response, the service provides a first user of the group with an image seed and an ordering of the group of users. Each user of the group applies a transformation algorithm to the seed to create an authentication claim. The service receives this claim and determines, based at least in part on the ordering of the group of users, an ordered set of transformations, which are used to create a reference image file. If the received claim matches the reference image file, the service enables performance of the requested one or more operations.

Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.

Abstract: Disclosed herein are systems and methods for a security gateway to process secure network sessions where there is a server certificate validation error. In various embodiments, varying security policies can be applied to the secure network sessions, including intercepting of network data, bypass of the security gateway, or termination of the secure sessions.

Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.

Abstract: In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, cause the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, to implement an action to prevent further dissemination of information, and the like.

Abstract: An electronic device includes a processor and a memory functionally connected to the processor. The electronic device acquires user's biometric information through a biometric sensor, determines virtual biometric information corresponding to the acquired biometric information, and transmits the virtual biometric information to an external electronic device through communication circuitry. The electronic device may include the biometric sensor, the communication circuitry, and the memory may be electrically connected to the biometric sensor and the communication module and store instructions to be executed by the processor.

Abstract: A vehicle key programming system and method for chip reading and writing, key and remote programming and remote frequency testing. The system tracks programming usage when not connected to system servers and reports such usage upon connection. Immobilizer algorithms are used to program and such algorithms are optimized with each attempted use.