Abstract: An approach is provided for managing data duplication in cloud computing. A method comprising, sending from a first device to a data center, data encrypted with a data encryption key for storing the encrypted data at the data center; encrypting the data encryption key according to an attribute-based encryption (ABE) scheme by using identity as an attribute in a deduplication policy for the data; issuing to a second device, a personalized secret attribute key which is derived from a public key of the second device according to the attribute-based encryption (ABE) scheme, wherein the personalized secret attribute key is to be used for decrypting the encrypted data encryption key at the second device, in combination with the policy.

Abstract: A digital content delivery system transmits, to a client device, a request for a set of verification data as part of an account registrations process to verify that a user of the client device is providing accurate information regarding their identity. The digital content delivery system receives a subset of the verification data and determines that the user has provided sufficient verification data to verify that the user of the client device is providing accurate information regarding their identity. In response, the digital content delivery system generates a unique identifier for the user account, which enables the user to access digital content maintained by the digital content delivery system. The digital content is provided to the user embedded with the unique identifier for the user account.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered, and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.

Abstract: A system and method for securely sharing files from a cloud storage are provided. The method includes capturing an electronic message sent by a client device, the electronic message designating at least one recipient, wherein the electronic message includes at least one attachment; identifying the at least one attachment and the at least one recipient designated in the electronic message; sending, to a cloud storage system (CSS), a list indicating the identified at least one recipient; receiving, from the CSS, a link to a shared folder, wherein the shared folder is in the CSS; replacing, in the electronic message, the at least one attachment with the received link; uploading, to the shared folder, at least one of the at least one attachment; and sending, to the at least one recipient, the electronic message with the replaced link, wherein at least one authentication procedure is applied for one of the at least one recipient upon activation of the replaced link by the recipient.

Abstract: A secure client-server connection method compatible with RESTful (REpresentational State Transfer) APIs (Application Programming Interface) that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value which it pairs with the token. The random value is hashed. The hash value is transmitted to the client contained in the token and the random value is transmitted to the client contained in an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the token's hash value.

Abstract: Methods and apparatus, including computer program products, are provided for securing data in a multi-tenant cloud-based system. In some implementations, there is provided a method. The method may include requesting access to at least one encrypted data element; obtaining, in response to the requesting, a long bit stream assigned to a client associated with the requested access; generating a key to decrypt the at least one data element, the key generated by selecting, based on a permutation, portions of the long bit stream; and decrypting, based on the generated key, the at least one data element. Related systems, methods, and articles of manufacture are also disclosed.

Abstract: A computer-implemented method includes selecting a prompt from a plurality of prompts stored in a prompt database, wherein the prompt comprises instructions to draw a mark, and wherein other prompts of the plurality of prompts comprise instructions to draw other marks different from the mark. The method also includes the steps of providing the prompt to a user as part of a logon process for an online account session, identifying behavioral characteristics of the user while the user draws the mark, comparing the behavioral characteristics to a behavioral profile previously developed based on prior behavioral characteristics of the user, and providing access to the online account session in response to determining that a variation between the behavioral characteristics and the behavioral profile is within a threshold.

Abstract: The system and methods described herein can detect and register devices. One or more processors receive a device identifier of a first device. The device identifier of the first device is authorized responsive to performing a lookup in a first set of databases using the device identifier. The processors receive a record of an event corresponding to the device identifier, the record including the device identifier, a first value associated with the device identifier, and a first event identifier identifying the event. The processors store a first entry identifying the device identifier, the first value, the first event identifier, a specification of the first device, and a first status indicating the first device is authorized. The processors assign the device identifier of the first device to a first group of the plurality of groups. The processors provide data corresponding to the first device and the first status.

Abstract: A system for changing roaming policy configuration on an authentication, authorization, accounting (AAA) system. The system comprises a processor, a non-transitory memory, and an AAA policy change application stored in the non-transitory memory. When executed by the processor, the AAA policy change application launches execution of a plurality of instances of the automation script, monitors a progress of the instances of the automation script, compares the progress of the instances of the automation script to a time remaining of a predefined maintenance time window, where the AAA policy change application is configured to halt an in-progress update of roaming policy configuration on the plurality of AAA nodes based on the comparison of the progress of the instances of the automation script being insufficient relative to the time remaining of the predefined maintenance time window, and copies roaming policy files updated by the automation script to AAA nodes.

Abstract: A data-entry device includes an upper cover to which a capacitive pad is affixed through the exterior. The capacitive pad has at least one flexible security element having at least one electrical track connected to a cut-detection module in the device. The shape and the mounting of the at least one security device is adapted to exert a force on the internal face of the upper cover.

Abstract: A system for security intelligence automation using flows is disclosed. In various embodiments, a system includes a processor configured to provide a graphical user interface for at least one visual flow for threat ranking. The processor is further configured to render, in the graphical user interface, a visual flow interface for at least one of generating and configuring the at least one visual flow. The processor is further configured to provide, via the visual flow interface, a drag and drop ranking automation flow.

Abstract: Methods and systems for developing and distributing applications and data for building security applications can be provided. A plurality of data policies can be set for access and/or filtering security data based on selected parameters. One or more modules can be generated for processing the security data, with each of the modules governed by one or more module policies. Upon receipt of a request to initiate execution of the one or more modules to access and process a selected portion or filtered set of the security data, it can be determined if the request violates the data policies and/or the module policies applicable for processing the selected portion or filtered set of the security data, and if the data policies and/or the module policies are not violated, the one or more modules can be executed to process the selected portion or filtered set of the security data.

Abstract: Techniques for authentication via a mobile device are provided. A mobile device is pre-registered for website authentication services. A user encounters a website displaying an embedded code as an image alongside a normal login process for that website. The image is identified by the mobile device, encrypted and signed by the mobile device and sent to a proxy. The proxy authenticates the code and associates it with the website. Credentials for the user are provided to the website to automatically authenticate the user for access to the website bypassing the normal login process associated with the website.

Abstract: A network apparatus according to an embodiment comprises: a storage unit configured to store apparatus information in which information on a model identifier of a terminal apparatus and use authentication information indicating that the terminal apparatus is granted a use authentication by a predetermined network operator are associated; a receiver configured to receive, from another network apparatus, information on a model identifier of a user terminal accessing a network managed by the predetermined network operator; and a controller configured to notify, based on the information on the model identifier of the user terminal and the apparatus information, the other network apparatus of information for determining whether or not to provide a communication service to the user terminal.

Abstract: Implementations of this disclosure provide an authentication system for handling authentication requests. An example method performed by a server includes receiving an access request that includes identification information to be used by the server for selecting a target authentication system, and determining that the access request does not have access permission. In response to determining that the access request does not have access permission, the server selects the target authentication system from at least two authentication systems, based on a predetermined authentication system selection policy and based on the identification information in the access request, and sends the access request to the selected target authentication system for authentication.

Abstract: A connection control apparatus is configured such that a connection count calculator calculates a TCP connection count, which is the number of TCP connections established between a server and one or more clients on a network, of each of servers on the network. The connection control apparatus is configured such that, when a determiner determines that the calculated count is larger than or equal to a predetermined threshold value, an anomalous connection detector detects anomalous connection, and a packet controller controls packet transmission and reception over the anomalous connection.

Abstract: A method of securing user data provided through a webpage includes receiving an electronic file defining a webpage displayable by a computer. The webpage is initially configured to present an input field for receiving user data from a user, and instruct the computer to transmit the user data to a defined server. The method includes executing code that causes the computer to reconfigure the webpage to present a replacement field for receiving the user data from the user instead of the input field; and upon receiving user data in the replacement field, transmit said user data to a secured server instead of the defined server. The secured server may tokenize the data. The computer receives token data from the secured server; and transmits the token data instead of the user data to the defined server.

Abstract: A method is provided for establishing a secure communication session in a communication system. The method includes providing a handshake layer functional block and providing a record layer functional block separate from the handshake layer functional block. Functionality of the record layer functional block is not duplicated in the handshake layer functional block. The record layer functional block of a first communication peer generates an ephemeral key pair. A public key of the ephemeral key pair is transmitted to the handshake layer functional block of a second communication peer via the handshake layer functional block of the first communication peer. A session key is generated from the public key of the second communication peer and a private key of the first communication peer. Messages communicated between the first communication peer and the second communication peer are protected using the session key.

Abstract: A method and apparatus of monitoring computer devices operating on a network is disclosed. One example method may include discovering and monitoring a plurality of network devices operating on a network. The method may include scanning the network to discover various network devices and determining a device type of each of the network devices. The method may also include determining attributes corresponding to each of the network devices, monitoring the attributes corresponding to each of the network devices and compiling a list of attribute information based on the monitoring operation and storing the list of attribute information in a memory. The device discovery and monitoring may be performed autonomously without user intervention allowing computer devices to be discovered and monitored as they are added to the network.

Abstract: A vehicular scalable secure gateway system for a vehicle includes a connected gateway and a secure gateway. The vehicular scalable secure gateway system provides flexibility to add and/or remove one or more particular security measures based on the need for the particular security measure or measures.