Patents Examined by Christopher Revak
  • Patent number: 10129276
    Abstract: Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: November 13, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Carmit Sahar, Eyal Kolman, Shay Amram, Alon Kaufman
  • Patent number: 10120984
    Abstract: An information processing apparatus includes a data processing unit which executes processing for decoding and reproducing encrypted content. The data processing unit executes processing for determining whether the content can be reproduced by applying an encrypted content signature file. The encrypted content signature file stores information on issue date of the encrypted content signature file and an encrypted content signature issuer certificate with a public key of an encrypted content signature issuer. In determining whether the content can be reproduced, the data processing unit compares expiration date of the encrypted content signature issuer certificate with the information on issue date of the encrypted content signature file, and does not perform processing for decoding and reproducing the encrypted content when the expiration date is before the issue date, and performs the processing for decoding and reproducing the encrypted content only when the expiration date is not before the issue date.
    Type: Grant
    Filed: November 6, 2012
    Date of Patent: November 6, 2018
    Assignee: Sony Corporation
    Inventors: Yoshiyuki Kobayashi, Hiroshi Kuno, Takamichi Hayashi
  • Patent number: 10116447
    Abstract: An authentication method is disclosed. To authenticate a user, a mobile device may request identification and verification from the user. Upon receiving a positive identification and verification response from the user, the mobile device may generate a cryptogram using a user identification (ID) associated with the user, a timestamp, a device ID associated with the mobile device, a service provider application ID associated with the service provider application, and a service provider device ID. The mobile device may transmit the generated cryptogram, the user ID, the timestamp, the device ID, the service provider application ID, and the service provider device ID, to a service provider computer associated with the service provider application. The service provider computer may decrypt the cryptogram and compare the decrypted data elements to the received data elements to validate and authenticate the user.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: October 30, 2018
    Assignee: Visa International Service Association
    Inventors: James Gordon, Roopesh Joshi, David Horton
  • Patent number: 10114942
    Abstract: In response to a user access request, a media object containing a plurality of media components is constructed and transmitted to the user. At least one of the media components has been categorized as having different degrees of relevance to humans from a first culture/geographical location and humans from a second culture/geographical location. The user is prompted to solve a puzzle by selecting one or more of the media components or rearranging a location, size, appearance, or orientation of one or more of the media components. A description of an action performed by the user in response to the prompting is obtained. A determination is made, based on the obtained description of the action performed by the user, whether the user is more likely to be a human from the first culture/geographical location or a machine or a human from outside the first culture/geographical location.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: October 30, 2018
    Assignee: PAYPAL, INC.
    Inventors: Bjorn Markus Jakobsson, Jim Roy Palmer, Gustavo Maldonado
  • Patent number: 10110629
    Abstract: A honeypot resource management service receives a request to provision one or more honeypot resources. In response to the request, the service identifies at least one computing resource service that is to be used to present the one or more honeypot resources. The service generates configuration information that is transmitted to the at least one computing resource service to cause the computing resource service to present the one or more honeypot resources to users in accordance with a set of parameters specified in the configuration information.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: October 23, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: William Frederick Hingle Kruse, Hassan Sultan, Nicholas Howard Brown, James Leon Irving, Jr., Donald Lee Bailey, Jr.
  • Patent number: 10108807
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.
    Type: Grant
    Filed: November 18, 2014
    Date of Patent: October 23, 2018
    Assignee: Security First Corp.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 10110384
    Abstract: In particular embodiments, a computing device accesses a device identifier that is encoded in the hardware of the computing device. The device identifier is used to generate a device key that will uniquely identify the particular computing device. The computing device stores the device key in a data store, and sends the device key to be stored on a first computer server. The computing device subsequently requests a user action from a second computer server, and the second computing server requests user authentication. The computing device generates a first authentication code using a cryptographic hash algorithm and the device key, and sends the first authentication code to the second computer server. The computing device is authenticated based on a second authentication code generated by the first computer server using the device key.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: October 23, 2018
    Assignee: Facebook, Inc.
    Inventors: Jacob Andrew Brill, Daniel Gregory Muriello
  • Patent number: 10104106
    Abstract: A device may receive an object. The device may determine object information for the object. The device may cause an Internet search, based on the object information, to be performed to determine Internet search results. The object information may be provided as one or more Internet search queries for the Internet search. The device may receive the Internet search results based on causing the Internet search to be performed. The Internet search results may be related to the object information. The device may analyze the Internet search results to determine Internet-based object information. The device may store or provide the Internet-based object information to permit a determination as to whether the object is malicious.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: October 16, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Jacob Asher Langton, Zhenxin Zhan, Daniel J. Quinlan, Kyle Adams
  • Patent number: 10104100
    Abstract: A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks may include (1) identifying a sequence of activities performed on a computing device, (2) calculating a cumulative influence score between pairs of activities in the sequence of activities through convolution of the sequence of activities, (3) detecting an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device, and (4) in response to detecting the anomaly, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: October 16, 2018
    Assignee: Symantec Corporation
    Inventor: Walter Bogorad
  • Patent number: 10097545
    Abstract: Artificial biometric traits self-nullify due to natural physiological processes. Biometric enrollment and authentication may then be based on a life associated with the self-nullifying biometric trait. Once the life is expected to have expired, no further authentication may be performed until a new artificial biometric is applied.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: October 9, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Julio A. Cartaya
  • Patent number: 10091170
    Abstract: In one embodiment, a method includes establishing at a security device, a secure session for transmitting data between a client device and an end host, receiving decrypted data at the security device from the client device, inspecting the decrypted data at the security device, encrypting the decrypted data at the security device, and transmitting encrypted data to the end host. Decryption at the client device is offloaded from the security device to distribute decryption and encryption processes between the client device and the security device. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: October 2, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Hari Shankar, Jin Teng, Venkatesh Narsipur Gautam
  • Patent number: 10089897
    Abstract: A system and method are provided for treating excessive or problematic computer use. In at least one embodiment, a method is employed to treat excessive or problematic computer use by acquiring information about the unwanted user activity, monitoring user activity for the unwanted behavior, controlling the behavior when it occurs, enabling the user to record self-observations and evaluating the results. This method may employ a computer based system to treat excessive or problematic computer use which includes configuring a user activity monitor with constraints, programmatically enforcing those constraints, reporting the activities monitored and restricted, and enabling a user to input self-observations. Potential constraints include a complete bar on the user activity, as well as progressively decreasing the amount of time the user may engage in the activity, i.e. titrating the user activity.
    Type: Grant
    Filed: April 25, 2016
    Date of Patent: October 2, 2018
    Inventors: Joanne Walker, Saul Rosenthal
  • Patent number: 10091182
    Abstract: A computer-implemented system and method for pool-based identity authentication for service access without use of stored credentials is disclosed. The method in an example embodiment includes providing provisioning information for storage in a provisioning repository; receiving a service request from a service consumer, the service request including requestor identifying information; generating an authentication request to send to an authentication authority, the authentication request including requestor identifying information; receiving validation of an authenticated service request from the authentication authority; and providing the requested service to the service consumer.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: October 2, 2018
    Assignee: eBay Inc.
    Inventors: Raju Venkata Kolluru, Michael Dean Kleinpeter
  • Patent number: 10084814
    Abstract: A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: September 25, 2018
    Assignee: Nominum, Inc.
    Inventors: Ali Fakeri-Tabrizi, Thanh Nguyen, Hongliang Liu, Paul O'Leary, Mikael Kullberg, Iurii Iuzifovich, James Paugh, Robert S. Wilbourn
  • Patent number: 10079843
    Abstract: A method and system for processing network metadata is described. Network metadata may be processed by dynamically instantiated executable software modules which make policy-based decisions about the character of the network metadata and about presentation of the network metadata to consumers of the information carried by the network metadata. The network metadata may be type classified and each subclass within a type may be mapped to a definition by a unique fingerprint value. The fingerprint value may be used for matching the network metadata subclasses against relevant policies and transformation rules. For template-based network metadata such as NetFlow v9, an embodiment of the invention can constantly monitor network traffic for unknown templates, capture template definitions, and inform administrators about templates for which custom policies and conversion rules do not exist.
    Type: Grant
    Filed: July 9, 2016
    Date of Patent: September 18, 2018
    Assignee: NETFLOW LOGIC CORPORATION
    Inventors: William G. Friedman, Alexander Velednitsky
  • Patent number: 10079820
    Abstract: Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: September 18, 2018
    Assignee: Oracle International Corporation
    Inventors: Ashish Kolli, Mrudul Uchil, Josh Brunaugh, Dharmvir Singh
  • Patent number: 10068066
    Abstract: Contact information associated with a user is identified. Temporary contact information, exclusive of the contact information, is generated and associated with the user. Termination controls, configured to prevent use of the temporary contact information after the occurrence of an event, are generated and associated with the temporary contact information.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: September 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Donald L. Bryson, Eric V. Kline, Sarbajit K. Rakshit
  • Patent number: 10069860
    Abstract: A computing system may be protected from revoked system updates. A computing system receives an object and scans it for revocation updates to a security structure of the computing system. The security structure is a monotonically nondecreasing collection of segments containing data on whether a system update is revoked and a system update's status as revoked signifies the revoked system update can no longer be used by the computing system. Based upon scanning the object, the computing system identifies and validates a revocation update. The computing system resolves the revocation update by applying the revocation update to the security structure, by adding or changing one or more segments of the security structure identified by the revocation update, in response to determining that the revocation update is valid, or by denying application of the revocation update to the security structure in response to determining that the revocation update is invalid.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: September 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Michael D. Hocker, Brandon S. Johnson
  • Patent number: 10057264
    Abstract: An apparatus comprises a processing platform configured to communicate with a plurality of IoT devices over at least one network. The processing platform implements a security-as-a-service portal accessible to the IoT devices, the portal comprising an analytics engine configured to assign trust scores to respective ones of the IoT devices. The security-as-a-service portal provides authentication leveling functionality for the IoT devices based at least in part on the assigned trust scores. In accordance with the authentication leveling functionality, a first one of the IoT devices accesses the security-as-a-service portal to identify a level of authentication to be applied by the first IoT device in authenticating a second one of the IoT devices. The security-as-a-service portal may determine the authentication level to be applied by the first IoT device in authenticating the second IoT device based at least in part on the trust score assigned to the second IoT device.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: August 21, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Eslam ElNakib, Mohammed Hashem, Osama Salah
  • Patent number: 10051004
    Abstract: An evaluation system includes a network device, a gateway device, a policy evaluation device, and first and second control devices. The network device copies a packet received from the first control device and transmits to the gateway device and the policy evaluation device. The gateway device receives the copied packet, performs a first filtering based on the policy stored in a first policy storage unit, transmits the packet to the second control device while storing the result of the first filtering, and transmits the result of the stored first filtering to the policy evaluation device. The policy evaluation device receives the copied packet, performs a second filtering based on the policy stored in a second policy storage unit, stores the result of the second filtering, and evaluates the policy stored in the second policy storage unit based on the results of the two filterings.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: August 14, 2018
    Assignee: Hitachi, Ltd.
    Inventors: Hiroki Uchiyama, Yusuke Fujihara, Toru Owada, Makoto Kayashima, Satoshi Ohkubo, Jun Hamanaka