Patents Examined by Christopher Ruprecht
  • Patent number: 9906529
    Abstract: A relay apparatus includes a memory that stores right information indicating a right to access a service providing apparatus, a first retrieval unit that retrieves, from a client apparatus, identification information of a user registered in the service providing apparatus that is a target of an access request from the client apparatus, and an access unit that accesses the service providing apparatus as the target using the identification information retrieved by the first retrieval unit instead of the right information stored on the memory if the right information to access the service providing apparatus as the target is not valid.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: February 27, 2018
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Kazumoto Shinoda
  • Patent number: 9716723
    Abstract: Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.
    Type: Grant
    Filed: October 20, 2015
    Date of Patent: July 25, 2017
    Assignee: Nant Holdings IP, LLC
    Inventor: Thomas Wittenschlaeger
  • Patent number: 9646153
    Abstract: A method and system is provided for securing content from malicious shaders. The method includes determining the content the shader is to execute. A signature of the shader is verified in response to the shader attempting to execute on protected content. In response to the shader being verified, it is verified that the shader has not been modified. The shader is executed in response to not being modified.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: May 9, 2017
    Assignee: Intel Corporation
    Inventors: Scott Janus, Brian Scully, Sanjay S. Nair, Gaurav Kumar
  • Patent number: 9614815
    Abstract: Methods, apparatus, and systems for securing the interactions of a user with an application using a Bluetooth enabled authentication device are disclosed.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: April 4, 2017
    Assignee: VASCO DATA SECURITY, INC.
    Inventors: Benoit Grange, Johan Verrept, Mathias Claes
  • Patent number: 9589134
    Abstract: Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: March 7, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Omer Tripp
  • Patent number: 9578030
    Abstract: There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field. The method comprises: upon specifying atomic elements constituting an extrinsic space corresponding to the at least one extrinsic field, partitioning, by a processor, the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class; mapping, by the processor, said equivalence classes over the rule-set; and analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the rule-set.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: February 21, 2017
    Assignee: TUFIN SOFTWARE TECHNOLOGIES LTD.
    Inventor: Yoni Lavi
  • Patent number: 9552492
    Abstract: A proxy server creates an index of keywords, receives an encrypted record, decrypts the received encrypted record as decrypted data and, when a keyword in the index is encountered in the decrypted data, associates in the index an encrypted record location identifier with the encountered keyword. The proxy server receives a search query and uses the keyword index to retrieve encrypted records from the server. The encrypted records are decrypted and sent as search results in response to the search query.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: January 24, 2017
    Assignee: Bitglass, Inc.
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik
  • Patent number: 9548861
    Abstract: A service provider device includes key generation means, which generates a service public key for encrypting data and a secret key, and proxy key generation means, which inputs the service public key and the secret key and generates a proxy key. A data registration device includes encrypted data generation means, which generates encrypted data upon input of the service public key and data, and stores the generated encrypted data in a database. Proxy devices each includes encrypted portion statistical data generation means, which generates encrypted portion statistical data upon input of the proxy key with respect to the encrypted data stored in the database. An integrated data generation device includes encrypted statistical data generation means, which inputs the encrypted portion statistical data from each of the proxy devices, generates encrypted statistical data, and stores the generated encrypted statistical data in an integrated data storage device.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: January 17, 2017
    Assignee: NEC Corporation
    Inventor: Toshiyuki Isshiki
  • Patent number: 9536059
    Abstract: One embodiment provides a system that facilitates redistribution of content objects with a different name without requiring re-computation of the original authentication information. During operation, the system determines, by a content producing device, an original manifest which indicates at least an original name associated with a content object, wherein the name is a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level. The system renames the content object with a new name. The system also creates a new manifest which indicates the new name, wherein the new manifest includes original authentication information associated with the original manifest.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: January 3, 2017
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Ignacio Solis, Marc E. Mosko, Ersin Uzun
  • Patent number: 9531534
    Abstract: According to an embodiment, a generating device includes a first key generator, a second key generator, an output unit, and an update unit. The first key generator is configured to generate a first key that is a sequence of bits according to a first key rule on the basis of a random number. The second key generator is configured to generate multiple second keys that are sequences of bits partially having correlation with one another according to a second key rule on the basis of the first key. The output unit is configured to output the first key and at least one of the second keys. The update unit is configured to generate update information for updating a second key by updating a partial sequence of the second key, the partial sequence having no correlation with the other second keys not to be updated.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: December 27, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Tsukasa Omino, Yuichi Komano
  • Patent number: 9526024
    Abstract: Concepts and technologies are disclosed herein for personal virtual core networks. A processor executing a network access service can determine if the user device should be isolated from a core network that provides devices at a location with connectivity. If the processor determines that the user device should be isolated, the processor can identify resources supporting the connectivity. The resources can include network resources and the core network. The processor can create a virtual core network to support the connectivity, and activate the virtual core network.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: December 20, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Andrea Forte
  • Patent number: 9525556
    Abstract: A method for issuing a certificate signing request (CSR) certificate in a vehicle-to-anything (V2X) communication environment includes: receiving, at a first server, a certificate issuance request message including vehicle identification information transmitted from a communication module of the vehicle; determining, by a second server, whether a CSR certificate corresponding to the vehicle identification information has already been issued with reference to a database; and determining, by the second server, whether to issue the corresponding CSR certificate or whether to generate an error message, based on the determination of whether the corresponding CSR certificate has already been issued.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: December 20, 2016
    Assignees: Hyundai Motor Company, Penta Security System Inc.
    Inventors: Jong Rok Park, Cho Rong Ryu, Dae Sung Hwang, Su Lyun Sung, Dong Gyu Noh, Hahk Rel Noh, Duk Soo Kim, Sang Gyoo Sim, Eun Ho Shin, Jung Bai Kim, Byung Gwan Kim, Seok Woo Lee, You Sik Lee
  • Patent number: 9519780
    Abstract: A computer-implemented method for identifying malware may include (1) determining, for multiple commands within bytecode associated with a malware program, whether each command constitutes an invocation command, (2) filtering, based on the determination, invocation commands from the bytecode, (3) adding, for each invocation command filtered from the bytecode, an opcode, a format code, and a function prototype to a collection of opcodes, format codes, and function prototypes, (4) generating a digital fingerprint of the collection including the opcode, the format code, and the function prototype for each invocation command filtered from the bytecode, and (5) performing, by a computer security system, a remedial action to protect a user in response to detecting the presence of a variant of the malware program by determining that the digital fingerprint matches a candidate instance of bytecode under evaluation. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: December 13, 2016
    Assignee: Symantec Corporation
    Inventor: Jiang Dong
  • Patent number: 9521126
    Abstract: While cloud services can offer processing from personal devices or synthesized data from multiple sources, many users prefer their data to remain private. According to some embodiments, private user data may be processed in the cloud without revealing the user identity to the cloud service provider. Only the user or an authorized agent of the user and the service's hardware platform have access to certain keys. The service application software and operating system only have access to encrypted data.
    Type: Grant
    Filed: August 21, 2013
    Date of Patent: December 13, 2016
    Assignee: Intel Corporation
    Inventors: Mark D. Yarvis, Joshua Boelter, Sharad K. Garg, Hong Li
  • Patent number: 9501664
    Abstract: Techniques and mechanisms to detect and compensate for drift by a physically uncloneable function (PUF) circuit. In an embodiment, first state information is registered as reference information to be made available for subsequent evaluation of whether drift by PUF circuitry has occurred. The first state information is associated with a first error correction strength. The first state information is generated based on a first PUF value output by the PUF circuitry. In another embodiment, second state information is determined based on a second PUF value that is output by the PUF circuitry. An evaluation of whether drift has occurred is performed based on the first state information and the second state information, the evaluation including determining whether a threshold error correction strength is exceeded concurrent with a magnitude of error being less than the first error correction strength.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: November 22, 2016
    Assignee: Sandia Corporation
    Inventor: Jason Hamlet
  • Patent number: 9491198
    Abstract: A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. An obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: November 8, 2016
    Assignee: SAP SE
    Inventors: Laurent Gomez, Slim Trabelsi
  • Patent number: 9473558
    Abstract: A method and system for utilizing target browsers. A client program is executed, which includes: (i) receiving a selection of at least one target browser by a user at a user interface at a first terminal, wherein the user interface displays two or more target browsers for each group of target browsers of two or more groups of target browsers from which the user has selected the at least one target browser; (ii) generating a message that includes the selected at least one target browser; and (iii) sending the message to a server.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: October 18, 2016
    Assignee: International Business Machines Corporation
    Inventor: Atsushi Noguchi
  • Patent number: 9471790
    Abstract: Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Omer Tripp
  • Patent number: 9460283
    Abstract: Portable information handling systems dynamically allocate resources to anti-malware functions based upon available resources and threat status. Dynamic allocation of resources to anti-malware functions provides a timely and targeted response to specific threats with resources dedicated based upon availability and the impact on other information handling system functions. An adaptive mobile integrity validation system interfaces with plural portable information handling systems to selectively update anti-malware settings as threats emerge.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: October 4, 2016
    Assignee: DELL PRODUCTS L.P.
    Inventors: Nicholas Gnesda, Abhay Salunke
  • Patent number: 9444801
    Abstract: An example technique is provided for authenticating a first communication session. The technique includes receiving an indication that a first network device has established a first communication session with a user-side device. A second network device authenticates the first communication session by establishing a second communication session via session initiation protocol (SIP) or voice over Internet protocol (VoIP) communication with the user-side device before the user-side device directs a user password to the first network device in the first communication session. Also, private identification information of the user is retrieved from a database and sent to the user-side device in the second communication session. The user-side device compares the private identification information received in the second communication session to locally stored private identification information to determine whether the received private identification information matches.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: September 13, 2016
    Assignee: Alcatel Lucent
    Inventors: Yutang Luo, Yaoxian Zhang, Margi Rinaldo