Patents Examined by D'Arcy Winston Straub
  • Patent number: 10911603
    Abstract: Embodiments of the present invention provide a service allocation method and apparatus. The method includes: firstly, generating, by a core network side device, a first dedicated network identifier according to an association relationship sent by user equipment UE, where the first dedicated network identifier is used to identify the association relationship; secondly, sending, by the core network side device, the first dedicated network identifier to the UE; receiving, by the core network side device, a service request message sent by the UE; and finally, allocating a service to the UE according to the service request message and the first dedicated network identifier. Because each wireless router has a unique first dedicated network identifier, the core network side device can provide, according to the first dedicated network identifier, a targeted service or tariff policy for UE corresponding to each wireless router.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: February 2, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Changzhu Li, Guangxue Sun
  • Patent number: 10862684
    Abstract: The present disclosure relates to technologies for sensor networks, machine to machine (M2M) communication, machine type communication (MTC), and Internet of Things (IoT). The present disclosure may be utilized for intelligent services based on the above technologies (smart homes, smart buildings, smart cities, smart or connected cars, health care, digital education, retail businesses, security and safety-related services). The present invention relates to a method and apparatus that, when a user equipment notifies its identification information using an unsecured connection, enable the user equipment to notify the identification information in a secure manner using a one-time password (OTP) algorithm and proximity authentication and to receive services customized to user needs.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: December 8, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Dohy Hong, Hyeonjin Kang, Ilju Na, Kitaek Bae
  • Patent number: 10855464
    Abstract: Methods, apparatus, systems and articles of manufacture to manage credentials in hyper-converged infrastructures are disclosed. An example method includes establishing, by executing an instruction with at least one processor, a communication between a software defined data center manager of the hyper-converged infrastructure and a component of the hyper-converged infrastructure using first credentials included in a known hosts file. The example method also includes generating, by executing an instruction with the at least one processor, second credentials at the component in response to a power-on event detected by the software defined data center manager. The example method also includes recording, by executing an instruction with the at least one processor, the second credentials at the known host file.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: December 1, 2020
    Assignee: VMWARE, INC.
    Inventor: Vishesh Kumar Nirwal
  • Patent number: 10848320
    Abstract: A device assists an embedded Universal Integrated Circuit Card (eUICC) resident in the device with verification of public key information or of security materials. The verification provided by the device can be configured by the user and/or by the eUICC. The verification includes checking for expiration of public key information or presence of an associated public key in a trusted list. The trusted list in some instances includes pinning hash values. The device can warn an end user and/or an infrastructure entity, of an issue if the verification fails. An extension of certificate revocation lists includes a logical indication of at least one new public key in a CRL list. A CRL data field may also indicate a previous CRL, where the previous CRL is the most recent CRL containing a public key listing with at least one new entry.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: November 24, 2020
    Assignee: Apple Inc.
    Inventor: Xiangying Yang
  • Patent number: 10839098
    Abstract: A router system includes a router, a memory storing a client program, and a processor configured to execute the client program. The client program is configured to enable a user to transfer a file from a source to a destination, determine whether data within the file includes sensitive information, determine a probability that transmission of the data from the source to the destination would violate a policy, send normal data packets to the router based on the file, and send a stop data packet to the router when the probability exceeds a threshold. The router forwards the normal data packets to the destination until the router receives the stop data packet.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: November 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jorgen Emil Borup, Marco Aurelio Stelmar Netto, Thiago Cesar Rotta, Sergio Varga
  • Patent number: 10833858
    Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, a secure encrypted communication tunnel between the enclave and a hardware security module (HSM) may be established and used. Establishing the tunnel includes the following steps. A session public/private enclave key pair, including a session enclave private key and a session enclave public key, may be derived from the public/private key pair of the enclave. The session enclave public key may be sent to the HSM. A session HSM public key may be received from the HSM. Additional information may be encrypted with the session HSM public key. The encrypted additional information may be sent to the HSM. Further encrypted information may be received from the HSM. The further encrypted information may be decrypted with the session enclave private key.
    Type: Grant
    Filed: May 11, 2017
    Date of Patent: November 10, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: John Marley Gray
  • Patent number: 10797874
    Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, a secure encrypted communication tunnel between the enclave and a hardware security module (HSM) may be established and used. Establishing the tunnel includes the following steps. A session public/private enclave key pair, including a session enclave private key and a session enclave public key, may be derived from the public/private key pair of the enclave. The session enclave public key may be sent to the HSM. A session HSM public key may be received from the HSM. Additional information may be encrypted with the session HSM public key. The encrypted additional information may be sent to the HSM. Further encrypted information may be received from the HSM. The further encrypted information may be decrypted with the session enclave private key.
    Type: Grant
    Filed: May 11, 2017
    Date of Patent: October 6, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: John Marley Gray
  • Patent number: 10790984
    Abstract: A method for user credential location using prefix matching is described. In one embodiment, the method may include enabling a user to generate remotely a cryptographic hash of a user credential of the user, receiving a portion of the cryptographic hash from the user, comparing the portion of the cryptographic hash with a plurality of cryptographic hashes of user credentials stored at a database, determining whether a match exists between the portion of the cryptographic hash and at least one of the plurality of cryptographic hashes, and transmitting a notification to the user indicating whether the user credential is stored at the database based at least in part on a result of the comparing.
    Type: Grant
    Filed: March 21, 2018
    Date of Patent: September 29, 2020
    Assignee: ALTIRIS, INC.
    Inventor: Adam J. Stiles
  • Patent number: 10783262
    Abstract: Embodiments of the present invention provide systems, methods, and computer storage media directed to facilitate identification of security policies for documents. In one embodiment, content features are identified from a set of documents having assigned security policies. The content features and corresponding security policies are analyzed to generate a security policy prediction model. Such a security policy prediction model can then be used to identify a security policy relevant to a document.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: September 22, 2020
    Assignee: ADOBE INC.
    Inventors: Tanya Goyal, Sanket Vaibhav Mehta, Balaji Vasan Srinivasan, Ankur Jain
  • Patent number: 10771496
    Abstract: Techniques for detecting suspicious file access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to folders, a set of the folders accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of folder access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a file of a folder that is not within the set of accessed folders of the issuing user's user group, and because the folder is not within the sets of accessed folders of any nearby user groups.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: September 8, 2020
    Assignee: Imperva, Inc.
    Inventors: Guy Shtar, Shiri Margel
  • Patent number: 10764260
    Abstract: The invention provides a system for encryptedly storing product data of a product having an attached tag centrally on a product data server, and reading out the centrally stored product data by production stations which are to process the product. The product data are encrypted with a document key which in turn is encrypted with a public key of the tag. The tag contains access information for the centrally stored product data. When a production station accesses product data on the product data server, the tag carries out a re-encryption of the document key from the key system of the tag to that of the accessing production station.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: September 1, 2020
    Assignee: Giesecke+Devrient Mobile Security GmbH
    Inventors: Frank-Michael Kamm, Volker Stöhr
  • Patent number: 10735965
    Abstract: A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: August 4, 2020
    Assignee: McAfee, LLC
    Inventors: Himanshu Srivastava, Dattatraya Kulkarni, Srikanth Nalluri, Krishnapur N. Venkatasubrahmanyam, Kamlesh Halder, Raj Vardhan
  • Patent number: 10708298
    Abstract: In general, some embodiments described herein relate to using agile or dynamic addresses for multicasting that may be difficult or impossible for a malicious actor to predict. Such agile addresses may prevent a malicious actor from attacking a single static multicast address and may prevent the architecture of the multicast network from propagating the attack. Data sent to invalid (e.g., expired, revoked, and/or otherwise depreciated addresses) can be filtered out and dropped from the network. For example, a first group key associated with a first time period can be calculated based on a first shared secret and a second group key associated with a second time period can be calculated based on a second shared secret. At any given time at least one group key can be an accepted group key. When a multicast address includes a currently accepted group key, the data can be sent to a group.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: July 7, 2020
    Assignee: Axiom, Inc.
    Inventor: Hugh William Harney
  • Patent number: 10673833
    Abstract: An information processing system includes a client device and a server device. The client device includes a transmitter that transmits, to the server device, a request to acquire information for connecting to an external device that provides an external service. The server device includes a storage that stores attributes of accounts of the external service, and the information for connecting to the external device by using the accounts; a receiver that receives the acquisition request from the client device; an identifier that identifies candidate accounts to be used when the client device receives the external service, the candidate accounts being identified based on information elements and the attributes, the information elements being included in the acquisition request and identifying the accounts; and a transmitter that transmits, to the client device, the information for connecting to the external device by using the identified candidate accounts.
    Type: Grant
    Filed: August 5, 2016
    Date of Patent: June 2, 2020
    Assignee: Ricoh Company, Ltd.
    Inventors: Shigeki Kashiyama, Hiroki Ohzaki, Masato Nakajima, Yasuharu Fukuda
  • Patent number: 10664589
    Abstract: A memory alignment randomization method of a memory heap exploit is provided, in which memory alignment of objects inside a heap area is randomly performed to mitigate the exploits of the vulnerability of the software memory heap area. The heap exploit is powerfully mitigated by aligning randomly obtained memory addresses instead of aligning memory addresses at multiples of 4 or 8 when the memory alignment for the objects inside the heap area is performed.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: May 26, 2020
    Assignee: Korea Advanced Institute of Science and Technology
    Inventors: Brent ByungHoon Kang, Daehee Jang, Minsu Kim, Jonghwan Kim, Daegyeong Kim, Hojoon Lee
  • Patent number: 10659234
    Abstract: In one embodiment, a computing device receives an image that has been signed with a first key, wherein the image includes a first computational value associated with it. A second computational value associated with the image is determined and the image is signed with a second key to produce a signed image that includes both the first and second computational values. Prior to loading the dual-signed image, the computing device attempts to authenticate the dual-signed image using both the first and second computational values, and, if successful, loads and installs the dual-signed image.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: May 19, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Kannan Varadhan, Chirag Shroff, Rakesh Chopra
  • Patent number: 10650156
    Abstract: Systems, methods, and computer program products to perform an operation comprising receiving, from an application executing on a system, a request to access a data file, receiving data describing the request, wherein the data describing the request includes data from a runtime stack of the application, wherein the data from the runtime stack includes a program statement number, identifying, in a protected memory block, a first rule for accessing the data file, wherein the first rule specifies a program statement number permitted to access the data file, and upon determining that the program statement number from the runtime stack does not match the program statement number specified in the first rule, restricting access to the data file by the application.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: May 12, 2020
    Assignee: International Business Machines Corporation
    Inventors: Mark J. Anderson, Scott Forstie, Jeffrey M. Uehling
  • Patent number: 10616185
    Abstract: Methods and a first node, a second node and a network node for managing traffic characteristics of one or more packets on a connection are disclosed. The first node exchanges, with the network node, traffic characteristic semantics and a common key for encryption of a traffic characteristic value to be applied for the one or more packets on the connection, wherein the traffic characteristic semantics include the traffic characteristic value and an associated characteristic for the one or more packets. Moreover, the first node sends the traffic characteristic value and the common key to the second node. The network node checks and applies the traffic characteristics value according to service policies of the network node. Next, the first node exchanges, with the second node, payload which includes one or more packets over the connection. Information about the traffic characteristic value is included in a transport header of each packet carrying the payload.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: April 7, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Attila Mihály, Szilveszter Nádas, Lars Westberg
  • Patent number: 10615959
    Abstract: A control circuit causes a first cryptographic module to perform a dummy operation in a command processing period and a data processing period in which a second cryptographic module performs a normal operation while the first cryptographic module does not perform a normal operation.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: April 7, 2020
    Assignee: MEGACHIPS CORPORATION
    Inventors: Takahiko Sugahara, Hiromu Yutani
  • Patent number: 10567380
    Abstract: Method and apparatus for allowing the changing of security values and consent data is provided. The security values allow for dynamically changing the security level and ease of access associated with performing specific transactions on specific accounts. The consent data may be pushed or pulled and when stored, may be used for future transactions, of both the same or a different type. The changing of security levels and consent data may be accomplished over the internet using mobile devices over both secure and non-secure networks.
    Type: Grant
    Filed: July 8, 2017
    Date of Patent: February 18, 2020
    Assignee: Bank of America Corporation
    Inventors: Elizabeth S. Votaw, David J. Smiddy, FNU Sidharth, Stephen T. Shannon, James Alexander