Patents Examined by Ellen Tran
  • Patent number: 10104132
    Abstract: Systems and methods for joining a device to a fabric using an assisting device include an indication to add a joining device to a fabric. If the joining device supports network-assisted fabric pairing, a first connection is established between a commissioning device and the assisting device. The assisting device also connects to a joining device. Through the assisting device, the commissioning device and the joining device establish a communication channel over which fabric credentials may be sent.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: October 16, 2018
    Assignee: Google LLC
    Inventors: Jay D. Logue, Andrew William Stebbins, Roger Loren Tinkoff
  • Patent number: 10091648
    Abstract: A novel key management approach is provided for securing communication handoffs between an access terminal and two access points. As an access terminal moves from a current access point to a new access point, the access terminal sends a short handoff request to the new access point. The short handoff request may include the access terminal ID; it does not include the access point ID. The new access point may then send its identifier and the access terminal's identifier to the authenticator. Using a previously generated master transient key, the access point identifier and the access terminal identifier, an authenticator may generate a master session key. The master session key may then be sent to the access point by the authenticator. The access terminal independently generates the same new security key with which it can securely communicate with the new access point.
    Type: Grant
    Filed: April 24, 2008
    Date of Patent: October 2, 2018
    Assignee: QUALCOMM Incorporated
    Inventor: Michaela Vanderveen
  • Patent number: 10085148
    Abstract: A novel key management approach is provided for securing communication handoffs between an access terminal and two access points. An access terminal establishes a secure communication session with a first access point based on a first master session key based on a master transient key. The access terminal obtains a second access point identifier associated with a second access point and sends a message associated with a handoff to either the first access point or the second access point. The access terminal generates a second master session key based on at least the master transient key and the second access point identifier. The second master session key is used for secure communications with the second access point in connection with an intra-authenticator handoff from the first access point to the second access point. The access terminal then moves the secure communication session to the second access point.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: September 25, 2018
    Assignee: QUALCOMM Incorporated
    Inventor: Michaela Vanderveen
  • Patent number: 10075464
    Abstract: A security system detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: September 11, 2018
    Assignee: PALANTIR TECHNOLOGIES INC.
    Inventors: Maxim Kesin, Samuel Jones
  • Patent number: 10063532
    Abstract: Provided is an authentication apparatus that performs user authentication using a wearable terminal worn by a user, thereby allowing high security to be achieved. It includes a storage part that stores a piece of authentication information in which a piece of terminal information that identifies the wearable terminal worn by the user is registered, a communication part that communicates with the wearable terminal worn by the user to acquire a piece of terminal information, and an authenticating part that performs user authentication in the case where the same piece of terminal information as that registered in the authentication information has been acquired by the communication part.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: August 28, 2018
    Assignee: KYOCERA Document Solutions Inc.
    Inventor: Takanori Shiraishi
  • Patent number: 10049232
    Abstract: A rewrite detection system, a rewrite detection device and an information processing device can detect unauthorized rewrite to a program or data stored in a storage unit of the information processing device. A rewrite detection device generates a random seed and transmits it to an ECU and a server device. The ECU calculates a hash value using a predetermined hash function on the basis of the received random seed and the storage content of the storage unit, and transmits the hash value to the rewrite detection device. The server device transmits an expectation in response to an inquiry from the rewrite detection device. The rewrite detection device determines whether unauthorized rewrite to a program or data in the ECU has been performed or not in accordance with whether the expectation received from the server device and the hash value received from the ECU coincide with each other or not.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: August 14, 2018
    Assignees: NATIONAL UNIVERSITY CORPORATION NAGOYA UNIVERSITY, AUTONETWORKS TECHNOLOGIES LTD., SUMITOMO WIRING SYSTEMS, LTD., SUMITOMO ELECTRIC INDUSTRIES, LTD.
    Inventors: Hiroaki Takada, Hiroki Takakura, Yukihiro Miyashita, Satoshi Horihata, Hiroshi Okada, Naoki Adachi
  • Patent number: 10019577
    Abstract: Systems and methods for hardware hardened advanced threat protection are described. In some embodiments, an Information Handling System (IHS) may include a processor; and a Basic Input/Output System (BIOS) coupled to the processor, the BIOS having BIOS instructions stored thereon that, upon execution, cause the IHS to: launch an Extensible Firmware Interface (EFI) gateway module; and determine, using the EFI gateway module, whether the BIOS instructions include malware.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: July 10, 2018
    Assignee: Dell Products, L.P.
    Inventors: Charles D. Robison, Chad R. Skipper, Daniel L. Hamlin
  • Patent number: 10019595
    Abstract: A system and method enabling information access control of the sensitive information, based on a trust computing platform is provided. The trustworthiness of the information seekers is computed and accordingly the information owner is capacitated to decide upon sharing the information completely or sharing with some perturbation. The objective is to provide the information owner with the ability to decide on sharing its private data with respect to a parameter so that the decision is less subjective. This invention allows minimum leakage of sensitive data and makes information owner aware of the risk of privacy breach when private data is shared.
    Type: Grant
    Filed: December 26, 2013
    Date of Patent: July 10, 2018
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Arijit Ukil, Joel Joseph, Vijayanand Banahatti, Sachin Lodha
  • Patent number: 10003598
    Abstract: Systems, computer program products, and methods are described herein for a model framework and system for cyber security services. The present invention is configured to determine one or more access paths to the internal computing device from an external computing device; determine one or more controls associated with each access path; determine one or more types of access that may be made via one or more of the access paths by the external computing device to access the internal computing device; determine whether the one or more controls associated with the at least one of the one or more access paths is capable of detecting the access; determine one or more tools configured to regulate the one or more controls; and incorporate the one or more tools within the network to regulate the one or more controls to detect and monitor the access.
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: June 19, 2018
    Assignee: Bank of America Corporation
    Inventors: John Howard Kling, Mark Earl Brubaker, Cora Yan Quon, Rachel Yun Kim Bierner, Armen Moloian, Ronald James Kuhlmeier
  • Patent number: 9996683
    Abstract: Methods and systems are provided for facilitating the secure entry of a user's PIN for electronic transactions such as merchant checkout, payment authorization, or access authorization. A physiological response of the user can indicate which one of a random sequence of numbers is a number of the user's PIN. For example, the user can blink, wink, or make a subtle facial movement to provide the indication.
    Type: Grant
    Filed: June 8, 2015
    Date of Patent: June 12, 2018
    Assignee: PAYPAL, INC.
    Inventors: William Joseph Leddy, Bjorn Markus Jakobsson
  • Patent number: 9979747
    Abstract: Techniques for detecting device type spoofing. The techniques include: receiving a communication from a client device different from the at least one computer; identifying from the communication an asserted type of the client device; and verifying the asserted type of the client device at least in part by: interacting with the client device to obtain additional information about the client device, and determining whether the additional information about the client device is consistent with the asserted type of the client device.
    Type: Grant
    Filed: September 4, 2016
    Date of Patent: May 22, 2018
    Assignee: Mastercard Technologies Canada ULC
    Inventors: Christopher Everett Bailey, Randy Lukashuk, Gary Wayne Richardson
  • Patent number: 9973498
    Abstract: Virtual smart card system includes a virtual smart card server (VSS) which controls access to content respectively associated with a plurality of virtual smart cards. A remote client computer system includes a system level agent which establishes the client computer machine to the VSS as a trusted computer system. A user level agent at the client computer system responds to a request for a virtual smart card operation by causing the client computer system to obtain user authentication information, negotiate with the system level agent to obtain a cookie, and initiate a request to the VSS for the virtual smart card operation. The VSS will perform the virtual smart card operation provided that a security policy is satisfied and will communicate the results to the user level agent.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: May 15, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: David Lloyd, Andrew Innes
  • Patent number: 9965915
    Abstract: A system for authentication of paper sheet and other articles includes an optical sensor configured to generate an image of a first side of an article and a processor operatively connected to the optical sensor. The processor is configured to generate an image of the article with the optical sensor, the image including features that are illuminated by an external illumination source through the article, and generate an output indicating if the article is authentic in response to the features corresponding to a predetermined plurality of features that are generated from another image of the article corresponding to features in the generated image and in response to a cryptographic signature corresponding to feature data that are extracted from the other image corresponding to a valid cryptographic signature of a predetermined party.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: May 8, 2018
    Assignee: Robert Bosch GmbH
    Inventors: Jorge Guajardo Merchan, Charu Hans
  • Patent number: 9967624
    Abstract: A method and system utilizing proximity information in managing digital rights is provided. An example method includes receiving a request to access a content item at an electronic device, determining proximity information using at least one processor, the proximity information indicating proximity of the electronic device to a designated base electronic device and using the proximity information for granting or denying access to the content item.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: May 8, 2018
    Assignee: ADOBE SYSTEMS INCORPORATED
    Inventor: Eric Ha
  • Patent number: 9967284
    Abstract: A processing device (10) includes a policy evaluation module (131) for evaluating policies associated with an item of data or an application and a dynamic context determination module (133) for determining contextual information associated with the current context of operation of the device and for providing the thus determined contextual information to the policy evaluation module. The device (10) further includes a policy enforcement module (135) for enforcing the evaluation specified by the policy evaluation module (131), wherein the device is operable to cause the policy evaluation module to evaluate a policy associated with an item of data or an application whenever the associated item of data or application is invoked and, additionally, whilst the associated item of data or application is active on the device and a notification of a change in the determined contextual information is received by the policy evaluation module.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: May 8, 2018
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Yair Diaz-Tellez, Fadi El-Moussa, Theo Dimitrakos, Abdullahi Arabo
  • Patent number: 9954866
    Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: April 24, 2018
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory Branchek Roth, Eric Jason Brandwine, Nathan R. Fitch, Cristian M. Ilac, Eric D. Crahen
  • Patent number: 9948730
    Abstract: A method of operation of a social network system includes: receiving a service request for accessing a peripheral device revealed through a social graph of a social platform; determining a request type for matching the service request to a device service provided by the peripheral device; authorizing the device service through the social graph for accessing the peripheral device; and generating a service command based on the request type of the device service authorized for executing the device service for the peripheral device.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: April 17, 2018
    Assignee: S-PRINTING SOLUTION CO., LTD.
    Inventor: Ramon Rubio
  • Patent number: 9935925
    Abstract: Some embodiments are directed to a cryptographic method for providing an electronic first device, an electronic second device and an electronic intermediary device, the cryptographic method establishing a cryptographically protected communication channel between the first device and the second device. The method comprises establishing a session identifier (SID) between the first device and the intermediary device. The first device sends the session identifier and a first key element to the second device over an out-of-band channel. The second device sends a registration message comprising the session identifier to the intermediary device. The first and derived at the first and second device.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: April 3, 2018
    Assignee: INTRINSIC ID B.V.
    Inventors: Derk Jan Meuleman, Roel Maes, Geert Jan Schrijen
  • Patent number: 9928384
    Abstract: A method (and system) for detecting intrusions to stored data includes creating a point-time-copy of a logical unit, and comparing at least a portion of the point-time-copy with a previous copy of the logical unit. The method (and system) monitors access to a data storage system and detects an intrusion or any other intentional or unintentional, unwanted modification to data stored in the data storage system. The method (and system) also recovers data once an intrusion or other unwanted modification is detected.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: March 27, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bulent Abali, Mohammad Banikazemi, Dan Edward Poff
  • Patent number: 9917852
    Abstract: Techniques for Domain Generation Algorithm (DGA) behavior detection are provided. In some embodiments, a system, process, and/or computer program product for DGA behavior detection includes receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses at a security device; and applying a signature to the passive DNS data to detect DGA behavior, in which applying the signature to the passive DNS data to detect DGA behavior further comprises: parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: March 13, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Wei Xu, Xin Ouyang