Patents Examined by Evans Desrosiers
  • Patent number: 11153313
    Abstract: Apparatus and methods for enabling protected premises networking capabilities. In one embodiment, a white list of devices authorized to access a premises network and a black list of devices not authorized to access a premises network are utilized. The black and white lists may be stored at a database in communication with an authorization manager or may be stored at the manager itself. When a client device is connected to a premise, the manager determines, based on the premises and/or device identity, whether the device is entitled to access. The authorization manager makes this determination based on whether the device is on the white or black list. If the device is on neither list, the manager may add the device to the white list upon appropriate verification. The manager may also facilitate removal of a device from the white list to the black list upon request or automatically.
    Type: Grant
    Filed: October 8, 2018
    Date of Patent: October 19, 2021
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: Chris Cholas, David Bell, George W. Sarosi, Jeffrey P. Markley
  • Patent number: 11146410
    Abstract: A method for authenticating a first device is disclosed. In one embodiment, the method includes the steps of: receiving a helper bit string from a second device that is remote from the first device; measuring a first response bit string of a physical unclonable function of the first device with respect to a challenge bit string; subtracting the first response bit string from the helper bit string; reconstructing a random matrix using a pseudo-random number generator initialized with a seed; and decoding a result of the subtraction using the random matrix, the shared secret bit string being provided from the decoding if the helper bit string was encoded using a previously measured second response bit string that is within a threshold level of similarity to the first response bit string, the decoding outputting an error value otherwise.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: October 12, 2021
    Assignee: Robert Bosch GmbH
    Inventors: Jorge Guajardo Merchan, Paulius Duplys, Christopher Huth
  • Patent number: 11146579
    Abstract: A cyber-physical system may have a plurality of monitoring nodes each generating a series of current monitoring node values over time representing current operation of the system. A data-driven features extraction computer platform may receive the series of current monitoring node values and generate current data-driven feature vectors based on the series of current monitoring node values. A residual features extraction computer platform may receive the series of current monitoring node values, execute a system model and utilize a stochastic filter to determine current residual values, and generate current residual-driven feature vectors based on the current residual values. An abnormal detection platform may then receive the current data-driven and residual-driven feature vectors and compare the current data-driven and residual-driven feature vectors with at least one decision boundary associated with an abnormal detection model.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: October 12, 2021
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Masoud Abbaszadeh, Fernando D'Amato
  • Patent number: 11146536
    Abstract: A management method for managing an identity of a first user during communication between a first web browser installed on a communication terminal of the first user and a second web browser installed on a communication terminal of a second user is disclosed. The method includes the first user obtaining at least one first data item characteristic of the second user. The method also includes associating an identity of the first user with the at least one first data item characteristic of the second user. The method also includes making the identity of the first user associated with the at least one first characteristic data item available to the second user on condition that the second user holds at least one second data item corresponding to the first data item characteristic of the second user.
    Type: Grant
    Filed: November 6, 2015
    Date of Patent: October 12, 2021
    Assignee: ORANGE
    Inventors: Victoria Beltran, Emmanuel Bertin
  • Patent number: 11138345
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media are provided. One of the methods includes: obtaining a request for collecting information associated with an Internet address; obtaining, in response to the request, the information from the Internet address; encrypting the information to obtain a digest; storing the digest in a block on a blockchain and the information in a cloud storage space associated with an access address; and sending, to a sender of the request, the digest and the access address associated with the cloud storage space.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: October 5, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Qimeng Zou, Linqing Wang, Haitao Jiang
  • Patent number: 11128637
    Abstract: The disclosed embodiments include systems and methods for implementing least-privilege access to, control of, and/or code execution on target network resources. Operations may include identifying a prompt associated with a least-privilege requesting identity to initiate a remote session on a target network resource; executing, in response to the prompt, a first agent; retrieving, from a secure storage location, a second agent; initiating, by the first agent, execution of the second agent on the target network resource, wherein the second agent executes using a least-privilege credential or using least-privilege permissions associated with the least-privilege requesting identity; and instructing the second agent to perform an action remotely on the target network resource through the remote session using the least-privilege credential or using the least-privilege permissions.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: September 21, 2021
    Assignee: CYBERARK SOFTWARE LTD.
    Inventor: Tomer Dayan
  • Patent number: 11128469
    Abstract: Implementations efficiently verify an identity claim for an entity. An example method includes receiving a query key and a property identifying an entity and identifying a possible match for the property from graph access records, the possible match being a node in an identity chain. The method also includes verifying a complete chain from the possible match to a genesis node in the chain. The query key is used to find a next node in the chain. Failure to identify the genesis node results in an unsuccessful verification. The method also includes generating a response that indicates a successful verification request responsive to locating the genesis node and generating a response that indicates an unsuccessful verification request otherwise.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: September 21, 2021
    Assignee: DrFirst.com, Inc.
    Inventor: Zilong Tang
  • Patent number: 11126743
    Abstract: A system for accessing data includes an interface and a processor. The interface is configured to receive a request to move stored data to a new location and requestor information. The stored data comprises sensitive data. The processor is configured to determine whether read access, storage access, and deletion access are allowed based at least in part on the requestor information; in the event that read access, storage access, and deletion access are allowed: read the sensitive data at an original location using an original token, store the sensitive data to the new location and receive a new token associated with the new location, and delete the original token and the sensitive data at the original location.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: September 21, 2021
    Assignee: Workday, Inc.
    Inventors: Jonathan David Ruggiero, Bjorn Hamel, Darius Kasad
  • Patent number: 11128666
    Abstract: Examples for detecting a compromised device are described. A set of threat detection rules can instruct an application on the client device how to detect whether the client device is compromised. The rules can be updated dynamically and without updating the application that is performing the compromise detection. The rules can be encoded in an interpreted scripting language and executed by a runtime environment that is embedded within the application.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: September 21, 2021
    Assignee: VMware, Inc.
    Inventors: Simon Brooks, Daniel E. Zeck, Xinpi Du, Ali Mohsin, Kishore Sajja, Nikhil Mehta
  • Patent number: 11128476
    Abstract: A Domain Name System (DNS) provider that is not a registrar of a domain name may nonetheless request a registry (possibly via an API request from the registrar to the registry, or via a call directly to the registry) to alter a Delegation Signer (DS) record in a DNS parent zone or other data controlled by the registry. The registry preferably confirms that the DNS provider has control over a nameserver for the domain name. Using Public Key Infrastructure (PKI), the DNS provider may sign the request with a private key and store the public key in a location that confirms the DNS provider has control over the domain name or over the nameservers for the domain name. After successfully confirming the DNS provider, the registrar or registry may change the DS record so that the domain name supports Domain Name System Security Extensions (DNSSEC) or update other data with the registry.
    Type: Grant
    Filed: March 23, 2016
    Date of Patent: September 21, 2021
    Assignee: Go Daddy Operating Company, LLC
    Inventors: Arnold Neil Blinn, Christopher Ambler
  • Patent number: 11115222
    Abstract: A method for securely registering a removable electrical device includes steps consisting in: a) prior to the installation of a new removable electrical device within an electrical system in order to replace a faulty removable electrical device, acquiring a first security certificate for the new device, this first certificate being signed by an authority known to the system; b) verifying the authenticity of the first acquired security certificate, this verification being carried out by the electronic control module; c) generating a second security certificate for the new removable electrical device, including a key generated by the electronic computer of the new device; d) obtaining a signature for the second security certificate from a trusted certification authority, the new device then being registered within the system only if this signature is obtained.
    Type: Grant
    Filed: October 4, 2018
    Date of Patent: September 7, 2021
    Assignee: Schneider Electric Industries SAS
    Inventor: Michel Moulin
  • Patent number: 11115431
    Abstract: Methods and systems for identifying a network vulnerability. The system may gather data regarding a new or previously unknown network device, and compare the gathered data to one or more known devices that are scanned by a vulnerability assessment device. The vulnerability assessment device may then scan the previously unknown device upon a processor determining the previously unknown device shares at least one feature with a known device that is scanned.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: September 7, 2021
    Assignee: Rapid7, Inc.
    Inventors: Justin Pagano, Roy Hodgman
  • Patent number: 11106828
    Abstract: Provided is a method and apparatus for providing a cryptographic security function for the operation of a device, and to an associated computer program (product). The method for providing a cryptographic security function for the operation of a device carries out the following steps: receiving a request to provide such a security function, providing an interface to a point providing such a security function, said point being called a trust anchor, wherein said interface determines context information in accordance with the application initiating the request, providing the requested security function for the application initiating the request, wherein the determined context information influences the provision of said security function.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: August 31, 2021
    Inventors: Rainer Falk, Dominik Merli, Stefan Pyka
  • Patent number: 11108825
    Abstract: Managed real-time communications between user devices may be provided. Upon receiving a request to instantiate a communication connection from an application, a secure session may be established between the application and a remote application. Input from a user of the application may be received, subjected to at least one management policy, and transmitted to the remote application.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: August 31, 2021
    Assignee: AirWatch LLC
    Inventors: Erich Stuntebeck, Evan Hurst
  • Patent number: 11101992
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for securely performing cryptographic operations. One of the methods includes receiving biometric information associated with a user and a request to perform one or more cryptographic operations based on one or more cryptographic keys stored in a memory of an identity cryptographic chip (ICC); comparing the biometric information associated with the user with biometric information pre-stored in the memory of the ICC as pre-stored biometric information; and in response to determining that the biometric information matches the pre-stored biometric information, authorizing the one or more cryptographic operations to be performed.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: August 24, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Zhiyuan Feng, Yanpeng Li, Long Cheng
  • Patent number: 11095619
    Abstract: A system may include a first network device configured to communicate via an encrypted session, and a second network device configured to communicate with the first network device via the encrypted session, where the second network device may be configured to perform operations to facilitate communication via the encrypted session. The operations may include receive a first set of data from a device other than the first network device, where the first set of data is used to communicate via the encrypted session. The operations may also include combine peer-to-peer information to be used by the first network device to communicate via the encrypted session to an encrypted packet, where the peer-to-peer information is combined with the encrypted packet in an unencrypted form. The operations may additionally include send the encrypted packet with the peer-to-peer information to the first network device.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: August 17, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Mark Carrel, Praveen Raju Kariyanahalli
  • Patent number: 11095636
    Abstract: The disclosed computer-implemented method for protecting passwords may include (i) intercepting network traffic indicating an attempted login procedure at a workload device to login to a protected resource, (ii) prompting a user, in response to intercepting the network traffic, and at an authentication device that has been registered to the user, to indicate whether to approve the attempted login procedure, (iii) collecting, at the authentication device, a credential for the attempted login procedure that was stored in a protected vault of the authentication device, (iv) providing, by the authentication device to the workload device, an authentication decision based on the collected credential, and (v) injecting, at the workload device, the authentication decision into a browser session to enable the user to complete the attempted login procedure to login to the protected resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: August 17, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Ilya Sokolov, Keith Newstadt
  • Patent number: 11093611
    Abstract: A method and system for the deployment of deceptive decoy elements in a computerized environment to identify data leakage processes invoked by suspicious entities are presented. The method includes generating at least one deceptive decoy element; and deploying the generated at least one deceptive decoy element in a folder in a file system of the computerized environment, wherein the deployment is based on a sensitivity level of the folder, wherein the at least one deceptive decoy element is configured to provide an indication of unauthorized access upon an attempt by an unauthorized entity to access the folder.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: August 17, 2021
    Assignee: Itsmine LTD.
    Inventors: Kfir Kimhi, Ran Norman, Guy Ben Mayor
  • Patent number: 11095611
    Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.
    Type: Grant
    Filed: October 1, 2018
    Date of Patent: August 17, 2021
    Assignee: Illumio, Inc.
    Inventor: Juraj George Fandli
  • Patent number: 11086993
    Abstract: The invention relates to a system for protecting IoT devices from malicious code, which comprises: (a) a memory extracting module at each of said IoT devices, for extracting a copy of at least a portion of the memory content from the IoT device, and sending the same to an in-cloud server; and (b) an in-cloud server for receiving said memory content, and performing an integrity check for a possible existence of malicious code within said memory content.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: August 10, 2021
    Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici