Patents Examined by Gilberto Barron, Jr.
  • Patent number: 9135441
    Abstract: A disclosed method includes determining modifications have been made to a program and deriving data flow seeds that are affected by the modifications. The method includes selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications and performing a security analysis on the program. The security analysis includes tracking flows emanating from the selected data flow seeds to sinks terminating the flows. The method includes outputting results of the security analysis. The results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds. At least the deriving, selecting, and performing are performed using a static analysis of the program. Apparatus and program products are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: September 15, 2015
    Assignee: International Business Machines Corporation
    Inventors: Omer Tripp, Marco Pistoia, Salvatore A. Guarnieri
  • Patent number: 9137262
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: September 15, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Olivier Andre, Shafaq Abdullah
  • Patent number: 9130934
    Abstract: A service controller includes a network interface for coupling to a local area network of a hospitality establishment, and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device on a local area network of a hospitality establishment, determine whether a guest of the hospitality establishment is associated with the device identifier, and automatically activate a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: September 8, 2015
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventors: Peter S. Warrick, Joshua M. Wookey, David T. Ong, Ian S. McBeth, Darren T. Ziebart, Andrew T. MacMillan
  • Patent number: 9129110
    Abstract: An improved approach for classifying computer files as malicious (malware) or benign (whiteware) is disclosed. The invention classifies any computer file as malware or whiteware after using Bayes Theorem to evaluate each observable feature of each file with respect to other observable features of the same computer file with reference to statistical information gathered from repositories of known whiteware and malware files.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: September 8, 2015
    Assignee: The United States of America as represented by the Secretary of the Air Force
    Inventors: Mark L. Mason, Ming-Shih Wong, Jeffrey A. Rhines, Josh Mitchell
  • Patent number: 9124581
    Abstract: An industrial automation system comprising a digital fingerprint that is allocated to a unit requesting access to the automation system and which is based on one or more parameters of a communication between the unit and a fingerprint-determining component of the automation system, wherein the industrial automation system additionally comprises the fingerprint-determining component which, during the operation of the automation system, grants the requesting unit access to the automation system and compares the determined fingerprint of the requesting unit with a stored fingerprint.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: September 1, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Yahya Akil, Jörg Müller
  • Patent number: 9125049
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for configuring secure wireless networks. One of the methods includes receiving, at a security system management device, protocol and key information for establishing a connection as a client device to the wireless IP device, wherein the protocol and key information is received in response to a user transmitting an identifier for the IP device to a service provider system; establishing communication with the wireless IP device, wherein the wireless IP device is acting as an access point device; exchanging keys with the wireless IP device; rebooting the security system management device to become an access point for the secure wireless network; and establishing communication with the wireless IP device, wherein the wireless IP device has become a wireless client.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 1, 2015
    Assignee: Oplink Communications, Inc.
    Inventors: Longgang Huang, Keqin Gu, Tsungyen Chen, Yan Qi
  • Patent number: 9122873
    Abstract: Trustworthy systems require that code be validated as genuine. Most systems implement this requirement prior to execution by matching a cryptographic hash of the binary file against a reference hash value, leaving the code vulnerable to run time compromises, such as code injection, return and jump-oriented programming, and illegal linking of the code to compromised library functions. The Run-time Execution Validator (REV) validates, as the program executes, the control flow path and instructions executed along the control flow path. REV uses a signature cache integrated into the processor pipeline to perform live validation of executions, at basic block boundaries, and ensures that changes to the program state are not made by the instructions within a basic block until the control flow path into the basic block and the instructions within the basic block are both validated.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: September 1, 2015
    Assignee: The Research Foundation for the State University of New York
    Inventor: Kanad Ghose
  • Patent number: 9122883
    Abstract: The embodiments of the present invention relate to controlling interactions between one or more components of a computer system, where each component is assigned a fixed security level and all currently active and newly requested interactions between components of the system are monitored.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: September 1, 2015
    Assignee: GE Aviation Systems Limited
    Inventor: Christopher James Slyfield
  • Patent number: 9118718
    Abstract: Techniques for managing network connections are described. An apparatus may comprise a communications component operative to manage a connection for a client, the connection routed over a network and a traffic analysis component operative to determine one or more characteristics of the routing of the connection. Other embodiments are described and claimed.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: August 25, 2015
    Assignee: INTEL CORPORATION
    Inventors: Scott A. Krig, Madan Venugopal, Vishwa Hassan
  • Patent number: 9118639
    Abstract: Generally, this disclosure describes a system and method for trusted data processing in the public cloud. A system may include a cloud server including a trusted execution environment, the cloud server one of a plurality of cloud servers, a cloud storage device coupled to the cloud server, and a RKM server including a key server module, the RKM server configured to sign the key server module using a private key and a gateway server configured to provide the signed key server module to the cloud server, the trusted execution environment configured to verify the key server module using a public key related to the private key and to launch the key server module, the key server module configured to establish a secure communication channel between the gateway server and the key server module, and the gateway server configured to provide a cryptographic key to the key server module via the secure communication channel.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 25, 2015
    Assignee: Intel Corporation
    Inventors: Vinay Phegade, Nilesh K Jain, Jesse Walker
  • Patent number: 9118716
    Abstract: The computer system includes: a controller; a switch configured to perform, on a received packet complying with a flow entry set by the controller, a relay operation regulated by the flow entry; and a host terminal configured to be connected to the switch. The switch notifies the controller of transmission source address information of a received packet which does not comply with a flow entry set for itself. The controller judges, when legal address information of a host terminal does not coincide with the transmission source address information, that a transmission source address of the received packet is spoofed.
    Type: Grant
    Filed: December 2, 2011
    Date of Patent: August 25, 2015
    Assignee: NEC CORPORATION
    Inventor: Osamu Onoda
  • Patent number: 9117067
    Abstract: A mobile information terminal includes a mode acquisition section adapted to acquire the mode of the mobile information terminal; a sample filling section adapted to, when the number of gripping feature samples acquired in a mode is insufficient, fill in lacking gripping feature samples with gripping feature samples acquired in another mode; a gripping-feature sample acquisition section adapted to acquire gripping feature samples; a switch adapted to switch the mobile information terminal between a learning state and an authentication state; a template learning section adapted to learn an authentication template in each mode using the gripping feature samples when the mobile information terminal is in the learning state; an authentication section adapted to compare the learned authentication template with gripping feature samples in each mode to perform authentication; and a locking section adapted to lock some or all of functions of the mobile information terminal when the authentication fails.
    Type: Grant
    Filed: January 27, 2012
    Date of Patent: August 25, 2015
    Assignee: NTT DOCOMO, INC
    Inventors: Manabu Ota, Masakatsu Tsukamoto, Yasuo Morinaga, Takeshi Higuchi
  • Patent number: 9111084
    Abstract: An authentication platform comprises an authentication unit configured to authenticate the user based on received input data, and a control unit configured to enable communication between a client device and an authentication host as a consequence of successful authentication of the user by the authentication unit.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: August 18, 2015
    Assignee: TEC SOLUTIONS, INC.
    Inventor: Todd Alan Carper
  • Patent number: 9106642
    Abstract: Disclosed are various embodiments for synchronizing authentication sessions between applications. In one embodiment, a first authentication token is received from a first application in response to determining that the first application is authenticated with a service provider. A second authentication token is requested from a token exchange service associated with the service provider. The second authentication token is requested using the first authentication token. The second application is configured to use the second authentication token in order to access a resource of the service provider.
    Type: Grant
    Filed: September 11, 2013
    Date of Patent: August 11, 2015
    Assignee: Amazon Technologies, Inc.
    Inventor: Bharath Kumar Bhimanaik
  • Patent number: 9100440
    Abstract: A computer-implemented method for applying data loss prevention policies to closed-storage portable devices may include (1) injecting a data loss prevention component into at least one application process that is running on a computing device, (2) intercepting, via the data loss prevention component, an attempt by the application process to transfer a file to a closed-storage portable device that is connected to the computing device, (3) identifying a data loss prevention policy that applies to the attempt by the application process to transfer the file, (4) determining that the attempt by the application process to transfer the file violates the data loss prevention policy, and (5) performing a security action in response to determining that the attempt by the application process to transfer the file violates the data loss prevention policy. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 4, 2014
    Date of Patent: August 4, 2015
    Assignee: Symantec Corporation
    Inventor: Sarin Sumit Manmohan
  • Patent number: 9100365
    Abstract: A computer network and corresponding method for providing, as part of a web portal session, access for a user to a web application running on a server. The network includes first and second traffic managers connected via an intermediate web server. The first traffic manager includes an interface for receiving from the user, as part of the portal session, a request for access to the web application and for passing the request to the intermediate web server; and for forwarding to the second traffic manager. The second traffic manager includes an interface for receiving the request from the first traffic manager via the intermediate web server and for passing the received request to the web application.
    Type: Grant
    Filed: March 9, 2010
    Date of Patent: August 4, 2015
    Assignee: British Telecommunications PLC
    Inventors: Rajen Manani, Simon Howe
  • Patent number: 9100171
    Abstract: A secure communication forum is established through use of a network resource that is available to a host user and one or more forum users. The host user is validated and assigned a master key for his or her forum. Individual users who are to participate in the forum are assigned user keys that are validated with the master key. The forum is maintained for ongoing use for the users.
    Type: Grant
    Filed: December 17, 2009
    Date of Patent: August 4, 2015
    Assignee: Secure Forward, LLC
    Inventor: Kevin Peterson
  • Patent number: 9092644
    Abstract: A method and system to provide an effective, scalable and yet low-cost solution for Confidentiality, Integrity and Replay protection for sensitive information stored in a memory and prevent an attacker from observing and/or modifying the state of the system. In one embodiment of the invention, the system has strong hardware protection for its memory contents via XTS-tweak mode of encryption where the tweak is derived based on “Global and Local Counters”. This scheme offers to enable die-area efficient Replay protection for any sized memory by allowing multiple counter levels and facilitates using small counter-sizes to derive the “tweak” used in the XTS encryption without sacrificing cryptographic strength.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: July 28, 2015
    Assignee: Intel Corporation
    Inventors: Alpa T. Narendra Trivedi, David M. Durham, Men Long, Siddhartha Chhabra, Uday R. Savagaonkar, Carlos V. Rozas
  • Patent number: 9087459
    Abstract: Methods, apparatus, and articles of manufacture to encode auxiliary data into text data and methods, apparatus, and articles of manufacture to obtain encoded data from text data are disclosed. An example method to embed auxiliary data into text data includes selecting a portion of auxiliary data to be encoded into text data, mapping the portion of auxiliary data to a first set of one or more encoded characters representative of the portion of the auxiliary data, mapping a position of the portion of auxiliary data within the auxiliary data to a second set of one or more encoded characters representative of the portion of the auxiliary data, and generating encoded data by including the first set of encoded characters and the second set of encoded characters in the text data.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: July 21, 2015
    Assignee: THE NIELSEN COMPANY (US), LLC
    Inventors: Nikolay Georgiev, Leonid Ayzenshtat
  • Patent number: 9083699
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: July 14, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael Kenneth Brown, Michael S. Brown, Herbert Anthony Little, Neil Patrick Adams