Patents Examined by Hadi Armouche
  • Patent number: 9864873
    Abstract: A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 9, 2018
    Assignee: TrustArc Inc
    Inventor: Daniel J. Guinan
  • Patent number: 9860258
    Abstract: An Enhanced Ethernet Network Interface Card (EENIC) interfaces with a host and a network. The EENIC includes an internal network interface controller (NIC), a field programmable array (FPGA) in electrical communication with the internal network interface controller, and a peripheral component interconnect express (PCIe) controller, in independent electrical communication with the field programmable array or the internal network interface controller. The FPGA is configured to intercept data from either the host, or from the network, or from a combination thereof. Additionally, the configured interception is undetected by the host, or by the network, or a combination thereof.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: January 2, 2018
    Assignee: The United States of America as represented by the Secretary of the Air Force
    Inventors: James C Collins, Chet M Wall, Robert J Kaufman, III
  • Patent number: 9860238
    Abstract: A smart remote control system includes multiple terminals and a server. Each terminal is accessible by an electronic device through use of a registered account/password set. Upon receipt of an association request and a to-be-associated account/password set, one of the terminals is operable to transmit the to-be-associated account/password set to the server. In turn, the server determines whether the to-be-associated account/password set conforms with one of a plurality of user account/password sets stored therein, and enables the one of the terminals to be accessible by the electronic device through use of the to-be-associated account/password set when the determination is affirmative.
    Type: Grant
    Filed: November 13, 2015
    Date of Patent: January 2, 2018
    Assignee: Netvox Technology Co., Ltd.
    Inventor: Shiu-Cheng Shen
  • Patent number: 9858360
    Abstract: A system and method for controlling manufacturing of one or more items may include providing a first 3D design representation, the first 3D design representation usable by a manufacturing device for manufacturing the item; encrypting the first 3D design representation to produce an encrypted 3D design representation; associating a set of tokens with the encrypted 3D design representation and providing the encrypted 3D design representation. A method or system may include obtaining a token and including the token in a request to manufacture the item; using the token to determine whether or not to provide a decryption key; and, if determining to provide the decryption key, using the decryption key to produce a second 3D design representation, the second 3D design representation usable by a manufacturing device for manufacturing the item.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: January 2, 2018
    Assignee: MAKE IT LEO LTD
    Inventors: Lee-Bath Nelson, Moshe Molcho
  • Patent number: 9860154
    Abstract: An improved method and system for processing network metadata is described. Network metadata may be processed by dynamically instantiated executable software modules which make policy-based decisions about the character of the network metadata and about presentation of the network metadata to consumers of the information carried by the network metadata. The network metadata may be type classified and each subclass within a type may be mapped to a definition by a unique fingerprint value. The fingerprint value may be used for matching the network metadata subclasses against relevant policies and transformation rules. For template-based network metadata such as NetFlow v9, an embodiment of the invention can constantly monitor network traffic for unknown templates, capture template definitions, and inform administrators about templates for which custom policies and conversion rules do not exist.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: January 2, 2018
    Assignee: NETFLOW LOGIC CORPORATION
    Inventors: Igor Balabine, Alexander Velednitsky
  • Patent number: 9860208
    Abstract: Techniques for bridging a honey network to a suspicious device in a network (e.g., an enterprise network) are disclosed. In some embodiments, a system for bridging a honey network to a suspicious device in an enterprise network includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target network environment based on one or more attributes for a target device in the device profile data store; and a honey network policy that is configured to route an internal network communication from a suspicious device in the target network environment to the virtual clone for the target device in the honey network.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: January 2, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Taylor Ettema, Huagang Xie
  • Patent number: 9860253
    Abstract: Methods and systems provide embeddable user interface widgets to third-party applications so that the widgets can be securely embedded in, and securely used from within, the third-party applications. An embeddable widget may be authorized to access a first-party cloud storage system from a third-party application based on the cloud storage system authenticating a request received from the widget. The authentication may be based on an application identifier, an origin identifier, and/or one or more document identifiers received from the third-party application through the embedded widget. The disclosed methods and systems may significantly mitigate security concerns caused by embedding software in third-party sites, such as clickjacking.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: January 2, 2018
    Assignee: GOOGLE INC.
    Inventors: Brian Lewis Cairns, Victoria Hsiao-Tsung Chou Fritz, Eric Benson Schoeffler, Michael Jeffrey Procopio
  • Patent number: 9848007
    Abstract: A machine may be configured to detect an anomalous event based on metrics pertaining to a production system. For example, the machine analyzes a time series of values associated with a metric pertaining to a production system. The machine identifies a pattern associated with the time series based on the analysis of the time series. The pattern may describe an occurrence of particular values at particular timestamps of the time series. The machine determines a range of potential values for a next timestamp in the time series based on the pattern. The machine assigns a score value to an actual value associated with the metric and corresponding to the next timestamp. The assigning of the score value may be based on a comparison of the actual value and the range of potential values. The machine identifies the actual value as a candidate for an alert based on the score value.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: December 19, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jieying Chen, Xiao Li, Deepak Kumar, Anmol Bhasin, Bhaskaran Devaraj
  • Patent number: 9843599
    Abstract: Methods and systems for dynamic threat protection are disclosed. An example method for dynamic threat protection may commence with receiving real-time contextual data from at least one data source associated with a client. The method may further include analyzing the real-time contextual data to determine a security threat score associated with the client. The method may continue with assigning, based on the analysis, the security threat score to the client. The method may further include automatically applying a security policy to the client. The security policy may be applied based on the security threat score assigned to the client.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: December 12, 2017
    Assignee: A10 NETWORKS, INC.
    Inventors: Rajkumar Jalan, Vernon Richard Groves
  • Patent number: 9843452
    Abstract: A certificate authority service receives a request to issue a long-duration digital certificate from an entity for validation purposes between the entity and the service. Upon issuance of the long-duration digital certificate, the entity submits a request to the service for issuance of a short-duration digital certificate that includes a shorter validity period than the long-duration digital certificate. The service may utilize the long-duration digital certificate to validate the entity and, upon validating the entity, issues the short-duration digital certificate to the entity. The entity may subsequently utilize the short-duration digital certificate to enable a user client to authenticate the entity and securely communicate with the entity.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: December 12, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9843597
    Abstract: Techniques for monitoring a controller area network bus are described herein. In one example, a system comprises a processor that is to detect a message from a source electronic control unit in a vehicle and calculate a location of the source electronic control unit based on at least two arrival times, the arrival times indicating a distance between a first monitor and the source electronic control unit. The processor can also detect that the message corresponds to a function controlled by a second electronic control unit and generate a warning that the message from the source electronic control unit is malicious.
    Type: Grant
    Filed: August 10, 2015
    Date of Patent: December 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Yair Allouche, Yossi Gilad, Oded Margalit
  • Patent number: 9842208
    Abstract: A method, apparatus and system for detecting a malicious process behavior. A detection apparatus monitors a process to obtain behavior information about a target process behavior, and then sends the behavior information to a server, which determines whether the target process behavior is a malicious process behavior. The detection apparatus can receive first operation indication information returned by the server according to a detection result of the target process behavior, and perform an operation on the target process behavior according to the first operation indication information. The target process behavior is subjected to a comprehensive detection by the server according to the behavior information, rather than depending on a specified feature analysis of a single sample of the target process behavior by the detection apparatus, so that malicious process behavior can be detected in time, thereby improving the security performance of the system.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: December 12, 2017
    Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Yinming Mei, Yizhi Xie, Huaming Yue, Hanzhong Hu, Tingli Bi
  • Patent number: 9843442
    Abstract: An operation apparatus includes a message expansion unit, a state data initiation unit, a state data generation unit, and a chain variable update unit. The message expansion unit generates a plurality of expanded messages using a message. The state data initiation unit generates the initial value of state data using chain variable data. The state data generation unit generates the final value of the state data by iterating a combination function and a step function using the state data and the plurality of expanded messages. The chain variable update unit updates the chain variable data using the state data of the final value.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: December 12, 2017
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Deukjo Hong, Jung Keun Lee, Woo-Hwan Kim, Daesung Kwon
  • Patent number: 9838357
    Abstract: A firewall system determines whether a protocol used by an incoming data packet is a standard protocol compliant with Request For Comment (RFC) standards. In the event the protocol is RFC compliant, the firewall transmits the packet to the recipient according to firewall policies regarding the standard protocol. If the protocol is not that of an RFC standard, the firewall determines whether the protocol matches an RFC-exception protocol in an RFC-exception protocol database. If the protocol does match an RFC-exception, the firewall may transmit the packet to the recipient according to firewall policies regarding the RFC-exception protocol. If it does not match an RFC-exception, the firewall may transmit the packet or protocol to a support system where it may be quarantined until it is approved based on a decision that the protocol is safe and/or widely adopted.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: December 5, 2017
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 9838421
    Abstract: A method, operated by a Software Defined Networking (SDN) controller associated with an Autonomous System (AS) with one or more peering points, each peering point with an associated router communicatively coupled to the SDN controller, the method for detecting and defending against Distributed Denial of Service (DDoS) attacks, and the method includes receiving data from the one or more peering points; detecting malicious traffic at the one or more peering points; determining a peer quality measurement for the one or more peering points; and communicating the peer quality measurement and other data associated with the malicious traffic to one or more other SDN controllers, associated with Autonomous Systems connected through the one or more peering points, to facilitate convergence of the peer quality measurement back to a nominal level.
    Type: Grant
    Filed: October 1, 2014
    Date of Patent: December 5, 2017
    Assignee: Ciena Corporation
    Inventors: Aung Htay, Roger Michael Elbaz, Sachin Subhedar, Logan Blyth
  • Patent number: 9836618
    Abstract: A method and system for authenticating a service to access data respective of a user on a low-end mobile device. The method includes sending, from a telephone-to-web adapter, a first authentication token over a first communication path to the low-end mobile device, wherein the telephone-to-web adapter is a separate entity from the low-end mobile device; receiving, at the telephone-to-web adapter, a second authentication token over a second communication path, wherein the second authentication token is received from a host server hosting the service, wherein the first communication path is performed with a first method of communication and the second communication path is performed with a second method of communication; comparing, at the telephone-to-web adapter, the first authentication token to the second authentication token; and allowing access to data upon determining that the first authentication token matches the second authentication token.
    Type: Grant
    Filed: August 8, 2016
    Date of Patent: December 5, 2017
    Assignee: VascoDe Technologies Ltd.
    Inventors: Dorron Mottes, Gil Zaidman, Arnon Yaar, Ophir Marko
  • Patent number: 9836585
    Abstract: A method for managing users' digital rights to documents protected by digital rights management (DRM), comprising the steps of a rights management system (RMS) server receiving a request from a user for accessing a DRM-protected document, and the RMS server executing a user centric adaptor (UCA) module to check in a UCA database under the user's identification (ID) whether one of a limited number of predetermined policies of digital rights is added to the user's ID, whereas if the user's rights to the document are not revoked by deletion of a predetermined policy under the user's ID in the UCA database, then the UCA module does not block granting the user's request.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 5, 2017
    Assignee: KONICA MINOLTA LABORATORY U.S.A., INC.
    Inventor: Rabindra Pathak
  • Patent number: 9836617
    Abstract: The disclosed subject matter provides for code repository intrusion detection. A code developer profile can be generated based on characteristic features present in code composed by the developer. Characteristic features can be related to the coding propensities peculiar to individual developers and, over sufficient numbers of characteristic features, can be considered pseudo-signatures. A target code set is analyzed in view of one or more developer profiles to generate a validation score related to a likelihood of a particular developer composing a portion of the target code set. This can serve to confirm or refute a claim of authorship, or can serve to identify likely author candidates from a set of developers. Where the target code set authorship is determined to be sufficiently suspect, the code set can be subjected to further scrutiny to thwart intrusion into the code repository.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: December 5, 2017
    Assignee: DEJA VU SECURITY, LLC
    Inventors: Adam Cecchetti, Michael Eddington
  • Patent number: 9838418
    Abstract: Computer systems and methods in various embodiments are configured to determine whether a file is likely to be malware-free or include malware.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: December 5, 2017
    Assignee: SYNACK, INC.
    Inventor: Patrick Wardle
  • Patent number: 9838361
    Abstract: Systems, methods, and non-transitory computer-readable media are provided to secure data centers and cloud computing. A method receives network identifiers for functions, requests a network key for each function, allocates network interfaces, requests a virtual network interface controller allocation, requests a network key for each cloud function, receives storage identifiers for functions, requests a storage key for each cloud function, allocates virtual storage disks, requests a storage interface controller allocation, requests a storage key for each cloud function. Methods secure migration of a virtual machine from a source to a target server. A server includes multiple cores where each core is dedicated to a compute function and a unique key encrypts data of each compute function. A non-transitory computer-readable medium encodes programs that execute the above methods.
    Type: Grant
    Filed: May 11, 2017
    Date of Patent: December 5, 2017
    Inventor: Ari Birger