Patents Examined by Hadi S Armouche
  • Patent number: 10158657
    Abstract: Techniques are provided for determining a reputation of a source address based on analytics of interaction history. In an embodiment, computers store interaction data that indicates a plurality of interactions between users and an online entity. For each interaction of the plurality of interactions, the interaction data indicates a source address of a user. For each source address of a plurality of source addresses indicated in the interaction data, the computers determine an aggregate measurement indicating aggregate behavior of users associated with an aggregate subset of interactions of the plurality of interactions. Each interaction of the aggregate subset is associated with said source address. The computers determine a negative measurement indicating negative behavior of users that are associated with a negative subset of interactions of the aggregate subset. The computers generate, based on the negative and aggregate measurements, a score that indicates a reputation of said each source address.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: December 18, 2018
    Assignee: Microsoft Technology Licensing LLC
    Inventors: Jenelle Bray, Grace Tang
  • Patent number: 10158642
    Abstract: Log entries are provided with unique entry identifiers, which may be sequenced in an incremental or decremental order, to create or to update a distributed log which may be replicated and distributed to multiple servers in a network. The entry identifiers may be appended to their respective log entries. Files, records or data which are identified by their respective log entries may be transmitted regardless of the sequence of the entry identifiers.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: December 18, 2018
    Assignee: salesforce.com, inc.
    Inventors: Venkateswararao Jujjuri, Sameer Tiwari, James John Seeger, Jr., Patrick James Helland
  • Patent number: 10154062
    Abstract: This disclosure describes an approach to handle packets that arrive at a network security device, such as a router. At a data plane of the security device, packet identifiers included in an incoming packet not currently belonging to an IP session of the device are compared to packet identifiers stored in a table stored in a memory of the security device. The incoming packet identifiers include a source IP, a destination IP, a protocol, a destination port, and a source port while the identifiers stored in the table do not include the source port. A new session is established for the incoming packet in response to the set of packet identifiers matching one of the entries in the table.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: December 11, 2018
    Assignee: NXP USA, Inc.
    Inventors: Subhashini A. Venkataramanan, Srinivasa R. Addepalli
  • Patent number: 10154051
    Abstract: A computer-implemented data processing method comprises: executing a recurrent neural network (RNN) comprising nodes each implemented as a Long Short-Term Memory (LSTM) cell and comprising links between nodes that represent outputs of LSTM cells and inputs to LSTM cells, wherein each LSTM cell implements an input layer, hidden layer and output layer of the RNN; receiving network traffic data associated with networked computers; extracting feature data representing features of the network traffic data and providing the feature data to the RNN; classifying individual Uniform Resource Locators (URLs) as malicious or legitimate using LSTM cells of the input layer, wherein inputs to the LSTM cells are individual characters of the URLs, and wherein the LSTM cells generate a feature representation; based on the feature representation, generating signals to a firewall device specifying either admitting or denying the URLs.
    Type: Grant
    Filed: August 31, 2016
    Date of Patent: December 11, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Michal Sofka
  • Patent number: 10152600
    Abstract: An embodiment: (a) receives a request for a measurement of a hypervisor from at least one computing node that is external to the at least one machine; (b) executes a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while: (b)(i) the at least one machine is in virtual machine extension (VMX) root operation, and (b)(ii) the measuring agent is in a protected mode; (c) attests to the measurement, based on at least one encryption credential, to generate an attested measurement output; and (d) communicates the attested measurement output to the at least one computing node. The hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. Other embodiments are described herein.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: December 11, 2018
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Vincent R. Scarlata
  • Patent number: 10152594
    Abstract: Disclosed are a method and a device for identifying a virus APK. The method comprises: presetting a virus database comprising virus characteristic codes; detecting that a designated file in a target Android installation package APK contains at least one of the virus characteristic codes; and determining that the target Android installation package APK is a virus APK. In the application, the virus APK and a variation thereof can be rapidly, accurately and effectively identified, thereby improving the security of an APK application.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: December 11, 2018
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Xun Wang, Xu Zhang
  • Patent number: 10148629
    Abstract: An application executing on a user device can receive a request to access a remote computer system. The application can automatically obtain an authentication code that is generated based at least in part on a seed value, which can be stored in the user device. The application can automatically generate an authentication request based at least in part on the access information and the authentication code, and transmit the authentication request to the remote computer system.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: December 4, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Ian Nicholas Wesley-Smith, Cristian M. Ilac, Patrick James Ward
  • Patent number: 10142842
    Abstract: A method includes receiving, at an access server, a communication from a network management device. The communication is sent from a mobile device via an unsecured wireless connection of a first network to an access point, from the access point to the network management device, and from the network management device via a second network to the access server. The communication includes first encrypted data and is associated with a request by the mobile device to access the second network. The method further includes transmitting, from the access server, an encryption key to the access point based on the first encrypted data to enable the access point to establish a secure wireless connection between the access point and the mobile device. The method further includes transmitting signals to the network management device, the signals indicating that the mobile device is authorized to access the second network.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: November 27, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Assad Radpour
  • Patent number: 10140462
    Abstract: A computing device and method for managing file access control policies on a computing device are disclosed. The method includes maintaining file-access policies in user space, receiving, at a kernel level, from a user in user space, a request to access a file, and directing the request from the kernel level to a file-policy manager in user space. At least one of the file-access policies is enforced in user space with the file-policy manager to grant or deny access to the file, and file operations are performed on the file using only kernel-level calls when access to the file is granted.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: November 27, 2018
    Assignee: QUALCOMM Innovation Center, Inc.
    Inventors: Nikhilesh Reddy, Richard Patrick, Robert C. Coleman
  • Patent number: 10142956
    Abstract: A mobile communication device including a wireless transceiver and a controller is provided. The wireless transceiver performs wireless transmission and reception to and from a service network. The controller determines whether the service network is an Isolated E-UTRAN Operation for Public Safety (IOPS) network, and transmits a first ATTACH REQUEST message including an IOPS indicator to the service network via the wireless transceiver in response to the service network being an IOPS network. Also, the controller receives a first ATTACH ACCEPT message including encrypted mapping information from the service network via the wireless transceiver, and transmits a first ATTACH COMPLETE message to the service network via the wireless transceiver.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: November 27, 2018
    Assignee: ACER INCORPORATED
    Inventor: Wei-Chieh Tsai
  • Patent number: 10135844
    Abstract: A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow; obtains an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods, where within each statistic period, the E-mail traffic parameter of each of the statistic periods is determined according to a protocol type of the received data flow; and determines that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold. By applying the disclosed embodiments, a detection result of the E-mail attack is more accurate.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: November 20, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Wu Jiang, Xingshui Dong
  • Patent number: 10135861
    Abstract: Static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: November 20, 2018
    Assignee: Sophos Limited
    Inventors: Mark David Harris, Daniel Stutz, Vincent Kevin Lynch
  • Patent number: 10129295
    Abstract: Use machine learning to train a classifier to classify entities to increase confidence with respect to an entity being part of a distributed denial of service attack. The method includes training a classifier to use a first classification method, to identify probabilities that entities from a set of entities are performing denial of service attacks. The method further includes identifying a subset of entities meeting a threshold probability of performing a denial of service attack. The method further includes using a second classification method, identifying similarity of entities in the subset of entities. The method further includes, based on the similarity, classifying individual entities.
    Type: Grant
    Filed: August 31, 2016
    Date of Patent: November 13, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Omer Karin, Royi Ronen, Hani Neuvirth, Roey Vilnai
  • Patent number: 10129239
    Abstract: The present disclosure is directed towards systems and methods for scanning of a target range of IP addresses to verify security certificates associated with the target range of IP addresses. Network traffic may be monitored between a plurality of clients and a plurality of servers over an IP address space. Traffic monitors positioned intermediary to the plurality of clients and the plurality of servers can identify a target range of IP addresses in the address space for targeted scanning. The target range of IP addresses may be grouped into a priority queue and a scan can be performed of the target range of IP addresses to verify a security certificate associated with each IP address in the target range of IP addresses. In some embodiments, a rogue security certificate is detected that is associated with at least one IP address in the target range of IP addresses.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: November 13, 2018
    Assignee: Citrix Systems, Inc.
    Inventors: Kenneth Bell, Anoop Reddy
  • Patent number: 10120986
    Abstract: A method for controlling an execution of a software application on an execution platform in a first local network comprises: determining a first environment fingerprint including a first network fingerprint characteristic for the first local network using predetermined rules; generating a license including the first environment fingerprint and defining terms of allowed execution of the software application; and controlling the execution by: determining a second environment fingerprint including a second network fingerprint of a local network in which an execution platform for the software application is included using the predetermined rules; comparing the second environment fingerprint with the first environment fingerprint of the license; allowing execution of the software application according to the terms of the license where the second environment fingerprint complies with the first environment fingerprint, and preventing the execution of the software application where the second environment fingerprint
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: November 6, 2018
    Assignee: SFNT GERMANY GmbH
    Inventors: Andreas Lange, Pratyush Kumar, Michael Zunke
  • Patent number: 10122726
    Abstract: Methods, network nodes, and user equipment nodes are disclosed that control the operation of applications on user equipment nodes. A method includes receiving user information that identifies a user of the user equipment node (120) and application information that identifies an application that the user has selected for installation on the user equipment node. A user profile is retrieved from a user profile repository (106) using the user information, and an application profile is retrieved from an application profile repository (104) using the application information. Settings configuration information is generated responsive to the user profile and the application profile, and indicates what permissions are to be granted to the application while operating on the user equipment node.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: November 6, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Joerg Niemoeller, Stefan Avesand, Leonid Mokrushin, Farjola Peco
  • Patent number: 10122531
    Abstract: Provided is an information processing apparatus including a message generating unit that generates messages of N times (where N≥2) based on a multi-order multivariate polynomial set F=(f1, ..., fm) defined on a ring K and a vector s that is an element of a set K^n, and calculates a first hash value based on the messages of N times, a message providing unit that provides a verifier with the first hash value, an interim information generating unit that generates third information of N times using first information randomly selected by the verifier and second information of N times, and generates a second hash value based on the third information of N times, an interim information providing unit that provides the verifier with the second hash value, and a response providing unit that provides the verifier with response information of N times.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: November 6, 2018
    Assignee: Sony Corporation
    Inventor: Koichi Sakumoto
  • Patent number: 10116664
    Abstract: In the present specification, a methodology for incremental security policy specification at varying levels of abstraction is disclosed. The method maintains strict equivalence with respect to authorization state and is based on the group-centric secure information sharing (g-SIS) domain, which is known in the art. A g-SIS authorization policy is specified statelessly, in that it focuses solely on specifying the precise conditions under which authorization can hold in the system while only considering the history of actions that have occurred. The policy supports join, leave, add, and remove operations, which may have either strict or liberal semantics. The stateful application policy is then specified using linear temporal logic. The stateful specification is authorization equivalent to the stateless specification, and may enforce well-formedness constraints.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: October 30, 2018
    Inventors: Ram Krishnan, Ravinderpal S. Sandhu
  • Patent number: 10116621
    Abstract: An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.
    Type: Grant
    Filed: March 22, 2013
    Date of Patent: October 30, 2018
    Assignee: Axway Inc.
    Inventors: Jean-Christophe Denis Bandini, Jeffrey C. Smith
  • Patent number: 10116654
    Abstract: The invention proposes a method for cloning a first secure element from a backup secure element of a user, said backup secure element comprising at least credentials of said user. The method comprises a preliminary phase of checking the authenticity of the first secure element using a second secure element, said second secure element being able to be paired with a third secure element.
    Type: Grant
    Filed: September 3, 2013
    Date of Patent: October 30, 2018
    Assignee: GEMALTO SA
    Inventor: Alain Rhelimi