Patents Examined by Harvey Cohen
  • Patent number: 9953315
    Abstract: A method for building an advanced storage key includes: storing, in a mobile device, at least (i) device information associated with the mobile device, (ii) program code associated with a first program including an instance identifier, and (iii) program code associated with a second program including a first key; generating a device fingerprint associated with the mobile device based on the device information via execution of the code associated with the first program; generating a random value via execution of the code associated with the first program; building a diversifier value based on the generated device fingerprint, the generated random value, and the instance identifier included in the code associated with the first program; and decrypting the built diversifier value using the first key stored in the code associated with the second program via execution of the code associated with the second program to obtain a storage key.
    Type: Grant
    Filed: December 2, 2014
    Date of Patent: April 24, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Mehdi Collinge, Cristian Radu
  • Patent number: 9935931
    Abstract: A user who is currently unauthorized to access a resource sends a request to access the resource. It is determined whether a number of authorized users of the resource who have indicated that the user should be permitted to access the resource satisfies the threshold condition. If the number of authorized users who have indicated that the user should be permitted access satisfies the threshold condition, the user is permitted to access the resource. The threshold condition can be based on replies received responsive to messages sent to the authorized users of the resource asking whether the user should be permitted to access the resource. The threshold condition can be based on public digital keys of the authorized users from the user.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: April 3, 2018
    Assignee: Lenovo Enterprise Solutions (Singapore) PTE. LTD.
    Inventors: David Daniel Chudy, Gary David Cudak, James Gordon McLean, Cristian Medina
  • Patent number: 9930053
    Abstract: A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on an image which forms an HTTP request/response transaction for the image file).
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: March 27, 2018
    Assignee: Vectra Networks, Inc.
    Inventor: Nicolas Beauchesne
  • Patent number: 9900313
    Abstract: Implementations provide for a secure shell (SSH) proxy for a Platform-as-a-Service (PaaS) system. A method of the disclosure includes receiving, by a processing device executing a Secure Shell (SSH) proxy server, a request to establish an SSH connection with a component of an application of a multi-tenant Platform-as-a-Service (PaaS) system, the component is separate from the SSH proxy server, authenticating credentials provided as part of the request, establishing the SSH connection with a device originating the request, receiving, in view of authenticating the credentials and establishing the SSH connection, routing information for the application, the routing information comprising a location of a node of the multi-tenant PaaS system executing the application, establishing an internal communication session with an executing proxy of the node, and forward information conveyed over the SSH connection to the executing proxy via the internal communication session.
    Type: Grant
    Filed: February 4, 2015
    Date of Patent: February 20, 2018
    Assignee: Red Hat, Inc.
    Inventors: Thomas Wiest, Clayton Coleman, Andrew Goldstein
  • Patent number: 9882889
    Abstract: Techniques for user authentication are disclosed. In one embodiment, the techniques may be realized as a method including during registration of a user, receiving a first captured image of a physical key having a blade; identifying from the captured image a plurality of features associated with the blade of the physical key; associating the identified plurality of features with the user as key feature data; in response to a subsequent access request by the user requiring authorization of the user, prompting the user to present the physical key; receiving a second captured image in response to prompting the user; analyzing the second image to determine if the key feature data is represented in the second image; and in response to determining that the key feature data is represented in the second image, authorizing the user's access request.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: January 30, 2018
    Assignee: Symantec Corporation
    Inventors: Lei Gu, Ilya Sokolov, Matt Boucher
  • Patent number: 9882886
    Abstract: High conversion rate content can be displayed with primary content from one or more publishers in order to determine whether the content is being displayed to human users or provided to automated processes such as robots. Convertible content such as advertising will generally result in conversions or other actions within an expected range of occurrences. Convertible content performing significantly below the range can be indicative of robotic traffic. Such determinations can be difficult for publishers with low volume traffic, however, as there may not be sufficient data to make an accurate determination. For such publishers, or users viewing content for such publishers, high conversion rate content can be displayed that will allow such determinations to be made with fewer data points. The rates can be used to determine robotic users, which can be blocked, as well as to determine poorly performing placements of the content by the publishers.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: January 30, 2018
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Hemant Jagadish Kowshik, Ashwin Devendrappa Tengli
  • Patent number: 9826401
    Abstract: A device forwards a set of packets between a first network device, associated with a first network, and a second network device, associated with a second network. The set of packets may be associated with permitting access, by a set of mobile devices connected to the first network, to the second network. The device may generate and store configuration information, identifying the set of mobile devices, based on the set of packets. The device may receive, from a third network device, a request associated with establishing a communication session between the third network device and a fourth network device associated with the second network, may determine, based on the configuration information, whether a particular mobile device, associated with the request, is permitted to establish the communication session, and may selectively create the communication session based on determining that the particular mobile device is permitted to establish the communication session.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: November 21, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Miguel A. Carames, Amol Tuli
  • Patent number: 9785789
    Abstract: An optical security method for object authentication using photon-counting encryption implemented with phase encoded QR codes. By combining the full phase double-random-phase encryption with photon-counting imaging method and applying an iterative Huffman coding technique, encryption and compression of an image containing primary information about the object is achieved. This data can then be stored inside of an optically phase-encoded QR code for robust read out, decryption, and authentication. The optically encoded QR code is verified by examining the speckle signature of the optical masks using statistical analysis.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: October 10, 2017
    Assignee: University of Connecticut
    Inventors: Bahram Javidi, Adam Markman, Mohammad (Mark) Tehranipoor
  • Patent number: 9779225
    Abstract: A method of providing access to secure features of a device includes detecting motion of a secured device during entry of first access credentials on the secured device, storing first motion data in association with the first access credentials, the first motion data indicating a pattern of the detected motion, and granting access to a secured feature of the secured device when a user enters user access credentials matching the first access credentials accompanied by detected motion that produces user motion data matching the first motion data to a degree within a defined valid data range of the first motion data.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: October 3, 2017
    Assignee: Google Inc.
    Inventors: J. Eric Mason, Kenneth Louis Herman, Yash Modi
  • Patent number: 9680834
    Abstract: Techniques are disclosed for protecting the privacy and security of data associated with a web document. A web browser is configured to manipulate the URL, which contains an access token, of a preview web page document before the browser loads external resources (e.g., web page content) linked from the preview web page document. For example, the browser may change a current page URL containing the access token to another sacrificial URL that does not include the token. In addition, the browser will send the sacrificial URL, rather than the original URL, as a referrer to the various resources that provide the web page content, which prevents exposure of the access token to those resources while the web page content is loading. After the web page content is loaded into the browser, the current page URL of the browser is changed back to the original URL.
    Type: Grant
    Filed: July 8, 2015
    Date of Patent: June 13, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Damien Antipa
  • Patent number: 9646158
    Abstract: A computer-implemented method for detecting malicious files may include (1) identifying a length of at least one line within a textual file, (2) assessing, based at least in part on the length of the line within the textual file, a likelihood that at least a portion of the textual file has been encrypted, (3) determining, based on the likelihood that at least a portion of the textual file has been encrypted, a likelihood that the textual file is malicious, and (4) performing a remediation action based at least in part on determining the likelihood that the textual file is malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: May 9, 2017
    Assignee: Symantec Corporation
    Inventors: Nitin Shekokar, Xue Feng Tian
  • Patent number: 9639671
    Abstract: Provided are facilities for secure execution of an encrypted executable comprising an encrypted instruction. The secure execution includes obtaining the encrypted instruction, decrypting the encrypted instruction using a decryption key being maintained in a secure location within a processor, and storing the decrypted instruction to a secure storage for execution, where the decryption key remains in the secure location during the decrypting and the storing to facilitate maintaining security of the decryption key.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: May 2, 2017
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventor: Jacob Torrey
  • Patent number: 9634996
    Abstract: Mapping and obscuring digital representations of a number of user accounts on a social network map includes identifying a primary user account from a number of user accounts of a social network, determining, based on metadata associated with the user accounts, a relationship for each of the user accounts relative to the primary user account, mapping, based on the relationship for each of the user accounts relative to the primary user account, a digital representation of each of the user accounts to a territory on a social network map, determining, based on the relationship for each of the user accounts relative to the primary user account, an obscurity level for each of the user accounts, and obscuring, based on the obscurity level, the territory associated with the digital representation of each of the user accounts on a social network map from the primary user account.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: April 25, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Cameron J. Bosnic, Jr., Vijay Francis, Jacob M. Lineberry, Scott H. Prager, Erika Varga
  • Patent number: 9628446
    Abstract: Mapping and obscuring digital representations of a number of user accounts on a social network map includes identifying a primary user account from a number of user accounts of a social network, determining, based on metadata associated with the user accounts, a relationship for each of the user accounts relative to the primary user account, mapping, based on the relationship for each of the user accounts relative to the primary user account, a digital representation of each of the user accounts to a territory on a social network map, determining, based on the relationship for each of the user accounts relative to the primary user account, an obscurity level for each of the user accounts, and obscuring, based on the obscurity level, the territory associated with the digital representation of each of the user accounts on a social network map from the primary user account.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: April 18, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Cameron J. Bosnic, Jr., Vijay Francis, Jacob M. Lineberry, Scott H. Prager, Erika Varga
  • Patent number: 9614817
    Abstract: An apparatus includes a memory; and a processor coupled to the memory and configured to generate a first common key whose key value varies based on a first elapsed time when a notification of the first elapsed time after a start-up of another apparatus to which a data frame to be encrypted is to be transmitted has been made, generate a second common key whose key value varies based on a second elapsed time after a start-up of the apparatus when a notification of the first elapsed time has not been made, and encrypt the data frame by any one of the first common key and the second common key as a common key and transmit the encrypted data frame to the another apparatus.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: April 4, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Nobuyasu Tabata, Koki Mie, Katsuhiko Yamatsu, Tatsuya Soneda, Taiji Kondo
  • Patent number: 9544311
    Abstract: The present disclosure describes methods, systems, and computer program products for providing secure identity propagation in a cloud-based computing environment. One computer-implemented method includes receiving, from a user, a first security response message, transmitting, to the user in response to receiving the first security response message, a second security response message, wherein the second security response message comprises a Token Granting Token (TGT), receiving, from a cloud application, a Service Token (ST) request, wherein the ST request comprises the TGT, verifying the ST request based on the TGT, generating, in response to the verifying, a ST, wherein the ST is used to validate an access request to access a backend system, and transmitting the ST to the cloud application.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: January 10, 2017
    Assignee: SAP SE
    Inventor: Martin Raepple
  • Patent number: 9537882
    Abstract: Methods and systems are disclosed for detecting a security threat. The methods and systems comprise detecting that a first device is coupled with the first I/O interface, responsive to the detection that the first device is coupled with the first I/O interface, temporarily disabling data communication between the first and second I/O interfaces, acquiring a file from the detected first device via the first I/O interface, determining whether the acquired file poses a security threat, and responsive to a determination that the acquired file does not pose a security threat, enabling the data communication between the first and second I/O interfaces.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: January 3, 2017
    Assignee: FEDEX CORPORATED SERVICES, INC.
    Inventors: Christopher Perry Patteson, Edward Michael Maier, Michael Jesse Mings
  • Patent number: 9467442
    Abstract: Techniques are disclosed for rapidly securing a server in response to a request for a high-assurance digital certificate. As described, a CA may issue a basic tier certificate after performing a verification process to confirm that a party requesting a certificate for a given network domain, in fact, has control of that domain. Once issued and provisioned on the server, the server can establish secure connections with clients. At the same time, the CA continues to perform progressive identity verification processes for progressively higher tiers of certificates. Once the identity verification process at each tier is complete, the CA issues a new certificate for the corresponding tier, which may then be provisioned on the server. After performing all of the identity verification processes, the server can issue the requested high-assurance certificate.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: October 11, 2016
    Assignee: Symantec Corporation
    Inventor: Michael Klieman
  • Patent number: 9450983
    Abstract: A device is configured to receive an alarm message from a particular device that received a radio resource control request from a client device. The alarm message may indicate that a threshold access limit to an operator network is satisfied by the client device or that a particular protocol is being used by the client device. The device may determine a policy associated with the client device. The policy may indicate a policy rule associated with a policy action to be taken if the policy rule is violated. The device may determine the policy rule is violated based on the alarm message received from the particular device. The device may instruct the particular device to perform the policy action, by accepting or rejecting the radio resource control request, based on the policy rule being violated.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: September 20, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Ye Huang, Loc Ba Vo, Yee Sin Chan
  • Patent number: 9444797
    Abstract: Technologies are generally described for generating obfuscated message data. In some examples, a method performed under control of a server may include calculating co-occurrence probabilities of a plurality of combinations, each of which includes at least two elements that are included in original message data; extracting, from the original message data, a first data set that includes at least one combination that has a first co-occurrence probability from among the plurality of combinations and a second data set that includes at least one combination that has a second co-occurrence probability from among the plurality of combinations; generating dummy data by using the first data set and the second data set; and adding the generated dummy data to the original message data to generate obfuscated message data.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: September 13, 2016
    Assignee: Empire Technology Development LLC
    Inventor: Shuichi Kurabayashi