Patents Examined by Helai Salehi
  • Patent number: 9147073
    Abstract: A server-based system for generation of heuristic scripts for malware detection includes an automatic heuristics generation system for generating heuristic scripts for curing malware infections; a log database containing logs of events from user computers, including detection of known malicious objects and detection of suspicious objects; a safe objects database accessible containing signatures of known safe objects; a malicious objects database containing signatures of known malicious objects. The system retrieves suspect object metadata from the log database and generates the heuristic script based on data from the safe and malicious objects databases. For multiple computers having the same configuration and having the same logs, only one log common to all the multiple computers is transmitted and only one heuristic script is distributed to the multiple computers. A different and specific heuristic script is distributed to those computers that have a different log than the common log.
    Type: Grant
    Filed: February 1, 2013
    Date of Patent: September 29, 2015
    Assignee: Kaspersky Lab, ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 9130982
    Abstract: A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: September 8, 2015
    Assignee: Vencore Labs, Inc.
    Inventors: Yitzchak Gottlieb, Aditya Naidu, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 9122878
    Abstract: An improved technique for verifying a license of a software product includes performing license checks with a server and passing to the server, as part of the license checks, a drifting digital code. The drifting code forms a particular drift pattern, which the server detects over the course of multiple license checks. The drift pattern is typically unique, or relatively unique, to the machine on which the software product is run, and changes in a manner that is difficult for malicious users to replicate on other machines. If a second copy of the software is installed, e.g., if the software is pirated, the second copy will produce a drifting code that has its own drift pattern, which differs from that of the initial copy. The server detects the duplicate copy by observing a divergence in the codes it receives during license checks.
    Type: Grant
    Filed: June 28, 2012
    Date of Patent: September 1, 2015
    Assignee: EMC Corporation
    Inventors: Samuel J. Curry, Marten Van Dijk
  • Patent number: 9118617
    Abstract: A DRM system is provided wherein a policy can be established such that the DRM system controls access to a protected content unit, wherein the policy evaluates a condition so that the DRM system adaptively varies the actions that a user is authorized to perform with the protected content unit in response to changes in the condition. The techniques described herein enable a protection level for a protected content unit to be varied in response to changes in one or more conditions, such as environmental conditions and/or historical usage conditions. The techniques described herein also enable a set of policies to be established for a DRM system such that the DRM system controls access to multiple protected content units in accordance with the set of policies. Pursuant to these policies, the DRM system can adaptively vary access to multiple protected content units in response to one or more conditions.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: August 25, 2015
    Assignee: EMC CORPORATION
    Inventors: David Giroux, Kenneth Allen Rogers
  • Patent number: 9112908
    Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizes, via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
    Type: Grant
    Filed: June 12, 2013
    Date of Patent: August 18, 2015
    Assignee: International Business Machines Corporation
    Inventors: Caspar G.J. Krieger, Billy Joe Soper, Kenichi Yoshimura
  • Patent number: 9112907
    Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizes, via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: August 18, 2015
    Assignee: International Business Machines Corporation
    Inventors: Caspar G.J. Krieger, Bill J. Soper, Kenichi Yoshimura
  • Patent number: 9106646
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that the identity of a user has been successfully proven using a first of two or more authentication factors, allowing updates or requests for updates to be initiated after the identity of the user has been successfully proven using the first authentication factor, logging the updates or requests for updates that are initiated after the identity of the user has been successfully proven using the first authentication factor, determining that the identity of the user has not been successfully proven using a second of the two or more authentication factors, and reverting the updates, or discarding the requests for updates, based on determining that the identity of the user has not been successfully proven using the second authentication factor.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: August 11, 2015
    Assignee: Google Inc.
    Inventor: Lantian Zheng
  • Patent number: 9100361
    Abstract: A routing module in a secure routing and communication architecture to receive and transmit data of varied protocols, convert the data protocols to an internet protocol for routing on a local area network. Components of the input/output module comprise a processor, a cryptomodule, a field programmable gate array, all of which communicate in internet protocol. The routing module has a number of interfaces through which SATCOM protocol, UHF-VHF protocol, digital data protocols, serial data protocols, common data link protocols, push-to-talk data protocols, analog voice and voice internet protocol, and other internet protocol data can be received, routed, and transmitted. Hardware, firmware, and software logic within the components convert analog or other digital data to internet protocol, verify the classification level of data, protect the classification level of the data, encrypt the data for routing through a secure routing system to a destination interface.
    Type: Grant
    Filed: April 25, 2008
    Date of Patent: August 4, 2015
    Assignee: Lockheed Martin Corporation
    Inventors: Frank A. Lucchesi, Christopher T. Wolff
  • Patent number: 9076016
    Abstract: One or more network devices receive user criteria for providing anonymization of data from a user device and generate a default workflow for achieving the user criteria. The network devices provide, to the user device, the default workflow and receive user input to the default workflow. The network devices generate and send, based on the user input, final workflow instructions for transmitting data from the user device. The network devices also receive anonymized data transmitted from the user device based on the final workflow instructions. The network devices can provide trend observations of the anonymized data for use by third parties without granting access to the anonymized data.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: July 7, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Madhusudan Raman, Peter Steven Tippett
  • Patent number: 9071569
    Abstract: A system, method, and computer program product are provided for content metadata and authorization exchange between content providers and service providers. In use, content metadata from each of a plurality of content providers is stored in a central repository for use in identifying to each of a plurality of service providers content of the content providers that is accessible to the service provider. Furthermore, communications between the content providers and the service providers associated with authorizations for content access are proxied via a central proxy.
    Type: Grant
    Filed: March 22, 2011
    Date of Patent: June 30, 2015
    Assignee: Amdocs Software Systems Limited
    Inventor: David Jacobs
  • Patent number: 9069930
    Abstract: A security information and event management (SIEM) system includes a data storage sub-system that stores (1) security data pertaining to security-related events and states of a production computer system, (2) security business objects (SBOs) as an abstraction layer over the security data, and (3) workflows which each include a set of the SBOs organized in a workflow-specific manner. Each SBO represents a security-related aspect of the production system and includes data queries to generate output data pertaining to the security-related aspect. Each workflow embodies a complex multi-step security analysis operation. In operation, security users of the SIEM system execute the workflows including the respective security business objects, resulting in a set of result data which identifies security threats and vulnerabilities of the production computer system.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: June 30, 2015
    Assignee: EMC Corporation
    Inventor: Catherine V. Hart
  • Patent number: 9064115
    Abstract: A system and method for detecting malware on a limited access mobile platform in a mobile network. The system and method uses one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compares an application on the limited access mobile platform to the feature sets. A match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.
    Type: Grant
    Filed: April 6, 2007
    Date of Patent: June 23, 2015
    Assignee: Pulse Secure, LLC
    Inventors: George Tuvell, Charles Lee
  • Patent number: 9059855
    Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: June 16, 2015
    Assignee: Intel Corporation
    Inventors: Simon P. Johnson, Vincent R. Scarlata, Willard M. Wiseman
  • Patent number: 9060025
    Abstract: Systems and methods for configuring security policies based on cloud are provided. According to one embodiment, security parameters are shared on cloud by security devices. A first network appliance may fetch one or more security parameters shared by a second network appliance from a cloud account. Then the first network appliance automatically creates a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: June 16, 2015
    Assignee: Fortinet, Inc.
    Inventor: Qing Xu
  • Patent number: 9053315
    Abstract: A method, system, and computer-readable storage media for granting a device access to a managed group are disclosed. Identification information may be exchanged between a management device in the managed group and a managed device through a secure first channel. If the identification information is verified by the management device, the managed device may be granted access to the managed group through the secure first channel. If access is granted, the managed device may access the managed group through a secure communication session on a network. If the identification information is not verified, the management device may send a cryptographic key to the managed device through the secure first channel. The cryptographic key may be used to create an encrypted communication session between the managed device and management device over the network.
    Type: Grant
    Filed: June 28, 2012
    Date of Patent: June 9, 2015
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: Robert J. Donovan, Joseph C. Lindsay, Randall S. Nelson, Christopher A. Peterson, Darrel W. Raknerud, Taylor L. Schreck, Judith Trousdell, Lee H. Wilson, John C. Wingertsman, III, Andrew W. Wojtowicz, Tokunbo Adeshiyan
  • Patent number: 9055427
    Abstract: A method of updating/recovering a configuration parameter of a mobile terminal having stored thereon a public key of a public-key cryptosystem and a current terminal identifier, the method comprising determining an updated configuration parameter by an update/recovery server in response to a received current terminal identifier from the mobile terminal; generating an update/recovery data package by a central signing server, the update/recovery data package including the current terminal identifier, the updated configuration parameter, and a digital signature based on a private key, where the digital signature is verifiable by said public key; storing the current terminal identifier and the updated configuration parameter by the central signing server; sending the update/recovery data package by the update/recovery server to the mobile terminal causing the mobile terminal to verify the received update/recovery data package and to store the updated configuration parameter of the verified update/recovery data p
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: June 9, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Gehrmann, Ben Smeets
  • Patent number: 9054864
    Abstract: Disclosed are an apparatus and methods of performing a secure backup of at least one data file via an agent application. According to one example, the method may include determining the at least one data file requires a mirror backup file, and determining that the at least one data file is a candidate for de-duplication based on at least one data file characteristic. The method may also include creating a filekey based on at least a portion of the content of the at least one data file, and transmitting the filekey to a database query handler associated with a database to determine if the file has been de-duplicated.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: June 9, 2015
    Assignee: KASEYA LIMITED
    Inventor: Charles Bosson
  • Patent number: 9049012
    Abstract: According to an embodiment, a communication apparatus includes a finding unit; a negotiating unit; and a communicating unit. The finding unit is configured to, in response to a request from an application that makes use of key information, find out a key generating device that generates the key information. The negotiating unit is configured to perform a negotiation operation with respect to the key generating device to determine conditions for key information that is to be generated. The communicating unit is configured to receive, from the key generating device, the key information that is generated based on the conditions determined in the negotiation operation, and send the received key information to the application.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: June 2, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinichi Baba, Yoshimichi Tanizawa, Hideaki Sato
  • Patent number: 9049241
    Abstract: A system discovers peer nodes in a failover system, establishes a secure channel between at least two of the peer nodes, and exchanges state information over the secure channel.
    Type: Grant
    Filed: April 2, 2013
    Date of Patent: June 2, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Atul Narendra Trivedi, Steven A Malmskog
  • Patent number: 9027156
    Abstract: A transmission apparatus capable of transmitting a first content stored in a first storage area to a receiving apparatus includes a determination unit configured to determine whether the receiving apparatus has authority to access a second storage area storing a second content associated with the first content, a storage unit configured to store the second content in a third storage area different from the second storage area in a case where the receiving apparatus does not have authority to access the second storage area, and a transmission unit configured to transmit to the receiving apparatus access information for accessing the third storage area storing the second content by the storage unit.
    Type: Grant
    Filed: January 29, 2013
    Date of Patent: May 5, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shingo Iwasaki