Abstract: Embodiments of a cryptographic key management system for cached data that efficiently re-encrypts cached data encrypted with a compromised encryption key by receiving a request to access a cached data block encrypted with an original encryption key. Upon determining that the original encryption key is compromised or destroyed, thus resulting in the requested data block being invalid, evicting the requested data block from the cache storing the cached data. The data block is re-encrypted using a new encryption key upon receipt of a new request to access the cached data. Any remaining cached data encrypted with the original encryption key is evicted from the cache through a defined cache eviction policy.

Abstract: A computer implemented method of access control for a user device having at least one component for determining behaviors of the user. The method including accessing a first machine learning classifier trained based on at least one prior behavior of the user using the device, the classifier classifying user behavior as compliant or non-compliant. The method further including, in response to a determination that a subsequent behavior is classified as non-compliant, accessing a second machine learning classifier trained based on at least one prior behavior of the user using the device where the prior behavior is classified as non-compliant by the first classifier. The method further including, in response to a determination that the subsequent behavior is classified as non-compliant by the second classifier, requesting a credential-based authentication of the user and constructively training one of the machine learning classifiers based on the credential-based authentication result.

Abstract: The present disclosure relates to a system and method for monitoring system calls to an operating system kernel. A performance monitoring unit is used to monitor system calls and to gather information about each system call. The information is gathered upon interrupting the system call and can include system call type, parameters, and information about the calling thread/process, in order to determine whether the system call was generated by malicious software code. Potentially malicious software code is nullified by a malicious code counter-attack module.

Abstract: In an aspect, a network supporting client devices includes one or more network nodes implementing network functions. Such network functions enable a client device to apply a security context to communications with the network when the client device is not in a connected mode. The client device obtains a user plane key shared with a user plane network function implemented at a first network node and/or a control plane key shared with a control plane network function implemented at a second network node. The client device protects a data packet with the user plane key or a control packet with the control plane key. The data packet includes first destination information indicating the first network node and the control packet includes second destination information indicating the second network node. The client device transmits the data packet or control packet.

Abstract: In one embodiment, a method includes receiving, by a WebAuthn proxy, login prompt information from a browser. The WebAuthn proxy and the browser are installed on a device. The method also includes generating, by the WebAuthn proxy, a WebAuthn credential request based on the login prompt information and communicating, by the WebAuthn proxy, the WebAuthn credential request to a WebAuthn authenticator. The method further includes receiving, by the WebAuthn proxy, a WebAuthn response from the WebAuthn authenticator and communicating, by the WebAuthn proxy, the WebAuthn response to the browser.

Abstract: Detection of phishing messages in network communications is performed by receiving a transmitted message and detecting characteristics of the message. A determination is made if the message matches a pattern of a phishing message in a database, and classifies the message as a phishing or spam message accordingly. If the message does not match a known phishing message pattern, the message is checked for common signs of phishing or spam by determining the severity of a threat embodied by the message, and the message is categorized as having phishing characteristics and according to the severity of threat. In response the user responses to determinations of threats, criteria for detection of phishing characteristics is adjusted, thereby automatically revising criteria for future decisions as to whether the message represents suspected phishing.

Abstract: A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.

Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.

Abstract: A multifunction peripheral (MFP) includes user selectable functions that call home applications on the device that direct it to work cooperatively with cloud service providers. To avoid requiring users to login to each cloud service each time they use it, they are registered with an authorization server to establish and grant identity and authorization tokens. When a user logs in to an MFP, they are redirected to login to the authorization server which then sends tokens to the MFP identifying the user and their permissions and licenses. Home applications associated by the tokens are displayed for selection. Each time a home application using a cloud service is selected, a background application sends the user's session tokens with a service request to an associated cloud service resource server. The resource servers processes authenticated requests and return the result to the MFP which completes the selected home application function.

Abstract: Methods, apparatus, systems and articles of manufacture (e.g., physical storage media) for software defined silicon guardianship are disclosed.

Abstract: Apparatus and methods disclosed herein provide technical solutions improving the security of email messages. An email message may be encrypted so that a predetermined passcode is not required to access the email message. Apparatus and methods may route email messages through a remote portal. The email message may only be transmitted to the recipient via the portal. In some instances, the contents of an email message may not be transmitted from the portal to the recipient. Rather, the recipient may only access the email message from within the portal. Such restricted access may be preferably less complex because the recipient's computer terminal may automatically connect to the portal.

Abstract: Apparatus and methods for reverse identification and authentication are provided. The apparatus and methods may include a server receiving a request from a user device to authenticate an entity, forming a communication channel between the entity and the user device, requesting the entity provide authentication credentials, and authenticating the entity. When the entity is authenticated, the server may notify the user through the authentication channel, a mobile device application, or another method. An entity may proactively authenticate itself to a user through the central server, in anticipation of a communication between the entity and user.

Abstract: A telecommunications network server system provides a digital identifier to a user device. The digital identifier may include identification data corresponding to a user of the user device. In addition, the telecommunications network server system receives, from one or more third-party systems, requests to authenticate the user for an electronic transaction with the respective third-party system. The telecommunications network server system provides a unique electronic transaction code to each third-party system. Responsive to receiving from the user device one of the unique electronic transaction codes, the telecommunications network server system provides, to the respective third-party system, authentication of the user.

Abstract: Provided are methods and apparatuses for hardening a communication device, which methods and apparatuses make it possible to identify a use of at least one port, by which port a request is submitted to the communication device by a message, and to output a signal for blocking the at least one port if, after a specifiable time period, either the use of the port in question is detected as low or no use of the port in question is detected. Embodiments can be used to harden communication devices in a production line, in a hospital and/or in a power supply network.

Abstract: Techniques for distributed offload leveraging different offload devices are disclosed. In some embodiments, a system, process, and/or computer program product for distributed offload leveraging different offload devices includes receiving a flow at a firewall of a security service (e.g., a cloud-based security service); inspecting the flow at the firewall to determine meta information associated with the flow; and offloading the flow to an offload entity (e.g., a SmartNIC, software executed on a Network Interface Card (NIC), and/or a network device, such as a network router and/or network switch) based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy.

Abstract: Disclosed herein is an identity network that provides a universal, digital identity for users to be authenticated by an identity provider for relying parties upon sign-in to the relying party. The identity network receives the sign-in request from a relying party for a user using a user device. The identity network can provide a session identifier to the relying party for the request and launch an identity provider application associated with the user via a software development kit in the relying party application. The user may sign-in to the identity provider via the software development kit, thereby authenticating the user for the relying party. Additionally, the identity provider may generate a risk validation score and provide it to the relying party that provides a confidence value that the user is validly using the user device and a risk score based on device activity on the identity network.

Abstract: Systems, methods, and software products provide increased trust in authentication of a user to an authentication server when a trusted witness client device witnesses the authentication of the user on the user's root client device. Both the root and the witness client devices cooperate to present the user with an interactive task during the authentications and each client device independently captures movement of the user performing the interactive task, during which, the user is authenticated to the root client device. An increased level of trust in the authentication of the user is achieved by the authentication server when the captured movements match expected movements of the user performing the interactive task and the authentication server has proof that the witness client devices witnessed a successful authentication.

Abstract: A system for data security includes a processor and a computer-readable storage medium having instructions stored thereon that cause the processor to perform operations including: (i) logging data access events initiated by a user; (ii) generating a user profile of the user, the user profile including a size and a type of data accessed by each data access event; (iii) receiving a new data access event initiated by the user including a size and a type of data requested by the new data access event; (iv) comparing the size and the type of the requested data of the new data access event to the user profile; (v) determining that the new data access event initiated by the user does not correspond to the data included in the user profile; (vi) restricting the requested data associated with the new data access event; and (vii) transmitting the restricted data to the user.

Abstract: An electronic message analysis and marking system comprising: a gateway computer system in communications with a message transport system adapted to receive an original incoming electronic message from a sender message system prior to the original incoming electronic message extending into a perimeter of a recipient message system, analyze the original incoming electronic message according to a set of warning criteria, and modify the original incoming electronic message to provide a modified incoming electronic message; and, a gatekeep service in communications with the gateway computer system and a recipient's computer service wherein the gatekeeper service is adapted to receive the modified incoming electronic message, retrieve a trigger from the modified incoming electronic message and perform one or more actions according to the trigger.

Abstract: An information processing device includes an element extraction unit that extracts elements relating to actions of an attacker from each input log, a generation unit that generates a parser based on definition information defining the actions of the attacker in a formal grammar, the parser detecting, from a log, a log string having a feature corresponding to an action defined by the definition information, a parsing unit that detects, from a log consisting of the elements extracted by the element extraction unit, log strings having features corresponding to the actions defined by the definition information by using the parser, and a reconstruction unit that reconstructs the log strings detected by the parsing unit, adds a label indicating an action defined by the definition information to each of the reconstructed log strings, and outputs the labeled log strings as a log corresponding to a series of actions of the attacker.