Patents Examined by Jacob Lipman
  • Patent number: 10681007
    Abstract: Fast string search and matching is critical for many security tasks in particular if these have “gate functionality” for instance as found in access control applications, firewalls, routers, and load balancers. The fast matching of strings is essential to impose and enforce access control policies without creating bottlenecks. Firewalls protect networks by monitoring the traffic crossing the network perimeter. The number of packet matching rules firewalls can effectively handle is limited by the matching time and space complexity of the algorithms employed. A new approach implements matching independent of the number of rules and linear in the length of the rule to be matched. A data structure used in this approach is referred to as a “Bipartite Concatenated Representation” (BCR). The space complexity of the BCR within this application scenario scales as O(N log2 N) where N is the number of rules.
    Type: Grant
    Filed: November 29, 2017
    Date of Patent: June 9, 2020
    Assignee: Konvax Corporation
    Inventors: Maurizio Talamo, Franco Arcieri, Christian H. Schunck, Armanas Povilionis
  • Patent number: 10645578
    Abstract: A method for configuring a mobile terminal to control vehicle functions of a vehicle, where the mobile terminal and the vehicle each have a short-range radio system, includes receiving a request to a server to issue a vehicle key for the use of vehicle functions of the vehicle for a mobile terminal. The method also includes generating the vehicle key by the server, transmitting the vehicle key to a secure element of the mobile terminal, and storing the vehicle key in the secure element of the mobile terminal.
    Type: Grant
    Filed: August 22, 2017
    Date of Patent: May 5, 2020
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Hans Auer
  • Patent number: 10642989
    Abstract: A method for masking content to be displayed on the electronic device is provided. The method includes receiving, by a processor in the electronic device, the content to be displayed on the electronic device, determining, by the processor, that at least one portion of the content is objectionable content based on a semantic signature of a content filter, and masking, by the processor, the at least one portion of the content displayed on the electronic device based on the detection.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: May 5, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sailesh Kumar Sathish, Vinod Keshav Seetharamu
  • Patent number: 10628572
    Abstract: A computer and data protection system includes a peripheral sharing device that is communicatively linked to an onboard internet server and a separate user computer. The onboard internet server is connected to a first communication port for communicating with the separate user computer, and a second communication port for communicating over the internet. A switch selectively transitions the system between a protected operating mode wherein the second communication port is disabled or disconnected, and an open operating mode wherein the first communication port is disabled or disconnected. The system includes an authentication unit having an input/output device for communicating with a removable key. The authentication unit functions to provide system access only upon successful comparison of a user password that is stored on the physical key with a corresponding user password that is stored in the authentication unit.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: April 21, 2020
    Inventor: Venkatachalam Garimella
  • Patent number: 10630490
    Abstract: A secure element (SE) with a notion of time useful for checking secure items is disclosed herein. Methods of obtaining time information by the SE include push, pull, opportunistic, local interface, and multi-check methods. Time information can be obtained from a root certification authority (CA) and one or more subordinate CAs, which are associated with and subordinate to the root CA. The SE uses the time information for time management of time values stored in the SE. The SE also uses the time information in cooperation with certificate revocation lists (CRLs) and/or online certificate status protocol (OCSP) stapling procedures.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: April 21, 2020
    Assignee: Apple Inc.
    Inventor: Xiangying Yang
  • Patent number: 10621326
    Abstract: An identity authentication method is provided, including: obtaining a virtual-resource data processing request sent by a mobile terminal, the virtual-resource data processing request carrying a prestored digital fingerprint, and the digital fingerprint being generated by using device information and user information; performing virtual-resource data processing authentication on the virtual-resource data processing request according to a pre-established user value transfer behavior model; after virtual-resource data processing authentication succeeds, generating a value transfer token according to the digital fingerprint, and returning the value transfer token to the mobile terminal; receiving a value transfer request sent by the mobile terminal, the value transfer request carrying the value transfer token; and checking whether the value transfer token is valid, if the value transfer token is valid, identity authentication succeeding; otherwise, identity authentication failing.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: April 14, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Dongpo Bao, Huan Jin, Songjian Wang, Jianwei Deng, Yin Li, Ruizhou Wu, Cheng Yang
  • Patent number: 10616193
    Abstract: Systems, methods, and software can be used to process a resource request. In some aspects, a method, comprising: transmitting, from a mobile device, an encrypted request to a proxy server, wherein the encrypted request comprises a Hypertext Transfer Protocol (HTTP) request, the HTTP request is addressed to an application server that provides service to an application on the mobile device, and the encrypted request is encrypted using an application-specific credential that is associated with the application; and receiving, at the mobile device, an encrypted response in response to the encrypted request, wherein the encrypted response comprises an HTTP response generated by the application server.
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: April 7, 2020
    Assignee: BlackBerry Limited
    Inventors: Siavash James Joorabchian Hawkins, Ian Harvey, Mark Wooding
  • Patent number: 10616697
    Abstract: A hearing instrument includes: a radio for reception of a broadcasted signal having a message, at least a part of the message has been encrypted with a first key, wherein the first key has been encrypted with a second key; an authenticator configured for authentication of the message by decrypting the first key with a third key, and decrypting the at least a part of the message with the first key; and a processing unit for converting the message into an acoustic signal for transmission towards an eardrum of a user of the hearing instrument.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: April 7, 2020
    Assignee: GN RESOUND A/S
    Inventor: Brian Dam Pedersen
  • Patent number: 10601800
    Abstract: A computer-implemented method is provided for authenticating an identity of a user requesting access to a computerized resource via a client computing device. The method includes receiving, by the client computing device, a request to authenticate the identity of the user, determining, by the client computing device, a time period of the request, determining, by the client computing device, an approximate geolocation of the user, and determining, by the client computing device, one or more network characteristics associated with a current network of the client computing device. The method further includes transmitting, by the client computing device to an authentication device, authentication data including the request, the time period of the request, the approximate geolocation of the user and the one or more network characteristics.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: March 24, 2020
    Assignee: FMR LLC
    Inventors: Jason Kao, Erkang Zheng
  • Patent number: 10601816
    Abstract: A user-promotion process allows a service provider to grant the security roles associated with a target user account to a requester by obtaining approvals from a quorum of approving users. The quorum requirements and the identity of the approving users may be established by the target user or an account manager. Upon receiving, from a promotion candidate, a request to assume security roles of a target user, the service provider identifies the approving users from the target user's account record. Approvals are requested from the approving users, and if a quorum of approvals is received by the service provider, the promotion candidate is allowed to assume the roles of the target user. If a quorum of approvals is not received, then substitute approving users may be identified based at least in part on those approving users that did not respond to the approval request.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: March 24, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Thomas Charles Stickle, Robert Eric Fitzgerald
  • Patent number: 10594708
    Abstract: Systems and methods for optimizing system resources by selectively enabling various scanning functions of a network security device are provided. According to one embodiment, information specifying a set of reputable websites deemed to be trustworthy by one or more web filtering services is received by a network security device protecting a private network. One or more directives are received by the network security device from a network administrator via a GUI of the network security device identifying one or more security features that are to be disabled for the set of reputable websites. Network traffic is intercepted by the network security device from an external network. When it is determined by the network security device that the external network is among the set of reputable websites, the network security device foregoes application of the one or more identified security features to the network traffic.
    Type: Grant
    Filed: April 12, 2018
    Date of Patent: March 17, 2020
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 10587652
    Abstract: A method, computer program product and system for generating false data for suspicious users. A suspicious user is identified. Actions of the user are then tracked. The user attempting to access sensitive information is detected. Relevant false sensitive information corresponding to the sensitive information is then detected. The relevant false sensitive information is then mapped to the sensitive information. The relevant false sensitive information is provided to the suspicious user. In response to user input, at least one command is executed, where the at least one command includes the relevant false sensitive information and not the sensitive information.
    Type: Grant
    Filed: November 29, 2017
    Date of Patent: March 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Shlomit Avrahami, Yoav Ben-Yair, Gil Fuchs, Itai Gordon, Ilan D. Prager
  • Patent number: 10587416
    Abstract: A computer data security system, useful in protecting audit logs, includes symmetric key based techniques, requires only a small-constant number of cryptographic hash operations at the signer side sending a prospective audit log or other computer record data to a primary repository to achieve forward-secure and append-only authentication. The verification is performed by independent parties sharing parts of the symmetric key, wherein the presence of single honest party among all verifier parties ensures a conditional non-repudiation. It also ensures that an active adversary cannot generate authentication tags on behalf of the signer, unless it compromises all verification parties.
    Type: Grant
    Filed: December 1, 2018
    Date of Patent: March 10, 2020
    Assignee: University of South Florida
    Inventor: Attila Altay Yavuz
  • Patent number: 10567341
    Abstract: An information processing apparatus that makes it possible to avoid useless processing for registering an event which cannot be received. The information processing apparatus has a personal firewall function and receives an event registered concerning a network service. It is determined whether or not a reception address for receiving an event is a reception restriction target at which reception is rejected by the personal firewall. In a case where it is determined that the reception address is a reception restriction target before making a request to be registered as a recipient of an event, the registration is caused to fail without transmitting the request.
    Type: Grant
    Filed: January 17, 2017
    Date of Patent: February 18, 2020
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Shinichi Uchikawa
  • Patent number: 10554626
    Abstract: A method of filtering authenticated synthetic transactions comprises receiving over a network, at a server providing a first networked application, a plurality of requests for the first networked application, wherein the plurality of requests includes a first synthetic transaction. The method further comprises analyzing a respective header of each of the plurality of requests; identifying a synthetic token in the respective header of the first synthetic transaction in response to analyzing the respective header of each of the plurality of requests; determining that the identified synthetic token corresponds to the first networked application; and bypassing usage monitoring for the first synthetic transaction in response to determining that the identified synthetic token corresponds to the first networked application.
    Type: Grant
    Filed: November 29, 2017
    Date of Patent: February 4, 2020
    Assignee: International Business Machines Corporation
    Inventors: Mark N. Weatherill, Andrew J. Bailey, Randy George
  • Patent number: 10554680
    Abstract: A first collection including an analytical feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by crossing over at least one of vectors of the second collection with a corresponding vector of a fourth collection, migrating at least one of the vectors of the second collection with a corresponding vector of a fifth collection. Using a forecasting configuration, an analytical feature vector of the third collection is aged to generate a changed analytical feature vector containing analytical feature values expected at a future time. The changed analytical feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.
    Type: Grant
    Filed: March 7, 2018
    Date of Patent: February 4, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mohamed N. Ahmed, Aaron K. Baughman, John F. Behnken, Mauro Marzorati
  • Patent number: 10554388
    Abstract: After receiving a qualification acquisition request sent by an end-user device, a service platform can return a block generation rule to the end-user device, instead of returning the block generation rule only when a predetermined moment arrives. Even if the end-user device sends the qualification acquisition request to the service platform before the predetermined moment, the service platform still returns the block generation rule. The service platform can separate, in terms of time, users who participate in obtaining service qualification, so that some users can obtain the block generation rule before the predetermined moment, and then participate in a service based on the obtained block generation rule when the predetermined moment arrives. Access pressure faced by the service platform when the predetermined moment arrives is relieved, and normal running of the service platform after the predetermined moment arrives is ensured.
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: February 4, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Qiang Tang
  • Patent number: 10554416
    Abstract: A computer data security system, useful in protecting audit logs, includes symmetric key based techniques, requires only a small-constant number of cryptographic hash operations at the signer side sending a prospective audit log or other computer record data to a primary repository to achieve forward-secure and append-only authentication. The verification is performed by independent parties sharing parts of the symmetric key, wherein the presence of single honest party among all verifier parties ensures a conditional non-repudiation. It also ensures that an active adversary cannot generate authentication tags on behalf of the signer, unless it compromises all verification parties.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: February 4, 2020
    Assignee: University of South Florida
    Inventor: Attila Altay Yavuz
  • Patent number: 10547624
    Abstract: When a security authentication request sent by a terminal is received, an identity authentication solution includes acquiring network environment information and user behavior data according to the security authentication request, then determining, according to the network environment information and the user behavior data, whether a current operation is a machine attack, and acquiring a CAPTCHA of a predetermined type according to a predetermined policy and delivering the CAPTCHA to the terminal if the current operation is a machine attack, to perform identity authentication, or determining that security authentication succeeds if the current operation is not a machine attack.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: January 28, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Tang Yan Ping, Zhang Yan Ling, Wang Yu Ye, Gong Ling, Huang Jia Qi, Wei Ren Jia
  • Patent number: 10546130
    Abstract: A Timed Attestation Process (TAP) utilizes a CPU bus cycle counter/timer to accurately measure the time needed to calculate a specific function value for an attestation query in an embedded system. The attestation query takes into account embedded software and the hardware data path. An attestation value database stores the unique timing and function data associated with each hardware design element in the embedded device, which each have unique timing characteristics. By utilizing the CPU bus cycle counter/timer of the client device, the TAP increases the time accuracy to the smallest tolerance possible relative to a particular CPU (typically +/- one instruction cycle). The integrity of the embedded software contained in the permanent storage elements and the hardware timing to access each component is verifiable against the unique timing characteristics stored in the database. With this timing characteristic, each hardware element is linked to a specific software configuration.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: January 28, 2020
    Assignee: United States of America as represented by the Secretary of the Air Force
    Inventor: Richard R Chaney