Patents Examined by Jahangir Kabir
  • Patent number: 10554387
    Abstract: A flexible AES instruction for a general purpose processor is provided that performs AES encryption or decryption using n rounds, where n includes the standard AES set of rounds {10, 12, 14}. A parameter is provided to allow the type of AES round to be selected, that is, whether it is a “last round”. In addition to standard AES, the flexible AES instruction allows an AES-like cipher with 20 rounds to be specified or a “one round” pass.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: February 4, 2020
    Assignee: Intel Corporation
    Inventors: Shay Gueron, Wajdi K. Feghali, Vinodh Gopal
  • Patent number: 10542001
    Abstract: Techniques for content item instance access control are described herein. A computing service provider may host execution of a plurality of instances of an interactive content item, such as a video game. Each content item instance may be accessible to a respective set of one or more authorized clients that are associated with the respective content item instance and that are authorized to access the respective content item instance. Additionally, in one embodiment, each content item instance may be inaccessible to one or more unauthorized clients, such as clients that are not associated with the respective content item instance and that are not included in the set of authorized clients. By limiting access to a content item instance to authorized clients, the content item instance may be protected from malicious users, such as hackers, DoS and DDoS attackers, and other malicious users.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: January 21, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Hok Peng Leung, Bradley Heath
  • Patent number: 10541818
    Abstract: A method and system for decentralized biometric signing of a digital contract. A digital identity including a private key is created. The private key was encrypted on a mobile device via use of captured biometric data. A digital hash of the digital contract is generated. A user using biometric data is authenticated. Usage of the biometric data is authorized. Responsive to the usage of the biometric data being authorized, the encrypted private key is decrypted. The digital hash is signed with the decrypted private key. The signed digital hash is stored in a blockchain.
    Type: Grant
    Filed: April 19, 2017
    Date of Patent: January 21, 2020
    Assignee: International Business Machines Corporation
    Inventors: Anthony M. Butler, Ghada Dulaim, Victor Usobiaga
  • Patent number: 10536281
    Abstract: A magnetic random access memory (MRAM) physically unclonable function (PUF) device that uses the geometric variations in magnetic memory cells to generate a random PUF response is described herein. Within the MRAM, one or more magnetic memory cells can be used for the PUF. The PUF response is generated by destabilizing the one or more magnetic memory cells and then allowing them to relax. The MRAM PUF has also a relatively small footprint among all other silicon PUFs. Timing and control signals for the MRAM PUF are also described along with power and delay characteristics for use with field and spin transfer torque driven destabilization operations.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: January 14, 2020
    Assignee: University of South Florida
    Inventors: Jayita Das, Kevin P. Scott, Drew H. Burgett, Srinath Rajaram, Sanjukta Bhanja
  • Patent number: 10530765
    Abstract: A computer program product having a computer readable non-transitory storage medium. The storage medium having encoded thereon a computer code for instructing at least one hardware processor to automatically: (a) intercept a plurality of data packets transported over a computer network; (b) analyze said plurality of data packets to identify at least one secure connection request to an unsecure domain hosted on at least one web server; (c) retrieve a digital security certificate for the unsecure domain from a trusted certification authority; (d) associate the digital security certificate with the unsecure domain, thereby converting the unsecure domain to a secure domain; (e) send the digital security certificate to at least one second client terminal. Thereby the computer program product facilitates a secure connection between the at least one second client terminal and the secure domain.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: January 7, 2020
    Assignee: Team Internet AG
    Inventors: Robert Schmalholz, Mario Witte, Benjamin Schwenk
  • Patent number: 10511617
    Abstract: The present application discloses a method and a system for detecting malicious code. The method comprises receiving a testing sample; testing the sample with a plurality of malicious code detectors to obtain a plurality of testing results; determining a credibility scale and a reputation value of each of the testing results, wherein the credibility scale indicates whether the testing result is malicious or safe, and the reputation value indicates a quantified trust level corresponding to the credibility scale; and determining a final detection result of the testing sample based on the determined credibility scales and the reputation values of the testing results. According to the technical solution of the present application, the testing results obtained from various malicious code detectors are rationally utilized to improve the testing accuracy for the malicious code.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: December 17, 2019
    Assignee: IYUNTIAN CO., LTD.
    Inventors: Rongxin Zou, Yinming Mei, Jun Yao
  • Patent number: 10509476
    Abstract: Techniques described herein may allow for an enhanced authentication of a user of a user device, such as a mobile telephone. Some such techniques may be applicable when transitioning the user device from a locked state to an unlocked state. The user device may determine an orientation associated with the user device (e.g., a magnetic declination, which may be expressed in terms of degrees from north), and may output the direction to an authentication server. The authentication server may determine whether the orientation matches a previously stored orientation, and may indicate to the user device whether the user device should activate a public mode or a private mode. The authentication server may also notify one or more application servers regarding the mode of the user device. In private mode, the presenting, sending, or receiving of certain types of data (e.g., sensitive data) may be restricted.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: December 17, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Viraj C. Mantri, Shivaramakrishna Nyshadham, Prateek Mehrotra, Vishal Bhasin
  • Patent number: 10505960
    Abstract: One embodiment provides a method comprising, in a training phase, receiving one or more malware samples, extracting multi-aspect features of malicious behaviors triggered by the malware samples, determining evolution patterns of the malware samples based on the multi-aspect features, and predicting mutations of the malware samples based on the evolution patterns. Another embodiment provides a method comprising, in a testing phase, receiving a new mobile application, extracting a first set of multi-aspect features for the new mobile application using a learned feature model, and determining whether the new mobile application is a mutation of a malicious application using a learned classification model and the first set of multi-aspect features.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: December 10, 2019
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Deguang Kong, Wei Yang, Hongxia Jin
  • Patent number: 10505957
    Abstract: One or more computing devices, systems, and/or methods for verifying a user of a service are provided. That is, the service (e.g., a social network, an email service, a website, etc.) may attempt to verify that a user is an owner of an account with the service by sending a verification code to a device registered by the user with the service, such as through a text message. Because the service may be hosted across multiple data centers for resiliency against failure, the verification code and a verification attempt counter may be stored within a particular data store. An identification of the data store may be encoded into the verification code. In this way, the verification code may be sent to the device, such that when the user submits the verification code back to the service, the verification code is routed to the correct data store for verification.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: December 10, 2019
    Assignee: Oath Inc.
    Inventors: Atte Tapio Lahtiranta, Matti Juhani Oikarinen
  • Patent number: 10484350
    Abstract: Concepts and technologies disclosed herein are directed to privacy-preserving location corroborations. According to one aspect, a localized corroborator system can receive a message digest from a user device. The message digest can be generated by the user device using a cryptographic hash function based upon bitwise XOR of a user identifier and a location proof identifier. The location proof identifier can uniquely identify a location proof to be created by the system. The system can concatenate a corroborator identifier, a location, a time, and the message digest to create a concatenated message. The system can sign the concatenated message using a private key to create the location proof and can send the corroborator identifier and the location proof to the user device. The user device can use the location proof to prove that the user was located at the location at the time.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: November 19, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Yaron Kanza
  • Patent number: 10484168
    Abstract: Aspects of the present invention provide systems and methods that facilitate computations that are publicly defined while assuring the confidentiality of the input data provided, the generated output data, or both using homomorphic encryption on the contents of the secure distributed transaction ledger. Full homomorphic encryption schemes protect data while still enabling programs to accept it as input. In embodiments, using a homomorphic encryption data input into a secure distributed transaction ledger allows a consumer to employ highly motivated entities with excess compute capability to perform calculations on the consumer's behalf while assuring data confidentiality, correctness, and integrity as it propagates through the network.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: November 19, 2019
    Assignee: DELL PRODUCTS L.P.
    Inventors: Daniel A. Ford, Irwin O. Reyes, Rajesh Narayanan
  • Patent number: 10462109
    Abstract: A data transfer process can include multiple verification features usable by a “source” device to ensure that a “destination” device is authorized to receive a requested data object. The source device and destination device can communicate via a first communication channel (which can be on a wide-area network) to exchange public keys, then use the public keys to verify their identities and establish a secure session on a second communication channel (which can be a local channel). The data object can be transferred via the secure session. Prior to sending the data object, the source device can perform secondary verification operations (in addition to the key exchange) to confirm the identity of the second device and/or the locality of the connection on the second communication channel.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: October 29, 2019
    Assignee: Apple Inc.
    Inventors: Arun G. Mathias, Thomas A. Dilligan, Matthew C. Lucas, Anush G. Nadathur, Kevin P. McLaughlin
  • Patent number: 10454941
    Abstract: A system for configuring and executing a secure communication network for authorizing access to safeguarded resources is provided. In particular, the system uses person-to-person (P2P) authentication technology to securely transmit resources between users. In this way, an efficient way for users to manage resources is provided.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: October 22, 2019
    Assignee: Bank of America Corporation
    Inventors: Katherine Dintenfass, Elizabeth S. Votaw, Cameron Darnell Wadley
  • Patent number: 10447709
    Abstract: A reconnaissance and assessment (RA) tool can receive base information about the network, such as basic network information and details about an entity and personnel associated with the network. The RA tool can utilize the base information to perform reconnaissance procedures on the network to identify the attack surface of the network. The RA tool can perform reconnaissance on the network itself and on other external sources, such as third party databases, search engines, and partner networks. Once the attack surface is identified, the RA tool can automatically perform appropriate security assessments on the attack surface. Additionally, if additional information is determined about the network during the security assessments, the RA tool can perform additional reconnaissance and security assessments based on the additional information.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: October 15, 2019
    Assignee: Rapid7, Inc.
    Inventors: Anastasios Giakouminakis, Chad Loder, Richard Li
  • Patent number: 10432658
    Abstract: Computer-implemented systems, methods, and computer-readable media are provided for causing an action to be performed in response to a network communication, such as a malicious network communication. In accordance with some embodiments, a first network communication sent from a client device is received, and a protocol used in the first network communication is determined. Once the protocol is determined, the protocol may be implemented to enable a second network communication with the client device. An action to be performed based at least in part on the protocol may be identified, and an instruction may be sent to the client device in the second network communication.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: October 1, 2019
    Assignee: WATCHGUARD TECHNOLOGIES, INC.
    Inventors: Gregory Thomas Back, Patrick Michael Cloke, Stephen Ralph Dicato, Jr., Daniel Eugenio Espinal, Todd Aaron O'Boyle, John Sheldon Serafini
  • Patent number: 10432670
    Abstract: The present disclosure describes systems and methods for reducing rule set sizes via statistical redistribution throughout a plurality of network security appliances. A rule set may be generated for each security appliance that includes (i) a first set of rules based on known attacks, identified as rules for mandatory inclusion in the rule set; and (ii) a subset of the second set of rules, identified as rules for potential inclusion in the rule set, selected randomly according to a distribution percentage, score, or weight for each potentially included rule. Higher scored rules, which may be more likely vectors for potential attack, may be distributed to a greater number of appliances; while lower scored rules that may be less likely or represent more speculative attacks may be distributed to fewer appliances.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: October 1, 2019
    Assignee: Fortress Cyber Security, LLC
    Inventor: Dejan Nenov
  • Patent number: 10425448
    Abstract: The present disclosure generally relates to the field of network authentication. More specifically, the present disclosure relates to a technique of determining a set of authentication protocols for authentication between a terminal and an authentication server of a communication network. A method embodiment includes obtaining information related to at least one of the terminal, an access network via which the terminal is connected to the communication network, and at least one gateway node or intermediate network via which the terminal is connected to the communication network. The method further includes determining, based on the obtained information, from a plurality of authentication protocols available for authentication between the terminal and the authentication server, at least one of a set of authentication protocols to be offered towards the terminal and a set of authentication protocols to be supported by the terminal for authentication between the terminal and the authentication server.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: September 24, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: John Tevlin
  • Patent number: 10395042
    Abstract: A centralized framework for managing the data encryption of resources is disclosed. A data encryption service is disclosed that provides various services related to the management of the data encryption of resources. The services may include managing application policies, cryptographic policies, and encryption objects related to applications. The encryption objects may include encryption keys and certificates used to secure the resources. In an embodiment, the data encryption service may be included or implemented in a cloud computing environment and may provide a centralized framework for effectively managing the data encryption requirements of various applications hosted or provided by different customer systems. The disclosed data encryption service may provide monitoring and alert services related to encryption objects managed by the data encryption service and transmit the alerts related to the encryption objects via various communication channels.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: August 27, 2019
    Assignee: Oracle International Corporation
    Inventors: Amit Agarwal, Srikant Krishnapuram Tirumalai, Krishnakumar Sriramadhesikan
  • Patent number: 10397195
    Abstract: A method for shared key generation with authentication in a gateway node includes generating a first set of pseudo-random data corresponding to expected transmissions from a first node that communicates with a second node through a shared communication medium, identifying, with the gateway node, bits transmitted from the second node based on signals received by the gateway node corresponding to simultaneous transmissions from the first node and the second node, identifying, with the gateway node, expected bit values for the bits from the second node based on a combination of shared secret data stored in a memory of the gateway node with another set of random or pseudo-random data generated by the second node, and authenticating the second node in response to the plurality of bits transmitted from the second node matching the plurality of expected bit values.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: August 27, 2019
    Assignee: Robert Bosch GmbH
    Inventors: Shalabh Jain, Jorge Guajardo Merchan, Xinxin Fan
  • Patent number: 10397267
    Abstract: A computer-implemented method, computer program product and computing system for importing threat data from a plurality of threat data sources, thus generating a plurality of raw threat data definitions. The plurality of raw threat data definitions are processed, thus generating a plurality of processed threat data definitions. The plurality of processed threat data definitions are processed to form a master threat data definition. The master threat data definition is provided to one or more client electronic devices.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: August 27, 2019
    Assignee: ReliaQuest Holdings, LLC
    Inventors: Brian P. Murphy, Joe Partlow