Patents Examined by James Turchen
  • Patent number: 9154492
    Abstract: A method, in a server, implementing a moving target defense against cross-site scripting includes receiving a request for a web page, wherein the server has N versions of the web page each with a mutated version of JavaScript; selecting a web page of the N versions; and sending an indication of the mutated version of JavaScript associated with the web page in response to the request. Another method, in a client device, using a moving target defense against cross-site scripting includes requesting a web page; receiving an indication of a mutated version of JavaScript for the web page; and adjusting a JavaScript interpreter based on the mutated version of JavaScript for the web page.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: October 6, 2015
    Assignee: The University of North Carolina at Charlotte
    Inventors: Bei-Tseng Chu, Joe Portner, Joel Kerr, Ehab Al-Shaer
  • Patent number: 9152789
    Abstract: A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: October 6, 2015
    Assignee: Zscaler, Inc.
    Inventors: Sriram Natarajan, Narinder Paul, Julien Sobrier, Karthikeyan Thamilarasu, Balakrishna Bayar, Michael Andrew William Sutton
  • Patent number: 9152579
    Abstract: The invention described herein generally relates to systems and methods of securely storing data so that the data contains information about the data and/or the encryption of the data, systems and methods of providing secure access to real world data through data transformations, and systems and methods of managing security parameters for data.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: October 6, 2015
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 9154476
    Abstract: Methods and arrangements in a WSAN Gateway (15), a WSAN Manager (16) and a WSAN sensor for attaching an additional sensor (39) to a WSAN (12) comprising at least one existing WSAN sensor (33). The additional sensor emits an indication of its private identity after insertion in the WSAN, and the indication is received by the existing sensors in the WSAN and forwarded to the WSAN Gateway, after an eligibility check. Thereafter, the WSAN Gateway sends an authentication request to the WSAN Manager, which computes an authentication vector and transmits to the WSAN Gateway for the authentication of the new sensor.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: October 6, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Vlasios Tsiatsis, Mattias Johansson
  • Patent number: 9154472
    Abstract: One embodiment of the present invention provides a system that improves security during web-browsing. During operation, the system can receive a URL from a user. Next, the system can determine an IP address for the URL by querying a DNS server. The system can then determine a public-key associated with the URL. Next, the system can encrypt a string using the public-key to obtain an encrypted-string. The system can then send the encrypted-string to a remote-system which is associated with the IP address. Next, the system can receive a response from the remote-system. The system can then determine whether the DNS server has been compromised using the string and the response. If the system determines that the DNS server has been compromised, the system can alert the user, and in doing so, improve security during web-browsing.
    Type: Grant
    Filed: July 12, 2006
    Date of Patent: October 6, 2015
    Assignee: INTUIT INC.
    Inventor: Matt E. Hart
  • Patent number: 9152791
    Abstract: Lists of keywords by type are collected that are associated with fake antivirus software. One or more rules are created including the keywords that likely indicate fake antivirus software. The keywords and rules are stored in a local database on a computer. Each executing process of a computer is scanned using the rules. A match indicates that the scanned process is likely fake antivirus software. A check is then performed to determine if the scanned process is actually legitimate antivirus software (using a digital certificate, a white list, or a call to a function). If the check fails a determination is made that the identified process is fake antivirus software. The process may then be displayed, cleaned, quarantined, or permanently removed from the computer. The cursor may be dragged into the window of an executing process in order to selectively scan that process only. Or, any number of executing processes may be selected to be scanned by the rules.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: October 6, 2015
    Assignee: Trend Micro Inc.
    Inventors: Ming-Chang Shih, Ping Ju Kuo, Shuang-Fu Han
  • Patent number: 9154310
    Abstract: A resilient device authentication system and method comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS). Also disclosed is a device comprising a controller, device memory, input/output capable of communicating with the authentication system, and a physically-unclonable function associated with hardware part-specific information corresponding to hardware part-specific data in the loaded CVS. Further disclosed is an authentication system including hardware security modules.
    Type: Grant
    Filed: July 21, 2013
    Date of Patent: October 6, 2015
    Assignee: SYPRIS ELECTRONICS, LLC
    Inventors: John J. Walsh, Michael J. Duren, Hal A. Aldridge
  • Patent number: 9152800
    Abstract: Mechanisms are provided for allowing pluggable encryption in an operating system. Modules such as proprietary cipher modules connect to a kernel cryptographic framework using cryptographic cipher adapters. Supported cryptographic ciphers as well as proprietary cryptographic ciphers can be used in a transparent manner during file system access, key management, and metadata maintenance operations. Proprietary cipher modules interact with the cryptographic cipher adapters as though the cryptographic cipher adapters are the kernel cryptographic framework. The kernel cryptographic framework interacts with the cryptographic cipher adapters as though the cryptographic cipher adapters are proprietary cipher modules.
    Type: Grant
    Filed: May 3, 2012
    Date of Patent: October 6, 2015
    Assignee: Dell Products L.P.
    Inventors: Geng Chen, Vadim Draluk, Francois Goldfain
  • Patent number: 9155114
    Abstract: This invention is directed to acquisition of a communication path for a mobile communication apparatus in a case of occurrence of communications beyond the capacity of a radio base station due to a communication trouble or the like. A communication relay apparatus comprises: a wireless connection unit that connects with a mobile communication apparatus via a wireless communication path; a wired connection unit that connects with a wired communication path; and an authentication unit that permits, based on a first authentication, the connection of the mobile communication apparatus to the wired communication path and that permits, based on the establishment of a second authentication, the said connection if the first authentication is not established and further if information for permitting the said connection has been registered.
    Type: Grant
    Filed: June 6, 2011
    Date of Patent: October 6, 2015
    Assignee: NEC CORPORATION
    Inventor: Katsuhiro Ochiai
  • Patent number: 9154302
    Abstract: A system and method of authenticated ID-based key exchange and remote login with insecure token and PIN number can provide an authenticated key agreement protocol based on an elliptic curve bilinear type-3 pairing. A server acts as an Authentication Service to Clients and a Trusted Authority (TA) issues identity based secret numbers to Clients and Authentication Services. Included in the system and method is the capability for the Client to split their secret number into two parts, a Client selected PIN number, and the larger number, the Token.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: October 6, 2015
    Assignee: CERTIVOX LTD.
    Inventors: Brian P. Spector, Michael Scott
  • Patent number: 9154478
    Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: October 6, 2015
    Assignee: Alcatel Lucent
    Inventors: Michael E. See, John W. Bailey, Charles L. Panza, Yuri Pikover, Geoffrey C. Stone, Michele Wright Goodwin, Robert Leon Sangroniz
  • Patent number: 9148285
    Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.
    Type: Grant
    Filed: January 21, 2013
    Date of Patent: September 29, 2015
    Assignee: International Business Machines Corporation
    Inventors: John Y-C. Chang, Ching-Yun Chao, Bertrand Be-Chung Chiu, Ki Hong Park
  • Patent number: 9148280
    Abstract: An approach is provided for the secure exchange of multimedia content through a mobile telephony device. A docking station receives a control signal from a media headset, and in response thereto determines to establish a communication link. The docking station selects one of a plurality of communication options corresponding to different networks based on the type of the communication link. The docking station initiates an authentication procedure for the communication link according to the selected communication option. Subsequent to successful authorization, the docking station receives multimedia content over the authenticated communication link, and transmits the received media signal to the media headset.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: September 29, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Paul T. Schultz
  • Patent number: 9148429
    Abstract: Techniques are shown for providing third-party applications access to user resources based on user actions and processes that provide the third-party applications with the correct security tokens. The scope of access granted in various implementations of the disclosure is all documents which the user has already opened with the third-party application.
    Type: Grant
    Filed: April 23, 2012
    Date of Patent: September 29, 2015
    Assignee: Google Inc.
    Inventors: Brian Lewis Cairns, Eric Benson Schoeffler, John Day Richter, Michael Jeffrey Procopio, Brian Edgar Eaton, Adam Wayne Besen, Robert Eugene Wyrick
  • Patent number: 9146669
    Abstract: A password processing method is provided. According to an embodiment, an object is displayed, and moved in at least one direction according to the user's motion. The password is processed in accordance with a combination of motions of the object in the at least one direction.
    Type: Grant
    Filed: September 2, 2010
    Date of Patent: September 29, 2015
    Assignee: BIZMODELINE CO., LTD.
    Inventors: Jae-Hyung Kim, Jong-Cheol Hong, Hong-Geun Kim, Bong-Ki Kwon
  • Patent number: 9147064
    Abstract: A method for carrying out an application with the help of a portable data carrier, wherein the data carrier includes two separated communication interfaces. According to the method, a user transmits via a first terminal specified input data for processing by the application to a server via a first data connection between the first terminal and the server. Then, authentication data for authenticating the application based on the input data of the server are transmitted via a second data connection between the server and the data carrier which is connected via the first communication interface with the first terminal. The authentication data are then transmitted from the data carrier via a third data connection to the second terminal. The third data connection is realized by means of the second communication interface.
    Type: Grant
    Filed: March 31, 2010
    Date of Patent: September 29, 2015
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventor: Sven Bauer
  • Patent number: 9148283
    Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: September 29, 2015
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel, Brian N. Bershad, David Erb
  • Patent number: 9146881
    Abstract: A portable electronic device is provided. The portable electronic device includes a data interface module that processes files associated with a user, the data interface module receives and validates a password from a user of the portable electronic device before the user is allowed access to files processed by the data interface module, an encryption key formed by the data interface module upon validation of the password, the encryption key further comprising the password, a hard coded private string and a serial number of the portable electronic device, and a data storage area that stores files received from the data interface module, where the stored files are encrypted using the encryption key and where neither the encryption key nor the password are stored in an unencrypted format anyplace within the portable electronic device.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: September 29, 2015
    Assignee: CommandHub, Inc.
    Inventors: Richard Cousins, Linton Henderson, Graham Matthews
  • Patent number: 9148286
    Abstract: An embodiment of the invention includes a method of authenticating a second device connected to a first device. The method includes transmitting a first data string from the first device to the second device and receiving a second data string at the first device from the second device. The method also includes generating a third data string using an alteration key at the first device and comparing the third data string and either the first data string or the second data string. The method further includes authenticating the second device if the compared data strings match.
    Type: Grant
    Filed: October 14, 2008
    Date of Patent: September 29, 2015
    Assignee: FINISAR CORPORATION
    Inventor: Hui Li
  • Patent number: 9065637
    Abstract: A system and method where the “dealer” of a split Master Secret becomes the Master Key Server, whose role is to initially compute the Master Secret, create and distribute shares of the Master Secret to two Distributed Private Key Generators (D-PKG), initialize and route the inter-process communication between the nodes, co-ordinate and computationally participate in the User System's IBE Private Key generation process.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: June 23, 2015
    Assignee: CERTIVOX LTD.
    Inventors: Brian P. Spector, Michael Scott, Gene Meyers