Patents Examined by Jeffrey Nickerson
  • Patent number: 11947677
    Abstract: A method may include determining that a non-constant value of a variable corresponding to a variable node of the abstract syntax tree flows into an operator node in the abstract syntax tree. The method may further include adding, to the abstract syntax tree, a check taint node including functionality to: make a taint status determination that the non-constant value is tainted, and return the non-constant value to the operator node. The operator node generates a result value by executing an operator using the non-constant value. The method may further include adding, to the abstract syntax tree, a set taint node that stores, based on the taint status determination, the result value in a second tainted object, and performing, using the abstract syntax tree, a taint analysis of the source code to identify a vulnerability in the source code.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: April 2, 2024
    Assignee: Oracle International Corporation
    Inventors: Daniele Bonetta, Alexander Jordan, Christian Humer, Jacob Kreindl
  • Patent number: 11943236
    Abstract: Technologies for detecting cyber-attacks against electrical distribution devices include a controller. The controller includes circuitry to determine a first measured value of a first operational parameter of a transformer based upon one or more signals received from one or more sensors of the transformer. The circuitry is also to determine a second measured value of a second operational parameter of the transformer based upon one or more signals received from the one or more sensors of the transformer, calculate a first expected value of the first operational parameter based on the second measured value of the second operational parameter and a model of the transformer that relates the first and second operational parameters, compare the first measured value of the first operational parameter to the first expected value of the first operational parameter, and identify when a difference between the first measured value and the first expected value exceeds a first threshold.
    Type: Grant
    Filed: April 26, 2018
    Date of Patent: March 26, 2024
    Assignee: HITACHI ENERGY LTD
    Inventors: Reynaldo Nuqui, Junho Hong, David Coats
  • Patent number: 11706051
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: July 18, 2023
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Cosmin C. Stan, Andrei Rusu, Bogdan C. Cebere, Alexandru I. Achim
  • Patent number: 11582188
    Abstract: A first correspondence table in a terminal device stores a correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process; a second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier, sent by a network security device, of a first data stream. The terminal device can find, in the first correspondence table, a first record storing the identifier of the first data stream to obtain an identifier of a process. The terminal device can find, in the second correspondence table, a second record storing the identifier of the process in the first record to obtain an identifier of an application from the second record. The identifier of the application is then sent to the network security device.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: February 14, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Youyong Li, Ying Xiong
  • Patent number: 11564089
    Abstract: An apparatus for Internet of Things (IoT) registration includes a beacon frame transmitting unit for transmitting a beacon frame to a plurality of stations, an authentication unit that receives an authentication request frame from the plurality of stations in a first method, and an association unit that transmits an authentication response frame or an association response frame to the plurality of stations in a second method.
    Type: Grant
    Filed: April 25, 2018
    Date of Patent: January 24, 2023
    Assignee: Industry Academic Cooperation Foundation Of Yeungnam University
    Inventors: Young-Tak Kim, Nurullah Shahin
  • Patent number: 11539505
    Abstract: A method and system. An instruction to encrypt plaintext to generate encrypted data from the plaintext is received. The encrypted data is to be stored in a database device in response to a first request received from a client terminal to store the plaintext in the database device. The first request includes the plaintext. Ciphertext is generated by applying both an initialization vector and an encryption key directly to the plaintext. An embedding rule used to generate the encrypted data is selected from a sequence of embedding rules. The encrypted data is stored in the database device. A second request to receive the plaintext data is received from the client terminal. The plaintext is obtained from the encrypted data by separating the encrypted data into the ciphertext and the initialization vector, and generating the plaintext by decrypting the ciphertext that was separated from the encrypted data.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: December 27, 2022
    Assignee: KYNDRYL, INC.
    Inventor: Yasuhiro Onoda
  • Patent number: 11522871
    Abstract: An example client device includes a processor configured to construct a key to be used to encrypt or decrypt data of a communication session between the client device and a server device, partition the key into a plurality of key partitions, send data representative of the key and a location of the client device to the server device, send data representative of each of the plurality of key partitions to a respective key verification server device of a plurality of key verification server devices, and after receiving an indication from the server device that the key has been verified using data representative of the key, the location of the client device, and the plurality of key partitions, encrypt or decrypt data exchanged with the server device using the key.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: December 6, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Basil F. Nimry, Nicholas Gillis
  • Patent number: 11438321
    Abstract: A method of managing a node in a cluster of nodes in an SDN network. The method comprises receiving from the node a request to join the cluster and a list of references authenticating the node. The references are verified and, if the references pass the verification, the node is allowed to join the cluster. Then a trust level of the node is calculated based on the number of verified references, wherein a role of the node in the cluster depends on the trust level of said node.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: September 6, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Roberta Daidone, Stefano Orsi, Roberto Magri
  • Patent number: 11431699
    Abstract: The present disclosure provides systems and methods for processing operation. An exemplary method for processing operation, implementable by a terminal, may comprise: displaying a target web page, wherein the target web page comprises a first control element and a second control element, the first control element is configured to acquire an account identifier for an account, and the second control element is configured to correlate the account identifier and an operation request for executing the operation request without logging in the account after the operation request is correlated with the account identifier; acquiring the account identifier in response to a trigger action on the second control element; and sending the account identifier and the operation request that is correlated by the second control element to a server corresponding to the target web page.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: August 30, 2022
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Benjie Wang
  • Patent number: 11431677
    Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: August 30, 2022
    Assignee: NICIRA, INC.
    Inventors: Sushruth Gopal, Jayant Jain, Subrahmanyam Manuguri, Anirban Sengupta, Deepa Kalani, Alok Tiagi, Sushil Singh
  • Patent number: 11397796
    Abstract: A device, system and method for managing access authorization is provided. A request to alter access authorization of one or more devices assigned to a user is received at a computing device. The computing device determines at least one contextual condition associated with at least one of the one or more devices. The computing device determines, based on the at least one contextual condition, a subset of the one or more devices for which the access authorization is to be altered to include at least one other user. The computing device alters the access authorization of the subset of the one or more devices to include the at least one other user, such that the at least one other user is granted access to the subset of the one or more devices.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: July 26, 2022
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Francesca Schuler, Randi Karpinia, Jorge M. Alayo Espino
  • Patent number: 11394731
    Abstract: A method may include running virtual sessions on a virtualization server for a plurality of client devices associated with respective users, with the virtual sessions being responsive to traffic from the client devices. The method may further include generating baseline traffic patterns for the users based upon the traffic from respective client devices during the virtual sessions, monitoring traffic during a new virtual session for a given client device and detecting an anomaly therein relative to at least one of the baseline traffic patterns, and generating an anomaly alert based upon detecting the anomaly.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: July 19, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Mudit Mehrotra, Vikramjeet Singh Sandhu, Abhinav Muralidhar Kulkarni
  • Patent number: 11394726
    Abstract: The present invention relates to a method for transmitting a message sequence via a data bus. The method comprises the transmission of an informational message containing an informational signal during an active phase, the transmission of a security message for initiating a rest phase and the transmission of rest messages containing a rest signal at the interval of a rest cycle time during the rest phase, wherein the informational signal and the rest signal differ from each other and wherein the security message and the rest messages differ from each other. Furthermore, the invention relates to a device for transmitting a message sequence via a data bus as well as a method and a device for detecting an attack on a message sequence transmitted via a data bus.
    Type: Grant
    Filed: October 9, 2018
    Date of Patent: July 19, 2022
    Assignee: VOLKSWAGEN AKTIENGESELLSCHAFT
    Inventors: Birger Kamp, Viktor Bunimov, Anke Jentzsch, Steven Michna, Christoph Riechel
  • Patent number: 11362842
    Abstract: An example operation may include one or more of evaluating a proposed membership conversion submitted by a client application (App) on a client subject to a first membership services provider (MSP1), evaluating the validity of the client according to channel membership rules, placing a transaction certificate in a creator field of a client transaction request, using fabric-attribute-based authentication to authenticate the client that submitted the membership conversion proposal, consulting a membership table to determine access rights of the client, and passing the access rights information to an application membership credential generator compliant with a second membership services provider (MSP2).
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: June 14, 2022
    Assignee: International Business Machines Corporation
    Inventors: Elli Androulaki, Angelo De Caro
  • Patent number: 11275867
    Abstract: Generally described, one or more aspects of the present application correspond to a content validation system. A content validation service receives visual secret request information from user devices. The content validation service provides visual secret information to be rendered with received content. The content validation service then receives a snapshot of content to be rendered including a representation of the visual secret information to validate the content.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: March 15, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Jonathan Matthew Miller
  • Patent number: 11245701
    Abstract: At an authorization manager, an indication is obtained that a request pre-processing tool has been designated as a validator for a category of requests directed to a network-accessible service. The authorization manager determines, based at least in part on a validation result set indicated in a request of the category, that the request pre-processing tool has verified that the request meets an authorization requirement. The authorization manager approves one or more operations indicated in the request.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: February 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, John Cook
  • Patent number: 11232224
    Abstract: The present approaches generally relate to the encryption of data within a database in such a way that the encrypted data may still be easily accessed and utilized by an application. The present approach provides the ability to encrypt and decrypt data at an application layer though the data remains in an encrypted state at the database layer and when in transit.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: January 25, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Timothy Yim, Herman Knief, James David Wigdahl
  • Patent number: 11206256
    Abstract: A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: December 21, 2021
    Assignee: Protegrity Corporation
    Inventors: Ulf Mattsson, Yigal Rozenberg, Vichai Levy
  • Patent number: 11200634
    Abstract: A vehicle computer includes a watermark memory and a watermark processor programmed to execute instructions stored in the watermark memory. The instructions executed by the watermark processor include receiving an image captured by a camera, selecting a set of random pixel locations, generating a random watermark, and embedding the random watermark into the image at the set of random pixel locations. Another vehicle computer includes a validation memory and a validation processor programmed to execute instructions stored in the validation memory. The instructions executed by the validation processor include receiving a watermarked image, determining a random watermark, detecting an embedded watermark in the received watermarked image by selecting a set of random pixels and analyzing the selected set of random pixels for the random watermark, and authenticating the watermarked image as a result of determining that the watermarked image includes the random watermark at the set of random pixel locations.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: December 14, 2021
    Assignee: Ford Global Technologies, LLC
    Inventors: Amit Kulkarni, Hafiz Malik, John Moore
  • Patent number: 11200327
    Abstract: Disclosed are methods and systems that include receiving updated operating system information, encrypting the updated operating system information, and updating a map file. The updated operating system information is received at an encryption virtual machine. The encrypting the updated operating system information results in the encrypted updated operating system information. The encrypting the updated operating system information is managed by the encryption virtual machine. The updated operating system information is encrypted in response to receipt of the updated operating system information. The updated operating system information is encrypted using an encryption key.
    Type: Grant
    Filed: July 24, 2019
    Date of Patent: December 14, 2021
    Assignee: Veritas Technologies LLC
    Inventors: Soumya Tripathy, Subhadeep Ghosh