Patents Examined by Ka Shan Choy
  • Patent number: 11470478
    Abstract: Secure communication in mobile digital pages is provided. The system receives an electronic document and validates the electronic document for storage in a cache server. The system receives a request for the electronic document and provides it to a viewer component on a client computing device. The viewer component loads the electronic document in an iframe. The viewer component executes a runtime component to receive, via a secure communication channel, a tag from the electronic document. The system receives the tag and selects a data value for transmission to the viewer component. The viewer component provides the data value to cause the runtime component to execute an action with the data value.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: October 11, 2022
    Assignee: GOOGLE LLC
    Inventors: Jay Akkad, Nikhil Rao, Anshul Gupta, David Wang, Ian Baker, Neil Dhillon
  • Patent number: 11463461
    Abstract: Techniques for performing unequal sampling are provided. In one technique, multiple scores generated by a prediction model are identified, each score corresponding to a different entity of multiple entities. Multiple buckets are determined, each bucket corresponding to a different range of scores. Each entity is assigned to a bucket based on the score corresponding to the entity. A probability distribution function is generated based on the scores and a number of scores belonging to each bucket. For each entity, a probability of sampling the entity is determined based on the probability distribution function and a score corresponding to the entity. A subset of the entities are sampled based on the probability determined for each entity.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: October 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wenqian Li, Zhou Jin, Rui Zhao, Xiaosu Huang, Chi-Yi Kuan
  • Patent number: 11449331
    Abstract: Disclosed is a vehicular update system including a communication device configured to communicate between a server and a controller included in a vehicle, a memory, and a controller configured to, (i) when a public key set including a root public key for verifying a root signature is stored in the memory, acquire the root signature from the server and verify root metadata based on the acquired root signature and the root public key of the public key set pre-stored in the memory, and configured to, (ii) when the public key set is not stored in the memory, acquire, from the server, root metadata including a public key set and a root signature obtained by performing a digital signature on a hash value of the public key set using a root private key, verify the root metadata based on the root public key of the acquired root metadata and the root signature, and store the public key set.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: September 20, 2022
    Assignee: LG ELECTRONICS INC.
    Inventors: Junsang Park, Sangwook Lee, Kyusuk Han
  • Patent number: 11451517
    Abstract: A method for secure proxying using trusted execution environment (TEE) technology includes performing, using a TEE running on a proxy, an attestation with a TEE running on a client. The TEE running on the proxy receives from the TEE running on the client a request to fetch data from a remote server. The TEE running on the proxy fetches the data specified in the request from the remote server. The TEE running on the proxy forwards to the TEE running on the client the data fetched from the remote server.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: September 20, 2022
    Assignee: NEC Corporation
    Inventors: Claudio Soriente, Hien Truong
  • Patent number: 11444963
    Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.
    Type: Grant
    Filed: March 15, 2022
    Date of Patent: September 13, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Jonathan R. Rogers, Vincent Mutolo, Peter P. Geremia
  • Patent number: 11438351
    Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.
    Type: Grant
    Filed: April 5, 2022
    Date of Patent: September 6, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Jonathan R. Rogers, Vincent Mutolo, Peter P. Geremia
  • Patent number: 11431689
    Abstract: A system includes a secure payload generator and a payload warehouse. The secure payload generator receives a payload, which includes a private key and a corresponding public key. For example, the private key may include information for decrypting a message encrypted with the public key. An encryption vector is determined based at least in part on the public key. The private key is encrypted using the determined encryption vector. The encrypted private key and the corresponding public key are provided to the payload warehouse. The payload warehouse stores the encrypted private key and the corresponding public key as a secured payload.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: August 30, 2022
    Assignee: Lennox Industries Inc.
    Inventor: Nguyen Trong Ho
  • Patent number: 11432152
    Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header fields and information elements (IEs) in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcast by other APs in the TWE including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: August 30, 2022
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Scott Elliott, Jay Lindenauer
  • Patent number: 11424941
    Abstract: A method at a network element, the method including receiving at least one message at the network element, the at least one message being one or both of: an update status information message from an updates server; and an anomaly detection status information message from an anomaly detection server; determining, based on the receiving the at least one message, a dynamic cybersecurity posture indication for an intelligent transportation system entity; and providing the dynamic cybersecurity posture indication for the intelligent transportation system entity to an Enrolment Authority, wherein the dynamic cybersecurity posture indication can be included in a certificate relating to the intelligent transportation system entity.
    Type: Grant
    Filed: April 29, 2020
    Date of Patent: August 23, 2022
    Assignee: BlackBerry Limited
    Inventors: Nicholas James Russell, Stephen John Barrett, Michaela Vanderveen
  • Patent number: 11425092
    Abstract: A method and system for configuring a web application firewall (WAF) device. The system includes continuously receiving events of an event log associated with a first web based application; generating for each event a signature using a local sensitive hash function; populating a Markov model based on signatures generated for the events, wherein each node in the Markov model corresponds to a generated signature; generating a first new signature for a first new received event, and a second new signature for a second new received event, wherein the second event is subsequent to the first event; determining a probability based on the Markov model that the second event is subsequent to the first event, by locating a first node corresponding to the first new signature and a second node corresponding to the second new signature; and authorizing a request associated with the second event, in response to determining that the determined probability exceeds a predefined threshold.
    Type: Grant
    Filed: May 26, 2020
    Date of Patent: August 23, 2022
    Assignee: Radware, Ltd.
    Inventor: Dekel Cohen
  • Patent number: 11425569
    Abstract: Secure communication in mobile digital pages is provided. The system receives an electronic document and validates the electronic document for storage in a cache server. The system receives a request for the electronic document and provides it to a viewer component on a client computing device. The viewer component loads the electronic document in an iframe. The viewer component executes a runtime component to receive, via a secure communication channel, a tag from the electronic document. The system receives the tag and selects a data value for transmission to the viewer component. The viewer component provides the data value to cause the runtime component to execute an action with the data value.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: August 23, 2022
    Assignee: GOOGLE LLC
    Inventors: Jay Akkad, Nikhil Rao, Anshul Gupta, David Wang, Ian Baker
  • Patent number: 11418486
    Abstract: A method and system for controlling internet browsing user security is provided. A control device (120) receives, via a first communication channel, a web page request from a control agent (102) implemented in a browser (101), the browser (101) being installed in a computer device operated by a user. Then, the control device (120) requests, to a control service (130), via a second communication channel, a security level of said requested web page including a status of the user and the presence of risks in the requested web page. The control service (130) executes a security check on said requested web page by checking whether the requested web page is included in a blacklist or a whitelist and also by checking certain risk control criteria of the requested web page. Finally, in response to receipt of a result of said security check, the control device (120) allows or denies access to said web page.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: August 16, 2022
    Assignee: TELEFONICA CYBERSECURITY TECH S.L.
    Inventors: Victor Manuel Mundilla Garcia, Aruna Prem Bianzino, Jose Maria Alonso Cebrian, Sergio De Los Santos Vilchez
  • Patent number: 11411976
    Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: August 9, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: Alexander Basovskiy, Dmitry Kravchenko, Avraham Dayan, Moshe Hadad
  • Patent number: 11405412
    Abstract: A method is described for a proxy to mitigate attacks from web application clients based on context of web application layer requests. The method includes receiving a plurality of web application layer requests from a web application layer client; aggregating a first set of requests from the plurality of web application layer requests, wherein the first set of requests are part of a first session; determining a profile based on the first set of requests, wherein the profile describes a baseline of expected behavior for a user of the web application layer client; and determining a first threat value associated with the first set of requests based on the first set of requests and the profile, wherein the first threat value describes the likelihood that the first set of requests are part of an attack on one or more web application servers.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: August 2, 2022
    Assignee: Imperva, Inc.
    Inventors: Jonathan R. Azaria, Ori Or-Meir, Nadav Avital, Amir Shladovsky, Ben Herzberg
  • Patent number: 11397536
    Abstract: A phytosanitary treatment blockchain is generated from automatically gathered phytosanitary treatment records. The phytosanitary treatment records are generated by matching authenticated treatment data with authenticated identification data. Matching may be based on geolocation, timestamps, or both. Authentication may be based on digital signatures using private key encryption. Separate treatment sensors and identification sensors automatically gather information about a phytosanitary treatment and the item being treated. The gathered information is encrypted and transmitted to blockchain members that perform authentication, matching, and generation of the phytosanitary treatment blockchain. A tracking code may be issued for each treatment. The tracking code is used to obtain an authentication of the treatment that indicates whether the treatment passed or failed.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: July 26, 2022
    Inventor: Dennis John Glennon
  • Patent number: 11394710
    Abstract: A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.
    Type: Grant
    Filed: October 13, 2021
    Date of Patent: July 19, 2022
    Assignee: CLOUDFLARE, INC.
    Inventors: James Howard Royal, Samuel Douglas Rhea
  • Patent number: 11394543
    Abstract: A method for managing sensitive data, including: receiving an encryption key from a third party recovery agent; at a user agent executing on a user device, encrypting the sensitive data with the encryption key; and storing the encrypted sensitive data at a third party storage provider system. The method can optionally include, at the user agent: requesting the encryption key from the third party recovery agent using a set of recovery agent authentication credentials; requesting the encrypted sensitive data from the third party storage provider system using a set of storage provider authentication credentials; and decrypting the encrypted sensitive data using the encryption key.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: July 19, 2022
    Assignee: Coinbase, Inc.
    Inventors: Paul Collier, Alexander Kern, Peter Jihoon Kim, Sahil Amoli, Rohith Varanasi, Andrew Gold
  • Patent number: 11388144
    Abstract: A network security device configured to monitor and control incoming and outgoing network traffic allows for concurrent or parallel access to a network session table by multiple session managers in order to increase the network session setup rate within the device. Each of the multiple session managers can gain access to the session table in parallel with each other when the session managers are processing packets associated with different network sessions. Session managers utilize an identifier unique to each network session to be established in the network session table, which is used to determine which session managers can concurrently access the network session table.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: July 12, 2022
    Assignee: NXP USA, Inc.
    Inventors: Sai Naidu Kamisetti, Krishnakumar Venkataraman, Sajjan Shakkari, Karthik Gadepalli
  • Patent number: 11388146
    Abstract: A proxy system is installed on a computing device that is in the network path between the device and the Internet. The proxy system, residing on the computing device, decrypts and inspects all traffic going in and out of the computing device.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: July 12, 2022
    Assignee: Bitglass, LLC
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik, Siva Saran Kumar Kollipara
  • Patent number: 11388178
    Abstract: Extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power system cybersecurity attack surface. National and jurisdictional interconnection standards require DER to include a range of autonomous and commanded grid-support functions which can drastically influence power quality, voltage, and the generation-load balance. Investigations of the impact to the power system in scenarios where communications and operations of DER are controlled by an adversary show that each grid-support function exposes the power system to distinct types and magnitudes of risk. The invention provides methods for minimizing the risks to distribution and transmission systems using an engineered control system which detects and mitigates unsafe control commands.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: July 12, 2022
    Assignee: National Technology & Engineering Solutions of Sandia, LLC
    Inventor: Jay Tillay Johnson