Abstract: In an example for implementing a process under a superuser privilege within a computing device, a monitor function library for monitoring an executable function is loaded when the process acquires the superuser privilege. When it is detected that the process runs the executable function, the monitor function library may suspend the running of the executable function, and output process monitoring information. If a feedback to the process monitoring information indicates that it is allowable to perform the executable function, a system function library is invoked to perform the executable function the process runs.

Abstract: Implementations of a system and method of generating and using bilaterally generated variable instant passwords are provided. In some implementations, the Bilaterally Generated Variable Instant Password System is a Password generation and authentication system that may be used to secure electronic transactions (e.g., a stock market transaction). The system works by authenticating a user at the beginning of a session and at the initiation of any subsequent transactions that occur during the same session. The initial password is entered by the user while additional passwords required to authenticate subsequent transactions are generated by the system without any effort on the part of the user. The passwords are used as encryption keys to encrypt each transaction and may be used to limit a user's access to specific portions of a service providers system. A variety of authentication devices may be used to generate system passwords.

Abstract: A system for attribute-based encryption comprises a first encrypter (11) and a second encrypter (12). The first encrypter (11) comprises an input unit (1) for determining a message and a policy over a set of attributes, wherein the policy comprises a plurality of components, and a first cryptographic unit (2) for generating an encrypted representation of the message and an encrypted representation of the plurality of components. The second encrypter (12) comprises a receiving unit (3) for receiving the encrypted representation of the message and the encrypted representation of the plurality of components, and a second cryptographic unit (4) for transforming the encrypted representation of the message and the encrypted representation of the plurality of components into an attribute-based encrypted message associated with the policy.

Abstract: A method for diverse security handling may comprise: maintaining a first connection between a user equipment and a first network node, and a second connection between the user equipment and a second network node which has a third connection with the first network node; setting an indicator in a packet to indicate whether a destination of user data in the packet is the first network node or the second network node; and transmitting the packet from the user equipment to the first network node via the first connection.

Abstract: A system, method, and computer program product are provided for monitoring an execution flow of a function. In use, data associated with a function is identified within a call stack. Additionally, a call stack frame is determined from freed memory in the call stack. Further, an execution flow of the function is monitored, utilizing the call stack frame from the freed memory.

Abstract: Systems and methods may provide for online identification and authentication. In one example, the method may include generating a credential to represent a relationship based on a common ground of authenticated communication between a first user and a second user, identifying the second user to the first user, authenticating the relationship of the second user to the first user, and initiating, upon authentication, a communication between the first user and the second user.

Abstract: The present disclosure is applicable to the field of network communications, and provides a login method and apparatus, and an open platform system. The method includes: receiving an Access Token parameter provided by a login platform after a user is authenticated and authorized; acquiring an open digital identity (OpenID) of the user by using the received Access Token parameter; and generating a corresponding command word according to a browser environment of a third-party page, and returning the command word to the third-party page, the command word including the Access Token parameter and the OpenID of the user.

Abstract: A method for detecting malware includes the steps of identifying a one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects includes the executable objects that are associated with the open network connections that are connected to the first network destination.

Abstract: The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the middle attacks.

Abstract: To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed.

Abstract: The embodiments of the present invention provide a method and a trusted gateway for a WiFi terminal to access a PS service domain. The method comprises: receiving an accounting request message sent by an authentication, authorization and accounting AAA server or a dynamic host configuration protocol DHCP request message sent by the WiFi terminal; establishing, by a trusted gateway, a first packet data protocol PDP context connection or a first packet data network PDN connection with the PS service domain according to attribute information of the WiFi terminal after receiving the accounting request message or the DHCP request message, so that the WiFi terminal accesses the PS service domain via the wireless local area network, the trusted gateway, and the established first PDP context connection or the first PDN connection.

Abstract: A personal digital ID device provides a digital identifier to a service for a predetermined duration in response to user interaction. The user interaction may include a button press. The personal digital ID device may be in the form of a bracelet, a key fob, or other form factor. The service may be provided by a mobile device, in the cloud, or elsewhere.

Abstract: A method of automating security provisioning is provided. The method includes receiving a request to start a virtual application and determining an owner of the virtual application. The method includes determining a workload based on the virtual application, the workload including an application and a virtual machine and assigning the workload to a security container or sub-container, among a plurality of security containers, based on the owner of the virtual application.

Abstract: In a decryption apparatus according to an embodiment, a holding device pre-holds a verification formula. A determination device performs a calculation based on the verification formula read from the holding device by substituting, into the verification formula, the part of the re-encrypted data received from a re-encryption apparatus and the public key of a re-encryption key generation apparatus and the private key of the decryption apparatus, to determine whether or not the verification formula holds true. An output device outputs verification success when a result of the determination indicates that the verification formula holds true.

Abstract: The present invention relates to a system and method for processing a lost password by selectively providing a reset process under the password in the long-term memory of the user. According to the present invention, the system includes a user terminal including: a long-term memory condition registration unit receiving the registration of long-term memory conditions; a long-term condition determination unit determining the long-term memory conditions are satisfied; a user identification unit, after the occurrence of a lost password, authenticating the user through a user identification verification scheme or through a enhanced user identification verification scheme whether or not the password resides in the long-term memory of the user, and a lost state resetting unit cancelling the lost password occurrence state.

Abstract: Network fabric devices capable of participating in an anonymity protocol can be configured to operate as virtual circuit end-points where the node routes packets between a virtual circuit associated with a hidden service address and a port-level channel. Through management of the virtual circuit end-points, the network fabric devices participate as a hop in a virtual circuit, host hidden services, or operate as an interface to hidden services while reducing latency and truly hiding hidden services.

Abstract: A method for generating a coordinate point in an embedded system comprises the following steps: obtaining a random number and a first fixed value, and performing a modulo operation on the random number by using the first fixed value as a modulus, so as to obtain first data; selecting each data bit from the first data; obtaining, according to a position of the selected data bit in the first data, an initial point value corresponding to the selected data bit from a pre-stored initial point value list when data in the selected data bit is not zero; and performing a point adding operation on the obtained initial point value and an intermediate point value, and outputting the obtained operation result as result data. In the present invention, by querying in a preset initial point value list, an initial point value in the initial point value list is obtained, and calculation is performed according to the initial point value, thereby greatly improving the speed of generating a coordinate point.

Abstract: A plurality of devices have common access to a cryptographic key. The cryptographic key is rotated by providing the devices simultaneous access to both the cryptographic key and a new cryptographic key and then revoking access to the cryptographic key. Keys stored externally and encrypted under the cryptographic key can be reencrypted under the new cryptographic key. Keys intended for electronic shredding can be left encrypted under the old cryptographic key.

Abstract: A computer-implemented method that monitors the activity of different nodes within a system as well as crowd sourcing activity. The computer-implemented method determines that a first node formed a relationship with a second node, generates an edge based on the relationship between the first node and the second node, stores the edge in a graph index and assigns a privacy setting to the edge based on the relationship between the first and second nodes.

Abstract: A computer program product for eliminating access to data within a writable storage media cartridge includes a computer readable medium having program instructions embodied therewith. The program instructions are executable by a processing circuit to cause the processing circuit to determine whether a first portion of data on the writable storage media cartridge is encrypted, and determine whether key shredding is enabled. In response to determining that key shredding is not enabled, the processing circuit causes performance of a long erase on at least the encrypted first portion of data, and causes shredding of an encryption key related to said encrypted first portion of data.