Abstract: A method and system for connecting an Internet of Things (IoT) hub to a wireless network. One embodiment of the method includes establishing a secure communication channel between an IoT hub and an IoT service through a client device using a first secret; generating a second secret on the client device and transmitting it to the IoT hub; encrypting a wireless key using the second secret to generate a first-encrypted key and transmitting it to the IoT service; encrypting the first-encrypted key using the first secret to generate a twice-encrypted key and transmitting it to the IoT hub over the secure communication channel; decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting it using the second secret to generate the wireless key usable to establish a secure wireless connection between the IoT hub and the local wireless network.

Abstract: Systems and methods for monetizing the reproduction of digital media content for the rights-holders of the digital media content. Embodiments of the present disclosure relate to determining whether a user of a media content item has a license to reproduce the media content item. In one embodiment, the media content item may be reproduced when the user is licensed. The user is prompted to select to acquire a license to reproduce the media content item or to decline the license to reproduce the media content item when the user is not licensed. Further embodiments determine whether a user may receive a license when the user wishes to acquire a license. In an embodiment, the user is declined a license when not approved for the license.

Abstract: In one embodiment, a system, apparatus, and method are described for requesting access authorization from an access network access point (AP) via an access network interface, generating at a processor a public-private key pair to be used to generate a cryptographically generated address (CGA) upon receiving the access authorization, sending a secure neighbor discovery (SeND)—neighbor solicitation (NS) to the AP via the access network interface after the public-private key pair has been generated, receiving a signed user location information (ULI) from the AP in response to the SeND-NS, and sending the signed ULI to one of a 3GPP mobility controller or an emergency service via a 3GPP network interface. Related systems, apparatuses, and methods are also described.

Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.

Abstract: Apparatus and methods are provided for tracking and validating behavior and communication patterns of sensors connected to an Internet-of-Things (“IoT”) network. Preferably, trusted IoT sensors monitor communication patterns exhibited by other trusted and/or untrusted sensors. An untrusted monitored sensor may be assigned a trusted status based on applying artificial intelligence and/or machine learning algorithm to monitored and/or historical communication patterns exhibited by the monitored sensor. A trusted group of sensors may continue to grow by adding other trusted sensors. If a compromised sensor is detected, a silo may be erected around the compromised sensor. The silo may include disconnecting the compromised sensor from the network. After erecting the silo, communication patterns exhibited by the compromised sensor may be continue to be monitored. After a pre-determined time period the compromised sensor may be reassigned a trusted status or purged from the trusted group and/or network.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Abstract: Disclosed are various embodiments for detecting unknown software vulnerabilities and system compromises. During a learning period, it is determined which of a plurality of portions of a software package are invoked. At least one unused portion of the software package is determined based at least in part on the portions of the software package invoked during the learning period. Access to the unused portion(s) of the software package is then prevented.

Abstract: In a computing system, methods for secure OS level login authentication for internal users to access servers. Some or all servers in a group each utilize a local ID Service for generating and validating a challenge responsive to an OS login request. The challenge is processed in a centralized secure server HSM. Rather than copying individual user public keys to each host in the data center, we need only copy the public key of the HSM to each host in the group. When a user attempts OS level login to a host, it encrypts the challenge using the public key of the HSM and forwards the request for processing in the HSM. There, it decrypts the challenge using the private key in the HSM and re-encrypts the challenge with the public key of the individual user. The user's mobile device, previously registered, is required to complete the authentication process.

Abstract: A device and method for placing the device in a locked state having an associated set of permitted tasks so as to permit the device owner to share the device with others but maintain security over aspects of the device. A task change request is evaluated to determine whether the requested task is permitted and, if so, the requested task is allowed; if not, then an authorization process is invoked to prompt the user to input authorization data. Upon verification of the authorization data, the device may be unlocked and the requested change implemented. The permitted tasks may designate specific applications, specific operations or functions within applications or at the operating system level, one or more currently open windows, and other levels of granularity.

Abstract: Technologies are provided in embodiments for using compiling techniques to harden software programs from branching exploits. One example includes program instructions for execution to obtain a first encoded instruction of a software program, the first encoded instruction including a first opcode in a first field to be performed when the first encoded instruction is executed, identify a vulnerable value in a second field within the first encoded instruction, where the vulnerable value includes a second opcode, determine that the first encoded instruction can be replaced with one or more alternative encoded instructions that do not contain the vulnerable value, and replace the first encoded instruction with the one or more alternative encoded instructions.

Abstract: Techniques are described for adjusting policy characteristics based on a determined similarity between routes. A similarity metric may be determined indicating the similarity between a first route followed by a vehicle and/or driver and a second (e.g., previous) route followed by the vehicle and/or driver. A similarity metric may indicate the similarity in movements, and changes in movement, exhibited by the vehicle on the routes. The similarity metric may be determined through analysis of real time data collected by in-vehicle sensor(s), mobile user device(s), external sensors or other data sources. Based on the similarity metric, a premium, a deductible, a price, or other characteristic(s) of a policy may be determined. In some examples, policy characteristics may be adjusted (e.g., in real time) based on the analysis according to changing risk conditions if a driver is following routes that are dissimilar from typical routes.

Abstract: A method and apparatus for providing fallback data services over a Wi-Fi network is described. A request to enable access to new data sessions for wireless terminals in a zone covered by a Wi-Fi network node is received upon failure of 3GPP radio in that zone. When a request for a new data session from a WT is received, the MAC address of the WT is added to a list of authorized users. The MAC address of the WT is sent to Wi-Fi network nodes of adjacent zones such that the WT can have continuous service as it moves between zones. When a Wi-Fi network node currently serving the WT receives an indication that the WT data session is terminated, a message is sent from the Wi-Fi network node currently serving the WT, to nodes of adjacent zones to remove the MAC address of the WT from the list of authorized users.

Abstract: A method implemented on an augmented reality (AR) electronic device includes initiating a security access code software application on the AR electronic device. A user of the AR electronic device is identified. A first electronic computing device at or near a current location of the user is identified. The first electronic computing device is an input device for entry of a security code to permit access to a protected asset. A determination is made as to whether the user is authorized to access the protected asset. When a determination is made that the user is authorized to access the protected asset, a security access code is displayed on the AR electronic device. The security access code permits the user to access the protected asset via the first electronic computing device.

Abstract: This disclosure describes an automated process of discovering characteristics needed to integrate a web-based application to a web portal, such as a reverse proxy. This process eliminates the need for application owners and security analysts to manually discover the information needed for the on-boarding process. To this end, application-specific information is determined by monitoring network traffic flows in and out of the application, user authentication and authorization event data, and the like. An application discovery engine analyzes the discovered data, preferably against a set of patterns and heuristic-based rules, to discover or identify the one or more application characteristics. A set of configuration data is then generated, and this configuration data is then used to integrate the application into the web reverse proxy and, in particular, by specifying the configuration needed to “board” the application.

Abstract: A policy management method and system, which determines at least one functional model for the IT system; loads at least one pre-configured policy selection template that indicates at least one policy aspect applicable to the at least one IT system; generates at least one policy user interface that gathers a policy input; receives a policy input loaded from a data storage or a memory or entered by a user via a user interface; loads at least one pre-configured policy generation template that indicates at least one technical rule or configuration aspect of the policy that the policy template pertains to; generates at least one machine-enforceable rule/configuration compliant with the received input policy; transmits the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity; and executes the transmitted at least one machine-enforceable rule/configuration.

Abstract: Embodiments for performing self-contained, consistent data masking in a distributed computing environment by a processor. A data masking operation is performed on one or more datasets in one of a plurality of data formats such that a key of each value of each key-value pair representing a common set of columns or paths for the one or more datasets is masked.

Abstract: In one example in accordance with tie present disclosure, a method for security vulnerability detection includes indexing a variety of internet sources comprising third party submitted information, to extract security vulnerabilities based on the third party submitted information. The method includes generating a security vulnerabilities list comprising security vulnerabilities from the internet source and generating a software components list comprising a software component used in an application. The method includes determining that a security vulnerability in the security vulnerabilities list affects the software component and determining a risk score of the security vulnerability. The method includes presenting the security vulnerability, the risk score and the software component via a user interface.

Abstract: A method, system and computer-usable medium for generating a security analysis effort, cost and process scope estimates, comprising: analyzing a software system; identifying a complexity level of a security analysis, the complexity level of the security analysis comprising identification of an effort level for the security analysis; and, generating the security analysis effort estimate, the security analysis effort estimate comprising an estimate of an effort expenditure to perform a security analysis on the software system at the identified complexity level.

Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

Abstract: The present disclosure relates to a communication method and system for converging a 5th-Generation (5G) communication system for supporting higher data rates beyond a 4th-Generation (4G) system with a technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the 5G communication technology and the IoT-related technology, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services.