Abstract: An attack defense processing method and a protection device. The attack defense processing method includes the protection device receives a first packet by a protection device, if it is determined that the first packet is an Internet Control Message Protocol version 6 (ICMPv6) Packet Too Big packet, parses the first packet to obtain an internet protocol (IP) address of a source node, an IP address of a destination node, and a Maximum Transmission Unit (MTU) value that are carried in the first packet, determines a range of valid MTUs on a path between the source node and the destination node according to the IP address of the source node and the IP address of the destination node, and performs attack defense processing for the first packet when it is determined that the MTU value does not belong to the range of the valid MTUs.

Abstract: A method is provided for securely transmitting a digital message that is transmitted by means of an electronic letter service. A user of the service has a computer with a functioning browser and an Internet connection, and the electronic letter service makes use of a TrustCenter. The user creates a password using his/her browser. A user password verifier is cryptographically derived from the password. The user password verifier is transmitted to the electronic letter service and stored on a storage medium. A user secret is generated from the password by means of a cryptographic derivation. The user secret constitutes the symmetrical key for the encryption of a user-specific user master secret. The user secret is encrypted using the public key of the TrustCenter and the encrypted user secret is transmitted to the electronic letter service, from where it is then forwarded to the TrustCenter.

Abstract: A non-transitory machine-readable media embodying instructions executable by one or more processors to perform a method is provided. In one aspect, the method includes receiving, from a first computing device associated with a first account, a request for interaction with a second computing device associated with a second account, wherein the first account is assigned a quota for interacting with one or more accounts. The method includes determining a cost associated with the interaction. The method includes, when the quota exceeds the cost, determining that the interaction is allowed and deducting the cost from the quota. Systems and methods are also provided.

Abstract: The invention relates to a method of signature with pseudonym ? of a message m by a user device storing a secret signature key sk dependent at least on a first part of key f, on a second part of key x and on a third part of key A equal to (g1hf)1/(x+y) and comprising the following steps: —generation of a pseudonym nym equal to hf dpkx, with dpk a public domain parameter, —determination of random numbers a, r_a, r_f, r_x, r_b, r_d, —calculation of signature coefficients R1 equal to hr_Jdpkr_x, R2 equal to nymr_ah?r_ddpk?r_b, R3 equal to Zr_x Va?r_x?r_f?r_b W?r_a, with Z, V and W respectively equal to e(A, g2), e(h, g2) and e(h,w), —obtaining of a first signature parameter T equal to Aha, —calculation of a second signature parameter c by applying a cryptographic hash function H, to the public domain parameter dpk, to the pseudonym nym, to the first signature parameter T, to the signature coefficients R1, R2, R3 and to the message m, —calculation of signature parameters s_f, s_x, s_a, s_b, s_d, respectively equa

Abstract: An application centric compliance management system includes a computing system that executes a tool to identify a subset of a the resources of a multi-tier computing environment that are used to execute an application, and for each identified resource, obtain one or more application-based compliance policies associated with the application. The tool may then determine whether the resource meets each application-based compliance policy, and when the resource does not meet the application-based compliance policy, generate an alarm that includes information associated with the one unmet application-based compliance policy.

Abstract: A system provides cloud-based identity and access management. The system receives a request for performing an identity management service, where the request includes a call to an application programming interface (“API”) that identifies the identity management service and a microservice configured to perform the identity management service. The system authenticates the request, accesses the microservice, and performs the identity management service by the microservice.

Abstract: Aspects of the subject disclosure may include, for example, a method comprising authenticating, by a server comprising a processor, a communication device to a first communication network, in accordance with authentication information stored in a first repository of the first communication network. The method also comprises determining, by the server, that a second communication network is accessible to the communication device. The method further comprises providing, by the server, the authentication information to a second repository of the second communication network in accordance with the determining, wherein the providing is performed independently of a request from the second communication network. Other embodiments are disclosed.

Abstract: A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior.

Abstract: Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.

Abstract: In an example, there is disclosed a computing apparatus, including: a network interface; one or more logic elements providing a security orchestration server engine operable for: receiving contextual data from a client via a network interface; providing the contextual data to a security orchestration state machine, the security orchestration state machine operable for deriving a policy decision from the contextual data; and receiving the policy decision from the policy orchestration state machine. There is also disclosed one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions for providing a security orchestration engine, and a method of providing a security orchestration engine.

Abstract: A device securely accesses data in a memory via an addressing unit which provides a memory interface for interfacing to a memory, a core interface for interfacing to a core processor and a first and second security interface. The device includes a security processor HSM for performing at least one security operation on the data and a remapping unit MMAP. The remapping unit enables the security processor to be accessed by the core processor via the first security interface and to access the memory device via the second security interface according to a remapping structure for making accessible processed data based on memory data. The device provides a clear view on encrypted memory data without requiring system memory for storing the clear data.

Abstract: Methods, apparatus, and systems for generating and verifying one time passwords in connection with a risk assessment are disclosed. The risk assessment may comprise a client-side risk assessment. The risk assessment may also comprise a server-side risk assessment.

Abstract: Techniques for mobile devices to subscribe and share raw sensor data are provided. The raw sensor data associated with sensors (e.g., accelerometers, gyroscopes, compasses, pedometers, pressure sensors, audio sensors, light sensors, barometers) of a mobile device can be used to determine the movement or activity of a user. By sharing the raw or compressed sensor data with other computing devices, the other computing devices can determine a motion state based on the sensor data. Additionally, in some instances, the other computing devices can determine a functional state based on the sensor data and the motion state. For example, functional state classification can be associated with each motion state (e.g., driving, walking) by further describing each motion state (e.g., walking on rough terrain, driving while texting).

Abstract: An encrypted cached content system includes a user IHS, a content provider IHS, and a caching IHS. The caching IHS includes a caching engine that is configured to receive a content request from the user IHS. The caching engine generates a user-side key using content identifying information in the content request, and forwards the content request to the content provider IHS over a network as a content partial information request. In response to receiving a content partial information response from the content provider IHS over a network, the caching engine generates a content-provider-side key using header information in the content partial information response. The caching engine performs a hashing operation on the content request using a combination of the user-side key and the content-provider-side key to produce a hashed content request, and uses the hashed content request to retrieve content from the cache.

Abstract: The present disclosure relates to a method and system for the remote provisioning of an access subscription of a user to a wireless communication network, wherein at least one network operator provides communication services to mobile communication devices provided with a user UICC card. Data of a temporary subscription are generated from the data of an initial subscription which will subsequently allow generating data of a definitive subscription in a network operator and in the UICC card requesting a subscription from the former without the need of remotely transmitting sensitive data of the definitive subscription.

Abstract: The present invention discloses a system and method for controlling mutual access of smart devices. The method includes creating a home account on a cloud server, and adding smart devices and device information corresponding to the smart devices to a device list under the home account; acquiring, for each of the smart devices, authentication by using the home account and device information corresponding to the smart device; and establishing, for each of the smart devices, a Transmission Control Protocol (TCP) long connection to the cloud server. In the present invention, a unique home account is created on a cloud server, so that smart devices log in to the cloud server by using the unified home account, and the smart devices under the unified home account allow mutual access when being authorized. Therefore, when smart devices in a home access each other, the workload is greatly reduced.

Abstract: A data securing device according to an embodiment includes a processor that executes a process including: receiving individual data and a parameter for anonymization, using the parameter to suppress data that does not satisfy k-anonymity among data that is included in various attributes of records in the individual data, and suppressing data that is extracted from the data at random; and outputting individual data in which data is suppressed at the receiving.

Abstract: One or more embodiments of the invention provide access to a work environment in a mobile device from a lock screen presented by a personal environment of the mobile device, wherein the work environment is running in a virtual machine supported by a hypervisor running within the personal environment and wherein the personal environment is a host operating system (OS) of the mobile device. The host OS receives an authentication credential from a user in response to a presentation of the lock screen on a user interface (UI) of the mobile device and then determines whether the authentication credential is valid for the personal environment or the work environment. If the authentication credential is valid for the personal environment, access is enabled only to the personal environment. If the authentication credential is valid for the work environment, access is enabled to both the personal environment and the work environment.

Abstract: A security method that includes assigning a sensitivity value for a communication with a sensitivity determining module including at least one hardware processor. Following assignment of the sensitivity value to the communication, the communication is formatted for display. When sensitivity value exceeds a security threshold, the communication is parsed into a sequence of fragments. The communication is transmitted as the sequence of fragments when said sensitivity value exceeds the security threshold.

Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, access policies define authorizations regarding which entities are able to resolve a token to access the actual sensitive data.