Patents Examined by Michael Pyzocha
  • Patent number: 11768970
    Abstract: A secure computing device having a storage arrangement configured to store a secret. The secure computing device includes a first interface configured to control a display, and a second interface configured to receive an input signal having information which reproduces a prompt to display the secret. The secure computing device is designed to read the secret from the storage arrangement on the basis of the input signal, and to control the display via the first interface in such a way that a display of the secret is effected.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: September 26, 2023
    Assignee: Infineon Technologies AG
    Inventors: Andrea Hoeller, Walther Pachler
  • Patent number: 11765058
    Abstract: Systems are provided for facilitating the disclosed methods for performing event storage and diagnostic processing within a hybrid cloud environment. Event records are gathered and batched at an on-premises server. The event records are also appended with correlation vector data that enables the event records to be correlated with other events. The batch of event record batches are signed with a security key associated with a cloud storage container and the on-premises server is restricted to writing the batch of event records to the container. In some instances, the size of the batch is based on a duration of time for collecting records, which can be adjusted to accommodate for missing data.
    Type: Grant
    Filed: January 11, 2022
    Date of Patent: September 19, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Bhatt Rutwick Bharatkumar, Asudani Mohit
  • Patent number: 11762991
    Abstract: The present disclosure relates to methods, systems, and computer program products for generating an attack kill chain for threat analysis. The method comprises receiving a first security event captured by a first security operation associated with a computing device, and receiving a second security event captured by a second security operation associated with the computing device. The first security event and the second security event are associated with an attack campaign. The method further comprises mapping the first security event to first security data in an attack repository, and mapping the second security event to second security data in the attack repository. The method also comprises determining, based on the mapping, one or more attack execution operations for executing the attack campaign associated with the first security event and the second security event. Additionally, the method sequences the one or more attack execution operations to form an attack kill chain.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: September 19, 2023
    Assignee: QUALYS, INC.
    Inventors: Ankur S. Tyagi, Mayuresh Vishwas Dani
  • Patent number: 11755717
    Abstract: A method, apparatus, system, and computer program product for configuring a computing environment. A configuration profile is identified by a computer system for the computing environment that is to be deployed in which the computing environment meets a security policy to run an application in the computing environment. A determination is made, by the computer system, as to whether the configuration profile for the computing environment meets the security policy for running the application in the computing environment. The configuration profile for the computing environment is deployed, by the computer system, to configure the computing environment for the application in response to the configuration profile meeting the security policy.
    Type: Grant
    Filed: March 18, 2021
    Date of Patent: September 12, 2023
    Assignee: International Business Machines Corporation
    Inventors: Adam Robert Geiger, Nataraj Nagaratnam, Dinakaran Joseph, Michael S. Law, Priyank Narvekar, Hillery Hunter
  • Patent number: 11750592
    Abstract: The object of the invention relates to a method in which a telecommunications operator or an e-delivery provider can send notices by email to one or a number of recipients, certifying the content of the notice and with a link to a proxy server of a CA (certification authority) who will verify the digital certificate of the recipient and their identity.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: September 5, 2023
    Assignee: LLEIDANETWORKS SERVEIS TELEMATICS, S.A.
    Inventor: Francisco Sapena Soler
  • Patent number: 11741219
    Abstract: In general, one aspect disclosed features a media asset capture and processing method, implemented via a computer-based state machine executing on a computer processor, the method comprising: implementing a first phase including media asset capture and frame processing limited to Rich Execution Environment (REE) read-only (RO) frame access; implementing a second phase including processing with REE read-write (RW) frame access; and implementing a third phase including processing with REE read-only (RO) frame access.
    Type: Grant
    Filed: September 8, 2021
    Date of Patent: August 29, 2023
    Assignee: TruePic Inc.
    Inventors: Thomas Meng-tao Zeng, Oliver Rice, Chi Shing Chan, Sherif Hanna
  • Patent number: 11741268
    Abstract: Techniques for secure public exposure of digital data include extracting first digital data comprising one or more batches, each batch comprising a plurality of no more than a number T of packets, each packet containing a plurality of a number n of bits. A random binary matrix CK consisting of T rows and n columns is generated. For a first batch, a first random n-bit temporary key is generated and positions of the nT elements of matrix CK are randomized to produce matrix CK(RP). For a packet in the first batch, a first packet vector key is generated based on non-overlapping pairs of bit positions for both the temporary key and for a first packet-corresponding row of matrix CK(RP). An encrypted packet is generated for the packet based on the packet and the first packet vector key. The encrypted packet is exposed publicly.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: August 29, 2023
    Assignee: The Regents of the University of California
    Inventor: Hamid R. Sadjadpour
  • Patent number: 11700276
    Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: July 11, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Derek Abdine
  • Patent number: 11671246
    Abstract: A data provisioning device is arranged for provisioning a data processing entity from a set of data processing entities sharing the same joint decryption key. The data provisioning device comprises: a network interface configured to receive the provisioning data for provisioning the data processing entity, a joint encryption key associated with the joint decryption key, and control information indicating a processing scheme to be deployed by the data provisioning device when provisioning the data processing entity; a processor configured to process the provisioning data according to the control information to obtain processed provisioning data, to cryptographically encrypt the processed provisioning data using the received joint encryption key to obtain encrypted processed provisioning data; and a device interface configured to transmit the encrypted processed provisioning data to the data processing entity.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: June 6, 2023
    Assignee: Secure Thingz Limited
    Inventors: Stephan Spitz, Haydn Povey
  • Patent number: 11647041
    Abstract: A system and method enabling enterprises to engage in cyber threat information sharing in a privacy-enhanced fashion. The invention reduces the enterprise's risk to sensitive information leakage by inducing a state in the information it shares such that, when an enterprise's shared data attributes are interdependent, the sensitive features (those to be kept private to the enterprise) are not deducible by another enterprise. This state is accomplished by employing rough set theory to undermine the deductive route to the data's sensitive features.
    Type: Grant
    Filed: September 19, 2019
    Date of Patent: May 9, 2023
    Assignee: United States of America as represented by the Secretary of the Air Force
    Inventors: Laurent Y Njilla, Celestin Wafo Soh
  • Patent number: 11640471
    Abstract: A method (800) for detecting an injection vulnerability of a client-side templating system includes receiving a web page (200), determining that the web page implements an interpreted programming language framework (142) with client-side templating, and extracting a version (144) of the interpreted programming language framework and an interpolation sign (146) from the web page. The method also includes generating an attack payload (152a) for at least one injection vulnerability context (210) of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: May 2, 2023
    Assignee: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Patent number: 11610000
    Abstract: A system configured for identifying unpermitted data in source code receives a search query comprising particular keywords related to the unpermitted data. The system labels the source code with vulnerability factors and categories of those vulnerability factors, where the vulnerability factors indicate a security vulnerability and the categories provide information about the security vulnerability of the source code. The system performs a static analysis on the source code to identify instances of the particular keyword in a data flow and control flow of the source code. The system performs a vulnerability analysis on the source code to determine a vulnerability level of the source code, in which factor weights and category weights for each code portion of the source code are determined. The system calculates a weighted sum of the factor weights and category weights for each code portion, thereby detecting instances of unpermitted data in source code.
    Type: Grant
    Filed: October 7, 2020
    Date of Patent: March 21, 2023
    Assignee: Bank of America Corporation
    Inventors: Jack Lawson Bishop, III, Jason Conrad Starin, Kevin Dean Kirkwood
  • Patent number: 11604867
    Abstract: Online user account access control includes adjustable authentication challenge levels based on a level of match between observed attributes of a present login attempt and corresponding recorded attributes for the authentic user for the entered user identifier (UID). Login candidates whose attributes sufficiently closely match the recorded attributes for the entered UID are allowed to select an authentication graphic pattern registered for the UID from a set of alternatives, with the degree of complexity of such selection based authentication increasing according to the degree of difference between the observed attributes of the present login attempt and the corresponding recorded values for the UID, while by default, login candidates may be required to produce the registered authentication graphic pattern from blank slate.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: March 14, 2023
    Assignee: ThroughPuter, Inc.
    Inventor: Mark Henrik Sandstrom
  • Patent number: 11593528
    Abstract: Techniques for secure public exposure of digital data include extracting first digital data comprising one or more batches, each batch comprising a plurality of no more than a number T of packets, each packet containing a plurality of a number n of bits. A random binary matrix A consisting of T rows and n columns is generated. For a first batch, a first random n-bit temporary key is generated. For a packet in the first batch, a first packet vector key is generated based on random non-overlapping pairs of bit positions for both the temporary key and for a first packet-corresponding row of matrix A. An encrypted packet is generated for the packet based on the packet and the first packet vector key. The encrypted packet is exposed publicly.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: February 28, 2023
    Assignee: THE REGENTS OF THE UNIVERSITY OF CALIFORNIA
    Inventor: Hamid R. Sadjadpour
  • Patent number: 11595384
    Abstract: There is provided a digital identity network interface system that may include a communications module and a processor. The processor may be configured to receive a signal representing a digital identity request, the digital identity request defining one or more scopes associated with the request, at least one of the scopes identifying a data type associated with the request, generate a query based on the scopes by translating at least one of the scopes into a query having a query format associated with a digital identity network, the digital identity network storing data associated with a plurality of users, send a signal representing the query to the digital identity network, send a link to an authorization device, after successful authentication, obtain data associated with the digital identity request from the digital identity network, and release at least some of the data.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: February 28, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Malcolm Clarke, Brian Andrew Lam
  • Patent number: 11588850
    Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: February 21, 2023
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Deon Ogle, Yaron Koral, Cagatay Buyukkoc, Nicholas Arconati, Jitendra Patel, Bogdan Ungureanu
  • Patent number: 11582258
    Abstract: A method for DoS attacks at an NF includes maintaining, at a first NF, an NF subscription database containing rules that specify maximum numbers of allowed subscriptions and corresponding rule criteria. The method further includes receiving, at the first NF and from a second NF, a subscription request for establishing a subscription. The method further includes determining, by the first NF, that the subscription request matches criteria for at least one rule in the NF subscription database and incrementing, by the first NF, at least one count of a number of subscriptions for the at least one rule. The method further includes determining, by the first NF, that the at least one count of the number of subscriptions exceeds a maximum number of allowed subscriptions for the at least one rule.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: February 14, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Jay Rajput, Virendra Singh, Amarnath Jayaramachar
  • Patent number: 11556649
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate malware detection using compressed data. An example apparatus includes an input processor to obtain a model, the model identifying a first sequence associated with a first trace of data known to be repetitive, a sequence identifier to identify a second sequence associated with a second trace of data, a comparator to compare the first sequence with the second sequence, and an output processor to when the first sequence matches the second sequence, transmit an encoded representation of the second sequence to the central processing facility using a first channel of communication, and when the first sequence fails to match the second sequence, transmit the second sequence to the central processing facility using a second channel of communication, the second sequence to be analyzed by the central processing facility to identify whether the second sequence is indicative of malware.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: January 17, 2023
    Assignee: MCAFEE, LLC
    Inventors: German Lancioni, Pablo A. Michelis
  • Patent number: 11556650
    Abstract: Embodiments for managing the utilization of software releases are provided. Information associated with a software release and at least one early adopter of the software release is analyzed to calculate a severity score for the software release. A time to utilize the software release is determined based on the calculated severity score.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: January 17, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Keith Frost, Stephen Boxwell, Stanley Vernier, Kyle Brake
  • Patent number: 11553234
    Abstract: A multiple-identity secure device (MISD) persistently may store an identification code. The identification code may be stored in an integral memory of the device, or on an interchangeable card received in a physical interface of the MISD. The MISD may generate one or more unique identities (e.g., network addresses) from the stored identification code. The generated identities may be dynamically generated or may be securely stored in the MISD for subsequent retrieval. The generated identities may be generated in accordance with an addressing scheme, a global/network setting, or as determined from a received data transmission.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: January 10, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventor: Steven J. Reynolds