Patents Examined by Michael Simitoski
  • Patent number: 10193868
    Abstract: The system and method for protecting multiple networked enclaves each having one or more insecure machines. The system may include an attack detector as part of a secure node (e.g., SAFE node) proxy. The system may include an attack detector external to the proxy. The proxy may support multiple detectors and its actions may include isolating an insecure machine, cleansing an insecure machine, or tattling on (impugning the reputation of) an insecure machine.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: January 29, 2019
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Howard B. Reubenstein, Gregory Sullivan, David Wittenberg
  • Patent number: 10193900
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify candidate boundaries of Internet protocol addresses associated with a malicious Internet protocol address. An example method includes collecting, with a processor, netflow data associated with the Internet protocol addresses within a netblock having a lower boundary Internet protocol address and an upper boundary Internet protocol address, generating, with the processor, a first window of Internet protocol addresses numerically lower than the malicious Internet protocol address, generating, with the processor, a second window of Internet protocol addresses numerically higher than the malicious Internet protocol address, for respective Internet protocol addresses in the first and second windows, calculating, with the processor, occurrence counts associated with behavior features, and identifying candidate boundaries within the netblock based on divergence values caused by the behavior features.
    Type: Grant
    Filed: July 7, 2015
    Date of Patent: January 29, 2019
    Assignee: AT&T INTELLECTUAL PROPERTY I., L.P.
    Inventors: Baris Coskun, Suhrid Balakrishnan, Suhas Mathur
  • Patent number: 10182041
    Abstract: An apparatus, system, and method are disclosed for secure data transmissions. A method includes receiving a request for data that is encrypted according to a first encryption scheme, and determining a first public IP address associated with the request. The first public IP address identifies a remote client that created the request and is located in a field of a data packet that includes the request. The method includes determining a second public IP address associated with the request that identifies a sender of the request and is determined dynamically when the request is received. The method includes verifying an authenticity of the request in response to the first public IP address of the remote client matching the second public IP address of the sender. The method includes encrypting the requested data according to a second encryption scheme, and transferring the data to the remote client.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: January 15, 2019
    Assignee: CipherTooth, Inc.
    Inventor: Jerry Glade Hayward
  • Patent number: 10181957
    Abstract: Techniques for detecting and/or handling target attacks in an enterprise's email channel are provided. The techniques include receiving aspects of an incoming email message addressed to a first email account holder, selecting a recipient interaction profile and/or a sender profile from a plurality of predetermined profiles stored in a memory based upon the received properties, determining a message trust rating associated with the incoming email message based upon the incoming email message and the selected recipient interaction profile and/or the sender profile; and generating an alert identifying the incoming email message as including a security risk based upon the determined message trust rating.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: January 15, 2019
    Assignee: GraphUS, Inc.
    Inventor: Manoj Kumar Srivastava
  • Patent number: 10169587
    Abstract: A network can operate a WiFi access point with credentials. An unconfigured device can (i) support a Device Provisioning Protocol (DPP), (ii) record responder bootstrap public and private keys, and (iii) be marked with a tag. The network can record initiator bootstrap public and private keys, as well as derived initiator ephemeral public and private keys. An initiator can (i) operate a DPP application, (ii) read the tag, (iii) establish a secure and mutually authenticated connection with the network, and (iv) send the network data within the tag. The network can record the responder bootstrap public key and derive an encryption key with the (i) recorded responder bootstrap public key and (ii) derived initiator ephemeral private key. The network can encrypt credentials using the derived encryption key and send the encrypted credentials to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: January 1, 2019
    Inventor: John A. Nix
  • Patent number: 10156900
    Abstract: Apparatus, systems, and methods are provided for substantially continuous biometric identification (CBID) of an individual using eye signals in real time. The apparatus is included within a wearable computing device with identification of the device wearer based on iris recognition within one or more cameras directed at one or both eyes, and/or other physiological, anatomical and/or behavioral measures. Verification of device user identity can be used to enable or disable the display of secure information. Identity verification can also be included within information that is transmitted from the device in order to determine appropriate security measures by remote processing units. The apparatus may be incorporated within wearable computing that performs other functions including vision correction, head-mounted display, viewing the surrounding environment using scene camera(s), recording audio data via a microphone, and/or other sensing equipment.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: December 18, 2018
    Assignee: GOOGLE LLC
    Inventors: Nelson Publicover, Lewis Marggraff
  • Patent number: 10142343
    Abstract: In an unauthorized access detecting system, authentication information to be leaked outside is generated. In the unauthorized access detecting system, the generated authentication information is set on an analyzing host, and a program to be analyzed is operated on the analyzing host. In the unauthorized access detecting system, access to a content using the authentication information is detected, and if the access using the authentication information is detected, the access is identified as unauthorized access.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: November 27, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Mitsuaki Akiyama, Takeshi Yagi
  • Patent number: 10129751
    Abstract: An interface device may provide a first wireless network and a second wireless network in a user's premise. The interface device may encourage some user devices to connect to the second wireless network without controlling the user devices. For example, the interface device may receive a request from a device to access its first wireless network. The interface device may then determine whether the device is a premise device by, for example, searching a database of device registration information. The interface device may determine that the device is a premise device and deny the request to access the first wireless network. The device may then be available to access the second wireless network.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: November 13, 2018
    Assignee: Comcast Cable Communications, LLC
    Inventors: Sukhjinder Singh, John Carvalho
  • Patent number: 10129248
    Abstract: An authentication system is provided using one-time passwords (OTPs) for user authentication. An OTP key may be stored on a different device than the device on which the OTP is generated. In an embodiment, the system described herein enables a combined authentication system, including the two separate devices communicating over a non-contact interface, to provide advantageous security features compared to the use of a single device, such as a hardware OTP token. One device may be a personal security device and the other device may be a reader device coupled to a host device via which access is being controlled.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: November 13, 2018
    Assignee: Assa Abloy AB
    Inventors: Julian Eric Lovelock, Philip Hoyer
  • Patent number: 10122741
    Abstract: Non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: November 6, 2018
    Assignee: Los Alamos National Security, LLC
    Inventors: Joshua Neil, Alexander Kent, Curtis Hash, Jr., Michael Fisk, Alexander Brugh, Curtis Storlie, Benjamin Uphoff
  • Patent number: 10120995
    Abstract: A device unlock pattern (“pattern password”) is static in that the same pattern is entered each time to unlock a device. Due to this repetition, a pattern password may be discovered by an application that captures touchscreen gestures, by inspection of fingerprints or smudges on a screen, or simply by an onlooker that views the pattern password being entered. A variable hint pattern can be used to impede discovery. A hint pattern is a sub-pattern (“hint”) of the pattern password to be completed for device unlock. A variable hint pattern can impede discovery by changing the sub-pattern at a defined change threshold related to unlock attempts. The device can randomly change the sub-pattern or randomly change the missing portions of the pattern password at each change threshold. As a result, different inputs complete the pattern password. This variance stymies the methods typically used to discover pattern passwords.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: November 6, 2018
    Assignee: CA, Inc.
    Inventors: Yashwant Ramkishan Sawant, Mohammed Mujeeb Kaladgi, Ruqiya Nikhat Kaladgi, Junaid Ahmed Jameel, Jameel Ahmed Kaladgi
  • Patent number: 10116438
    Abstract: A method is used in managing use of security keys. Based on a request for use of a key that serves as part of a data security system, a set of criteria to apply to the request is determined. The set of criteria pertain to security management of the key that is subject of the request. The set of criteria is applied to the request; and a result is determined based on the application of the set of criteria.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: October 30, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Marten E. Van Dijk, Todd A. Morneau, William M. Duane
  • Patent number: 10110607
    Abstract: Methods and systems for accessing databases using a common web interface are provided. A method for transmitting data retrieved from an endpoint device to a client device using a common web interface includes providing the common web interface to the client device. The common web interface allows access to a plurality of endpoint devices, each endpoint device comprising a unique endpoint address. The method further includes receiving, by a computer, identification data from the client device, retrieving an endpoint address for one of the plurality of endpoint devices based on the identification data, connecting to the endpoint device corresponding to the endpoint address, retrieving data from the endpoint device, and transmitting the retrieved data to the client device.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: October 23, 2018
    Assignee: LexisNexis, A Division of Reed Elsevier, Inc.
    Inventors: Mark McCray, Eric Scott Davis
  • Patent number: 10084821
    Abstract: Adapting access rules for a data interchange between a first network and a second network by the second network is provided based on a service-specific integrity information item of the first network, wherein the first network processes data for carrying out a service and the service defines multiple components. A respective integrity status is transmitted for each of the components by each respective component via a communication link within the first network to a management unit of the first network. The service-specific integrity information item is computed based on each respective integrity status by the management unit. The service-specific integrity information item is transmitted by a network access point of the first network to a receiver in the second network for adapting the access rules. Access by the receiver to each respective integrity status is prevented.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: September 25, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Kai Fischer, Steffen Fries
  • Patent number: 10063569
    Abstract: Embodiments of an invention for custom protection against side channel attacks are disclosed. In one embodiment, a processor includes instruction hardware and execution hardware. The instruction hardware is to receive an instruction to provide for shielding code against side channel attacks, wherein the instruction includes a first operand to specify one of a plurality of levels of protection. The execution hardware is to execute the instruction, wherein execution of the instruction includes configuring the processor to provide a specified level of protection.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: August 28, 2018
    Assignee: Intel Corporation
    Inventor: Paul Caprioli
  • Patent number: 10057212
    Abstract: A personal computer, a smartphone, a tablet, a web server or a cloud server configured for connection to a network of computers or system on a microchip including one or more buffer zones excluding circuitry and two or more zones, each including circuitry. The one or more buffer zones form one or more boundaries separating the zones including circuitry. At least a first of the zones including circuitry includes at least one public unit with a microprocessor and a network communication component. At least a second of the zones including circuitry includes at least one private unit with at least a separate, private network connection and a microprocessor that is a central controller of the computer. The public unit and the at least one private unit can be connected by at least one secure control bus that is isolated from input from a public network.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: August 21, 2018
    Inventor: Frampton E. Ellis
  • Patent number: 10050794
    Abstract: The present invention relates to a method (500) performed at an IP network node for IPSec establishment with other IP network nodes in a network. The method comprises collecting (S1) information about the other IP network nodes in the network using a dynamic routing protocol, the information comprising an IP address associated with the respective other IP network node, and establishing (S2) an IPSec relationship with a predetermined set of the other IP network nodes in the network based on the collected information and based on Internet Key Exchange (IKE) using a certification protocol and the identity of the IP network node, wherein the identity of the IP network node is determined by a pre-stored node certificate.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: August 14, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Jonas Tevemark
  • Patent number: 10044683
    Abstract: The disclosure is directed to reduce a load of time and cost at the time of transition to a safer system in which an encryption scheme is newly set. By allowing a device of a transition step which implements a predetermined security reinforcement measure to handle high-value content only for a given system transition period, a problem of a time necessary for the transition can be avoided and the transition to the safer system can be performed smoothly. The device mentioned herein which implements the predetermined security reinforcement measure is, for example, a device which supports only an existing encryption algorithm and for which security of a weaker portion other than the encryption scheme is ensured.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: August 7, 2018
    Assignee: SONY CORPORATION
    Inventor: Takehiko Nakano
  • Patent number: 10038755
    Abstract: A system and method for provisioning a push notification session via a communications network between an application on a client terminal and a server corresponding to the application. In one aspect, a push provisioning entity transmits a message to the client terminal, whereby to configure the client terminal into a state in which it is able to request a push notification session with the server. An application on the client terminal can then request establishment of a push notification session by transmitting a push notification session request message to the push provisioning entity. The push provisioning entity generates a token for use in validating the push notification session, associates the generated token with the application and transmits the token to the application, which uses it to establish the push notification session.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: July 31, 2018
    Assignee: BlackBerry Limited
    Inventors: Haniff Somani, Sean Michael Quinlan
  • Patent number: 10038565
    Abstract: Methods and systems are provided for bypassing an authenticity check for a secure control module. In one embodiment, a method includes: receiving authenticity data from a secure source, wherein the authenticity data includes a signature and an identifier that is unique to the control module; programming the control module with the authenticity data; and bypassing the authenticity check of a control program of the control module based on the authenticity data.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: July 31, 2018
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: Ansaf I. Alrabady, Kevin M. Baltes, J. David Rosa, Thomas M. Forest, Alan D. Wist