Patents Examined by Mohammed Waliullah
  • Patent number: 11025668
    Abstract: The threat of malicious parties exposing users' credentials from one system and applying the exposed credentials to a different system to gain unauthorized access is addressed in the present disclosure by systems and methods to preemptively and reactively mitigate the risk of users reusing passwords between systems. A security device passively monitors traffic comprising authorization requests within a network to reactively identify an ongoing attack based on its use of exposed credentials in the authorization request and identifies accounts that are vulnerable to attacks using exposed credentials by actively attempting to log into those accounts with exposed passwords from other networks. The systems and methods reduce the number of false positives associated with attack identification and strengthen the network against potential attacks, thus improving the network's security and reducing the amount of resources needed to securely manage the network.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: June 1, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Itai Grady, Michael Dubinsky, Benny Lakunishok, Idan Plotnik, Tal Arieh Be'ery
  • Patent number: 11019038
    Abstract: Methods to strengthen the cyber-security and privacy in a proposed deterministic Internet of Things (IoT) network are described. The proposed deterministic IoT consists of a network of simple deterministic packet switches under the control of a low-complexity ‘Software Defined Networking’ (SDN) control-plane. The network can transport ‘Deterministic Traffic Flows’ (DTFs), where each DTF has a source node, a destination node, a fixed path through the network, and a deterministic or guaranteed rate of transmission. The SDN control-plane can configure millions of distinct interference-free ‘Deterministic Virtual Networks’ (DVNs) into the IoT, where each DVN is a collection of interference-free DTFs. The SDN control-plane can configure each deterministic packet switch to store several deterministic periodic schedules, defined for a scheduling-frame which comprises F time-slots. The schedules of a network determine which DTFs are authorized to transmit data over each fiber-optic link of the network.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: May 25, 2021
    Inventor: Ted H. Szymanski
  • Patent number: 11018850
    Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: May 25, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: David C. Carver, Leen Khalid A. Al Shenibr, Vladimir Shtokman
  • Patent number: 11017074
    Abstract: An example computer-implemented method of providing security for a software container includes discovering credentials that a software container is expected to use at runtime. The discovering is performed prior to instantiation of the software container from a container image, and is based on one or more of credentials stored in the container image, credentials stored in runtime configuration data for the software container, and credentials from a secrets management service. An unsafe credential set is determined that includes one or more of the discovered credentials that do not meet predefined credential safety criteria. A runtime request is intercepted from the software container. A credential violation is detected based on the intercepted runtime request attempting to use a credential from the unsafe discovered credential set. A corrective action is performed for the software container based on the detected credential violation.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: May 25, 2021
    Assignee: Aqua Security Software, Ltd.
    Inventors: Michael Cherny, Sagie Dulce
  • Patent number: 11005864
    Abstract: Techniques for user behavior anomaly detection. At least one low-variance characteristic is compared to an expected result for the corresponding low-variance characteristics to determine if the low-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the low-variance characteristic not being within the first pre-selected range of the expected results. At least one high-variance characteristic is compared to an expected result for the corresponding high-variance characteristics to determine if the high-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the high-variance characteristic not being within the first pre-selected range of the expected results. Access is provided if the low-variance and the high-variance characteristics are within the respective expected ranges.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: May 11, 2021
    Assignee: salesforce.com, inc.
    Inventors: Matthew Saunders, Ping Yan, John Slater, Wei Deng
  • Patent number: 10999130
    Abstract: A computer-implemented method includes generating, by one or more processors, a hyperlink targeting a Uniform Resource Locator (URL), detecting a selection of the generated hyperlink by one or more social entities across one or more social networks, generating a report, wherein the generated report includes analytical details regarding the selection of the generated hyperlink by the one or more social entities, and providing the generated report to a user associated with a protected social entity.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: May 4, 2021
    Assignee: ZeroFOX, Inc.
    Inventors: James Foster, Evan Blair, Christopher B. Cullison, Robert Francis
  • Patent number: 10999314
    Abstract: The present disclosure provides a method, system, and device for securely updating a software release across a network. To illustrate, a server may compile a transaction log that includes information corresponding to one or more nodes in the network to which the software release has been transmitted. The server may analyze one or more files based on vulnerability information to identify at least one file of the one or more files that poses a risk. The server may also identify at least one node of the network at which the at least one file is deployed. Based on identifying the at least one node, the server may transmit a corrective action with respect to the at least one node.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: May 4, 2021
    Assignee: JFrog Ltd.
    Inventor: Yoav Landman
  • Patent number: 10992694
    Abstract: A surveillance system connectable to a network, comprising a communication module and a management module; said system being configured to, during an initialization phase: a. intercept a first message being sent to a first device; b. intercept a second message said second message being a response from the first device to the first message; c. calculate a time interval between the interception of the first message and the second message; d. repeat the steps a. to c. to determine further time intervals; e. determine a distribution of said time intervals; f. store the distribution and during a surveillance phase, intercept a third message said message being sent to the first device; intercept a fourth message said fourth message being a response to the third message; calculate a new time interval between the interception of the third and fourth messages; and verify that the new time interval is within the distribution.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: April 27, 2021
    Assignee: NAGRAVISION S.A.
    Inventors: Olivier Brique, Patrick Servet
  • Patent number: 10984104
    Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: April 20, 2021
    Assignee: AlienVault, Inc.
    Inventors: Srivathsan Srinivasagopalan, Alex Lisle, Russell Spitler, Roger Thornton
  • Patent number: 10977342
    Abstract: A Trustonic DRM Plug-in is provided that can be downloaded and operate in conjunction with an Android framework. The solution also includes a PVP with the downloadable DRM. The system includes components that can be added by Trustonic based on the Android 4.3 Framework in addition to current t-base 300 that can be used by any DRM vendor. The system enables the DRM to be downloaded in the field since all DRMs could use the standard API services of the Android 4.3 OS. With a codec component employed like H.264 or HEVC that can use the PVP with the downloaded DRM component, the Android video player can use the component to satisfy HD content security requirements.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: April 13, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Geetha Mangalore, Steven Anderson
  • Patent number: 10977344
    Abstract: A method for online authentication includes receiving membership authenticating information specific to members of a particular affiliation from the members and from one or more remote databases. The information is aggregated and stored in an aggregate database. An individual is authenticated, via a widget at least one of integrated into, and accessible by, at least one of a mobile application and a website of a provider of at least one of a particular program and a particular service, as a member of the particular affiliation based on a comparison of authenticating indicia provided online by the individual and the information stored in at least one of the aggregate database and the remote databases. Digital credentials are provided to the individual for access to the at least one of the particular program and the particular service when the individual is authenticated. The credentials include a unique identifier, a login and password.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: April 13, 2021
    Assignee: ID.me, Inc.
    Inventors: Blake Hall, Matthew Thompson, Tony Huynh, William Kern
  • Patent number: 10965453
    Abstract: A method and system for encryption and decryption. The system includes a user computing device, a root secret server, and a backend server. The root secret server has a root secret code, and when receiving a fingerprint of the user computing device, calculates a device secret code for that device using the fingerprint. When sensitive data needs to be encrypted, the user computing device calculates a data key for the data based on the device secret code and the data information, and encrypts the data. The backend server retrieves the root secret code from the root secret server, and in response to receiving the encrypted data, retrieves data information and calculates the data key to decrypt the data. Similarly, the backend server can encrypt data and the user computing device can decrypt data. The root secret code, the device code, and the data key form a three level encryption mechanism.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: March 30, 2021
    Assignees: Beijing Jingdong Shangke Information Technology Co., Ltd., JD.com American Technologies Corporation
    Inventors: Yueh-Hsun Lin, Wei Gao, Jimmy Su
  • Patent number: 10951629
    Abstract: A trusted branded email method and apparatus in one aspect detects branded electronic messages and performs validation before it is sent to a recipient. In another aspect, an electronic message is branded by embedding branding assets and validation signatures. Algorithms that generate validation signatures are dynamically selected to further strengthen the security aspects. Branding assets are presented to a user using a distinct indicia that represents to the user that the branding assets are secure.
    Type: Grant
    Filed: April 3, 2019
    Date of Patent: March 16, 2021
    Assignee: Jose J. Picazo, Jr. Separate Property Trust
    Inventors: Harish Seshadri, Noel Ruane
  • Patent number: 10944760
    Abstract: An identification, authentication and authorization method in a laboratory system is presented. The system comprises at least one laboratory device. The method comprises receiving identification data identifying a user; receiving identity confirmation data to authenticate the user; and generating authentication data upon successful authentication of the user. The authentication data is configured to enable authentication of the user based on only the identification data during a validity time period without repeated receipt of the identity confirmation data. The method further comprises receiving the identification data by an identification unit; validating the authentication data corresponding to the identification data comprising the step of verifying non-expiry of the validity time period; and granting authorization to the user for the laboratory device upon successful validation of the authentication data.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: March 9, 2021
    Assignee: Roche Diagnostics Operations, Inc.
    Inventors: Lothar Gramelspacher, Andrzej Knafel, Anton Steimle
  • Patent number: 10938554
    Abstract: Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with a first set of identities as input such that only servers of the first set of identities can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that all servers except those that have the second set of identities can decrypt the second piece. The keys are transmitted to the servers.
    Type: Grant
    Filed: January 7, 2019
    Date of Patent: March 2, 2021
    Assignee: CLOUDFLARE, INC.
    Inventors: Nicholas Thomas Sullivan, Brendan Scott McMillion
  • Patent number: 10936731
    Abstract: A method, system, and computer program product for performing strong desensitization of sensitive data within a garbled circuit includes: compiling a predetermined program into a first program, where the compiled first program is encoded in a form of a garbled circuit, and where the predetermined program runs on sensitive data; and executing the first program, where executing the first program includes: executing an analytics function using tokenized data with a first set of sensitive information and analytics data with a second set of sensitive information, where the tokenized data originated from a data provider and the analytics data originated from an analytics provider; and generating an output of the first program using a result of the analytics function, where the output contains desensitized data.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: March 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jeb R. Linton, Dennis Kramer, Irma Sheriff
  • Patent number: 10922384
    Abstract: A platform and method for content management is disclosed. A content right management method includes receiving contents from a user, and generating a create key for a right for the contents by encrypting the contents using encryption information, in which the create key includes a copyright of the contents and a creation right of the contents.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: February 16, 2021
    Assignee: Whoborn, Inc.
    Inventor: Young Sik Bae
  • Patent number: 10915642
    Abstract: A method, system, and computer program product for performing strong desensitization of sensitive data within a garbled circuit includes: compiling a predetermined program into a first program, where the compiled first program is encoded in a form of a garbled circuit, and where the predetermined program runs on sensitive data; and executing the first program, where executing the first program includes: executing an analytics function using tokenized data with a first set of sensitive information and analytics data with a second set of sensitive information, where the tokenized data originated from a data provider and the analytics data originated from an analytics provider; and generating an output of the first program using a result of the analytics function, where the output contains desensitized data.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: February 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jeb R. Linton, Dennis Kramer, Irma Sheriff
  • Patent number: 10903975
    Abstract: An apparatus and method for performing an operation which are secure against side-channel attack are provided. According to one embodiment of the present disclosure, the apparatus includes a first extractor configured to extract one or more first parameter candidate values corresponding to a seed value from a first parameter candidate value set, a first outputter configured to output a first output value using the extracted first parameter candidate values, a second extractor configured to extract one or more second parameter candidate values corresponding to the seed value from a second parameter candidate value set, and a second outputter configured to output a second output value using the extracted second parameter candidate values wherein the second output value is capable of being generated using the first output value.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: January 26, 2021
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Kyu-Young Choi, Duk-Jae Moon, Hyo-Jin Yoon, Ji-Hoon Cho
  • Patent number: 10904002
    Abstract: Techniques for enhancing the security of storing sensitive information or a token on a communication device may include sending a request for the sensitive information or token. The communication device may receive a session key encrypted with a hash value derived from user authentication data that authenticates the user of the communication device, and the sensitive information or token encrypted with the session key. The session key encrypted with the hash value, and the sensitive information or token encrypted with the session key can be stored in a memory of the communication device.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: January 26, 2021
    Assignee: Visa International Service Association
    Inventor: Karthikeyan Palanisamy