Patents Examined by Muhammad Chaudhry
  • Patent number: 9130920
    Abstract: A network security layer with a role mapping component with a current role mapping between services and access permissions is provided between a user and the services. A multi-tenancy module with current membership mapping is also provided. The security layer has a network authentication protocol for user authentication at log-in. Snapshots of a baseline role mapping between services and permissions are taken at certain times. The role mapping component verifies snapshots at set intervals, and when the user performs certain actions, the current role mapping is compared with the baseline role mapping. Upon discrepancy, the role mapping component executes a set of rules, including forceful log-out to prevent system intrusion. Comparison of current membership mapping with a baseline membership mapping can also be applied. The security layer can thus monitor authorization-exceeding modifications to baseline policies attempted by logged-in and initially authorized users.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: September 8, 2015
    Assignee: ZETTASET, Inc.
    Inventor: Konstantin I. Pelykh
  • Patent number: 9130940
    Abstract: A network system includes network relay devices including a master device for administrating the network system, and a member device to be administrated by the master device. When the master device receives an authentication request from an external terminal connected to the network system, the master device performs an authentication processing for authorizing or denying the authentication request. When the authentication request is authorized, one network relay device connected to the external terminal in the network system performs a communication-authorizing processing for authorizing a communication between the external terminal and the one network relay device, and performs a transmission processing for transmitting a communication authorization data to an other network relay device which is not connected to the external terminal in the network system.
    Type: Grant
    Filed: January 4, 2013
    Date of Patent: September 8, 2015
    Assignee: HITACHI METALS, LTD.
    Inventor: Taketo Kamikawa
  • Patent number: 9124433
    Abstract: Authentication devices and methods for generating dynamic credentials are disclosed. The authentication devices include a communication interface for communicating with a security device such as a smart card.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: September 1, 2015
    Assignee: VASCO DATA SECURITY, INC.
    Inventors: Dirk Marien, Frank Coulier, Frank Hoornaert, Frederik Mennes
  • Patent number: 9106692
    Abstract: A system and a method for advanced malware analysis. The method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files, launches a plurality of sandboxes, executes each of the executable files in the plurality of sandboxes, the sandboxes generating analysis results that may be used to determine whether each executable file is malicious, normalizes the analysis results, evaluates the risk level of the attachments to the forwarded message based on the normalized analysis results of the executable files in the attachments to the forwarded message, and, if the risk level of an attachment to the forwarded message is above a certain level, determines that the forwarded message is malicious and permanently quarantines the forwarded message.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: August 11, 2015
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Calvin H. Smith, Kenneth Maclean, Jason J. Liu, Stephen Mann, Wendy Mann, Ryan Chapin
  • Patent number: 9106408
    Abstract: The object is to provide an attribute-based signature scheme which is flexible in the design and which supports a non-monotone predicate. An access structure is constituted by applying the inner-product of the attribute vectors to a non-monotone span program. This access structure is flexible in the design of the span program and in the design of the attribute vectors, providing high flexibility in the design of access control. By incorporating the concept of secret distribution in the access structure, the attribute-based signature scheme which supports the non-monotone predicate is realized.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: August 11, 2015
    Assignees: Mitsubishi Electric Corporation, NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Katsuyuki Takashima, Tatsuaki Okamoto
  • Patent number: 9077700
    Abstract: There is provided an authentication server including: a network access authenticating unit and an address notifying unit wherein the network access authenticating unit receives, from an authentication relay connected to a network, a first authentication message for a communication device existing under the authentication relay, and executes network access authentication process with the communication device, and the address notifying unit notifies the communication device of the server's address information in accordance with a result of the network access authentication process.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: July 7, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yasuyuki Tanaka, Yoshihiro Oba, Mitsuru Kanda
  • Patent number: 9077709
    Abstract: Method for managing appliance authentication. In one embodiment, the method comprises generating, by a server, a first secret and a second secret from a certificate; transmitting from the server to a client computer, via a first channel secured and trusted based on a trusted computer, the first secret and the second secret; presenting the certificate to an appliance in response to a secure channel request from the appliance, wherein the appliance is holding the first secret; receiving, from the appliance, a description of a second channel, via the appliance, between the client computer and the server; establishing a trust in the second channel based on the description; and transmitting, in response to the trust in the second channel, via the second channel, channel information that comprises a portion of the description signed by the second secret.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: July 7, 2015
    Assignee: Teradici Corporation
    Inventors: William John Dall, Arthur Neil Klassen
  • Patent number: 9053130
    Abstract: A method for storing binary data, preferably in the form of Binary Large Objects (BLOBs), in more than one location. The method includes the steps of producing a processing thread corresponding to each location where the data is to be stored and verifying whether each thread has completed successfully after a predetermined time period. Information relating to the storage of the binary data is stored in an access token.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: June 9, 2015
    Assignee: STEALTH Software IP S.á.r.l.
    Inventor: Thomas Garrard
  • Patent number: 9043895
    Abstract: A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms.
    Type: Grant
    Filed: August 1, 2011
    Date of Patent: May 26, 2015
    Assignee: GREEN SQL LTD.
    Inventors: David Maman, Yuli Stremovsky
  • Patent number: 8964984
    Abstract: Detecting a speed violation of a vehicle traveling from a first roadside system to a second roadside system comprises: protecting evidence data collected at two roadside systems by encrypting each set of data with random session keys at each roadside system, and then encrypting the random session keys with a public key generated from an identity that may include a vehicle identifier and a timestamp. A ratio of the public keys is calculated and used to detect a violation, whereupon a private key is obtained for decrypting at least one of the encrypted session keys, and decrypting at least one of the encrypted evidence data with the decrypted session key.
    Type: Grant
    Filed: April 5, 2013
    Date of Patent: February 24, 2015
    Assignee: Kapsch TrafficCom AG
    Inventors: Alexander Abl, Stefan Rass, Peter Schartner, Patrick Horster