Patents Examined by Piotr Poltorak
  • Patent number: 10754968
    Abstract: An apparatus, computer program, and method are afforded for providing a peer-to-peer security protocol. In operation, a message is identified that is directed from a first peer device to a second peer device. Further, the message is copied, so that a copy of the message is caused to be sent to an auditing server.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: August 25, 2020
    Assignee: DIGITAL 14 LLC
    Inventors: Alexander Sherkin, Ravi Singh, Michael Matovsky, Eugene Chin
  • Patent number: 10742682
    Abstract: An attack data packet processing method, an apparatus, and a system are provided. The method includes receiving, by a management node, description information of an attack data packet and an attack type of the attack data packet, where the description information and the attack type are sent by an awareness node; determining a processing policy on the attack data packet of the attack type according to the attack type; and sending the description information and the processing policy to a switch using a software-defined networking controller, so that the switch performs an operation indicated by the processing policy on the attack data packet with the description information.
    Type: Grant
    Filed: June 22, 2017
    Date of Patent: August 11, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Qinghua Yu, Xinhua Yang
  • Patent number: 10728226
    Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: July 28, 2020
    Assignee: Sophos Limited
    Inventors: Stefan Ortner, Andreas Berger, Vincent Vanbiervliet, Kenneth D. Ray
  • Patent number: 10720237
    Abstract: A method and apparatus for operating a device by controlling the device based on input received from group members, uses a sensor for monitoring each group member for detecting an instruction provided by a group member. The instruction includes a visual or audible instruction. Upon detecting, a controller associates a control command with the instruction. The controller provides the control command to the device. For establishing the group, an authentication is performed for adding a user as a group member. For identifying the control command, the detected instruction is associated with the instructing group member, where the member profile is accessed from a memory including a set of reference instructions, and the instruction is matched with a reference instruction selected from the set of reference instructions in the profile.
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: July 21, 2020
    Assignee: Koninklijke Philips N.V.
    Inventors: Iulia Dobai, Njin-Zu Chen, Marleen Johanna Jacoba Van Leengoed
  • Patent number: 10721057
    Abstract: Systems and methods for end-to-end encryption and dynamic resizing and encoding into grouped byte channels are described herein. A query is homomorphically encrypted at a client using dynamic channel techniques. The encrypted query is sent without a private key to a server for evaluation over target data to generate encrypted response without decrypting the encrypted query. The result elements of the encrypted response are grouped, co-located, and dynamically resized and encoded into grouped byte channels using the dynamic channel techniques, without decrypting the encrypted query or the encrypted response. The encrypted response is sent to the client where the client uses the private key and channel extraction techniques associated with the dynamic channel techniques to decrypt and perform channel extraction on the encrypted response to obtain the results of the query without revealing the query or results to a target data owner, an observer, or an attacker.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: July 21, 2020
    Assignee: Enveil, Inc.
    Inventor: Ryan Carr
  • Patent number: 10715316
    Abstract: Access to digital data is provided based on a specific location of a receiver device. In one embodiment, for each one of a plurality of digital files, a location identity is received, where the location identity includes a location value (e.g., a geographical location) and a proximity value (e.g., a geographical region in relation to the geographical location), thereby defining a particular area. A location of a receiver device (e.g., operated by a user) is then received (e.g., in response to a query) and used to select at least one of the plurality of digital files (e.g., one that matches the user's location). The selected file (i.e., selected digital data or selected content) is then provided to the receiver device.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: July 14, 2020
    Assignee: Geo Codex, LLC
    Inventors: Dorothy E. Denning, Barry J. Glick, Ronald S. Karpf, Mark E Seiler
  • Patent number: 10715557
    Abstract: System and method for establishing secure conference calls. In one example system, a central conference call server establishes point-to-point connections with accessory devices comprising a secure element and connected to corresponding participant devices. The conference call server includes an interface to a plurality of secure elements configured to perform scrambling and unscrambling of media signals communicated to and from the accessory devices. In another example, one of the participant devices operates as the central conference call server. In other examples, participant devices communicate on a conference call via point-to-point connections between all accessory devices connected to the participant devices. The accessory devices include secure elements for decryption and encryption of media signals communicated between the accessory devices.
    Type: Grant
    Filed: September 13, 2018
    Date of Patent: July 14, 2020
    Assignee: NAGRAVISION S.A.
    Inventors: Francois Fer, Marco Macchetti, Laurent Gauteron, Jerome Perrine
  • Patent number: 10715500
    Abstract: A computer-implemented method for information protection comprises: committing a transaction amount of a transaction with a first commitment scheme to obtain a transaction commitment value, committing a change of the transaction with a second commitment scheme to obtain a change commitment value, the first commitment scheme comprising a transaction blinding factor, and the second commitment scheme comprising a change blinding factor; encrypting a first combination of the change blinding factor and the change with a first key; transmitting the transaction blinding factor, the transaction amount, and the transaction commitment value to a recipient node associated with a recipient for the recipient node to verify the transaction; in response to the recipient successfully verifying the transaction, obtaining an encrypted second combination of the transaction blinding factor and the transaction amount encrypted with a second key.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: July 14, 2020
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventors: Huanyu Ma, Wenbin Zhang, Baoli Ma, Zheng Liu, Jiahui Cui
  • Patent number: 10708230
    Abstract: The present disclosure relates generally to firewall configuration management, and, more specifically, to managing firewall configurations using dynamically generated block lists. A computer-implemented method includes adding an entry as a record in a block list entries table and associating the entry with a block list in a block list table and with an observable in an observables table. The method also includes activating the entry in the block list entries table to allow or block subsequent occurrences of the observable on a client network. The method further includes receiving a request for the block list from a firewall disposed on the client network and, in response, generating the block list from activated entries in the block list table and block list entries table and sending the block list to the firewall, wherein the firewall is configured to allow or block network traffic associated with the observable on the client network in accordance with the block list.
    Type: Grant
    Filed: June 14, 2018
    Date of Patent: July 7, 2020
    Assignee: ServiceNow, Inc.
    Inventors: Sangshu Huang, John Gerald Ferguson, Kurt Zettel
  • Patent number: 10706155
    Abstract: Systems for providing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a security assessments provisioning service that provisions third-party-authored rules packages and security assessments into the computing environment of the target computing resource. The third-party rules package includes rules that can operate on telemetry and configuration data of the target computing resource, produced by sensors that are native to the computing environment, but the sensor protocols, message format, and sensitive data are not exposed to the rules. The provisioning service can provide security assessments and/or rules packages that are “native” and are thus able to operate directly on the telemetry and configuration data.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: July 7, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Vladimir Veselov, Adrian-Radu Grajdeanu, Hassan Sultan
  • Patent number: 10701052
    Abstract: In one example, a system for authenticating domains operates by authenticating a first domain and the extensions that make up the URI of an initial or primary Internet network call. Thereafter, the system can enable the owner of the first domain to make assertions or statements about additional domains and URIs that make up the rest of the web page, session or application.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: June 30, 2020
    Inventors: Mark Kevin Shull, John-Francis Mergen
  • Patent number: 10691838
    Abstract: Techniques for multiplexing between an execute-in-place (XIP) mode and a memory-mapped input/output (MMIO) mode for access to external memory devices are described herein. In an example embodiment, an IC device comprises a serial interface and a controller that is configured to communicate with external memory devices over the serial interface. The controller comprises a control register and a cryptography block. The control register is configured to indicate an XIP mode or a MMIO mode. Caches in XIP interfaces provide seamless access to multiple memories, or multiple portions of a single memory. The cryptography block is configured to encrypt and decrypt XIP data transfers to and from a first external memory device in the XIP mode, and to encrypt and decrypt MMIO data transfers to and from a second external memory device in the MMIO mode.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: June 23, 2020
    Assignee: Cypress Semiconductor Corporation
    Inventors: Hans Van Antwerpen, Jan-Willem Van de Waerdt
  • Patent number: 10686885
    Abstract: The present disclosure relates to methods and systems for managing a guest virtual machine executing within a virtualized environment. A daemon is established on a guest virtual machine executing within a virtualized environment. The daemon is configured to communicate with a management service virtual machine executing within the virtualized environment. The daemon receives, from the management service virtual machine via an application layer protocol, a request identifying an action type of a plurality of predetermined action types. The daemon identifies the action type of the plurality of predetermined action types from the received request and performs an action corresponding to the identified action type. In some implementations, the application layer protocol is one of Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS).
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: June 16, 2020
    Assignee: Citrix Systems, Inc.
    Inventors: Raghu Goyal, Sanjay Gupta, Dave Saurabh
  • Patent number: 10686792
    Abstract: A machine has a network interface circuit to coordinate communications with a network. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to collect network traffic from the network through the network interface circuit. The network traffic includes on premise identity service user object data and cloud service user object data. Merged user objects are derived from the network traffic. Each merged user object includes user object attributes from the on premise identity service user object data and user object attributes from the cloud service user object data. The merged user objects are utilized to administer access over the network to on premise computation resources and third-party computation resources.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: June 16, 2020
    Assignee: Nuvolex, Inc.
    Inventors: Joshua Keefer, Brian Hamel
  • Patent number: 10686817
    Abstract: Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.
    Type: Grant
    Filed: September 21, 2015
    Date of Patent: June 16, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Prasad V. Rao, Sandeep N. Bhatt, William G. Horne, Pratyusa K. Manadhata, Miranda Jane Felicity Mowbray
  • Patent number: 10673858
    Abstract: Methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to authenticate a first device for access to a first service provider are disclosed. Example methods disclosed herein include sending, by executing a first instruction with a processor at a first service provider, an authentication request from the first service provider to a second service provider. The authentication request is generated in response to an access request from the first device and includes an identification code assigned to the first device by the second service provider. Example methods also include obtaining, at the first service provider, an authentication response from the second service provider. The authentication response is generated by the second service provider in response to the authentication request. Example methods further include, based on the authentication response, granting, by executing a second instruction with the processor, the first device access to the first service provider.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: June 2, 2020
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Dale W. Malik
  • Patent number: 10659439
    Abstract: Device identification scoring systems and methods may be provided that can increase the reliability and security of communications between devices and service providers. Users may select and configure additional identification factors that are unique and convenient for them. These factors, along with additional environmental variables, feed into a trust score computation that weights the trustworthiness of the device context requesting communication with a service provider. Service providers rely on the trust score rather than enforce a specific identification routine themselves. A combination of identification factors selected by the user can be aggregated together to produce a trust score high enough to gain access to a given online service provider. A threshold of identification risk may be required to access a service or account provided by the online service provider.
    Type: Grant
    Filed: April 8, 2016
    Date of Patent: May 19, 2020
    Assignee: ESW Holdings, Inc.
    Inventors: Michael Sprague, Steven Sprague, Robert Thibadeau
  • Patent number: 10659187
    Abstract: A method for securely providing a receiver unit with a replica pseudo-random noise code is provided. The replica pseudo-random noise code is provided in a restricted manner based on a result of an admissibility check. In order to carry out the admissibility check, values are recorded and are compared with predefined threshold values.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: May 19, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Patent number: 10644876
    Abstract: Provided are methods and systems for performing a secure analytic over a data source. An example method includes acquiring, by a client, an analytic, at least one analytic parameter associated with the analytic, and an encryption scheme. The encryption scheme can include a public key for encryption and a private key for decryption. The method further includes generating, using the encryption scheme, at least one analytical vector based on the analytic and analytic parameter, and sending the analytical vector and the encryption scheme to at least one server. The method includes extracting, by the at least one server based on the encryption scheme, a set of terms from a data set, and evaluating the analytical vector over the set of terms to obtain an encrypted result. The method further includes sending, by the server, the encrypted result and the error to the client where the encrypted result is decrypted.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: May 5, 2020
    Assignee: Enveil, Inc.
    Inventors: Ellison Anne Williams, Ryan Carr
  • Patent number: 10645097
    Abstract: A device for detecting network traffic content is provided. The device includes a first input port configured to receive one or more signatures, each of the one or more signatures associated with content desired to be detected, a second input port configured to receive data associated with network traffic content. The device also includes a processor configured to process the one or more signatures and the data to determine whether the network traffic content matches the content desired to be detected, and an output port configured to couple the device to a computer system of an intended recipient of the network traffic content. The output port passes the network traffic content to the computer system when it is determined that the network traffic content does not match the content desired to be detected.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: May 5, 2020
    Assignee: Fortinet, Inc.
    Inventor: Michael Xie