Patents Examined by Ponnoreay Pich
  • Patent number: 11522712
    Abstract: A message authentication apparatus compresses a message M into a value H of 2n bits, and divides the value H into two values H[1] and H[2] each having n bits. The message authentication apparatus extracts two values U[1] and U[2] each having min{t, n/2} bits from the value H[1], generates a value V[1] of t bits, using as input the message M and the value U[1], and generates a value V[2] of t bits, using as input the message M and the value U[2]. The message authentication apparatus encrypts the value H[2] by a tweakable block cipher E, using the value V[1] as a tweak, to generate a value Z[1], and encrypts the value H[2] by the tweakable block cipher E, using the value V[2] as a tweak, to generate a value Z[2]. The message authentication apparatus generates an authenticator Z from the value Z[1] and the value Z[2].
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: December 6, 2022
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventor: Yusuke Naito
  • Patent number: 11522696
    Abstract: An Intrusion Defense System for protecting the computer systems of a vehicle includes a vehicle having a computer with a direct wired or radio frequency or other contact-less remote connection diagnosis connection port interface. A hardware device for protecting the computer from hazardous software code intrusions into the computer system is used to protect the computer from unwanted hacks or intrusions into the system. The hardware device includes at least one or more of: a Diagnostic Port Gateway; a CAN Conditioner; and a CAN Data Security Diode and combinations of these.
    Type: Grant
    Filed: March 15, 2021
    Date of Patent: December 6, 2022
    Assignee: Dearborn Group, Inc.
    Inventors: Prakash K. Kulkarni, Mark P. Zachos
  • Patent number: 11503032
    Abstract: This application discloses a method and an apparatus for detecting invalidity of an ACL rule. The method includes: obtaining, by a first network entity, a second ACL rule, where the first network entity includes a first entry, and the first entry includes a first rule index and first information; generating, by the first network entity, a second entry according to the second ACL rule, where the second entry includes a second rule index and second information; determining, by the first network entity, whether the second information is a subset of the first information; and if the first network entity determines that the second information is a subset of the first information, determining, by the first network entity, that the second ACL rule is an invalid ACL rule, and skipping, by the first network entity, sending the second ACL rule to a second network entity.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: November 15, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Yongping Zhang
  • Patent number: 11494502
    Abstract: Aspects of the technology described herein maintain the privacy of confidential information to be communicated to a user through a computing device. The technology keeps confidential information private by assessing the privacy context of the communication. The privacy context can be determined by determining a privacy level of the information to be communicated and the privacy level of the environment into which the information is to be communicated. The privacy context can be used to select an appropriate communication channel for the information. The privacy context can also be used to determine whether all available content is shared or just a portion of it.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: November 8, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Adi L. Miller, Roni Karassik, Daniel Avigdor
  • Patent number: 11487910
    Abstract: A terminal includes a security subsystem, a baseband processor, and a first bidirectional bus coupled between the security subsystem and the baseband processor. The security subsystem is configured to manage at least one of data related to a user identity and data related to network security in wireless communication, and exchange the data with the baseband processor by using the first bidirectional bus. The baseband processor is configured to exchange the data with the security subsystem by using the first bidirectional bus, and implement wireless communication by using the data. The security subsystem and the baseband processor are in the same hierarchy. The security subsystem may proactively perform data transmission by using the first bidirectional bus.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: November 1, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Li Zhu, Zhufeng Tan
  • Patent number: 11489870
    Abstract: Disclosed herein are methods, systems, and processes for managing and controlling the collective behavior of deception computing system fleets. A malicious attack initiated by a malicious attacker received by a honeypot that is part of a network along with other honeypots is detected. Information associated with the malicious attack is received from the honeypot. Based on the received information, a subset of honeypots other than the honeypot are configured to entice the attacker to engage with the subset of honeypots or avoid the subset of honeypots.
    Type: Grant
    Filed: March 24, 2021
    Date of Patent: November 1, 2022
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11455388
    Abstract: A system and method for real-time attestation which attests to the untouchability of processors from external influences. The system and method comprise a security mechanism that extracts information about a program's full-control execution path and then validates that information with a highly isolated guard process during runtime, which is running in a trusted environment. This trusted guard application also acts as a remote attester client and sends the currently running control flow graph to a remote attestator server on demand.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 27, 2022
    Assignee: WEEVE.NETWORK
    Inventors: Marcus Jones, Michael-Maria Bommer
  • Patent number: 11443065
    Abstract: Systems and methods for obscuring data from a data source include devices and processes that may objectively measure the information loss for a dataset that is caused by applying a privacy policy, and may select and apply a policy to the dataset based on the measured information loss. The systems and methods may measure the information loss for a large dataset by taking a representative sample from the dataset and applying the policy to the sample in order to quantify the information loss. The quantified information loss can be iteratively used to change the policy in order to meet utility and/or privacy goals, and the system can subsequently apply the changed policy to the dataset.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: September 13, 2022
    Assignee: IMMUTA, INC.
    Inventors: Joseph J. Regensburger, Andrew D. Burt, Barry R. Hammen, Alfred V. Rossi, III
  • Patent number: 11438349
    Abstract: Disclosed herein are systems and methods for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process has a suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is malware based on a received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: September 6, 2022
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Vladimir Strogov, Serguei Beloussov, Stanislav Protasov, Anastasia Pereberina, Nikolay Grebennikov
  • Patent number: 11438764
    Abstract: Provided is a process that establishes representations and permits users to login to a relying device to which a mobile device has registered. Credential values of the user are established within a trusted execution environment of the mobile device and representations of those credentials are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access to the relying device via secure session. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access by causing the mobile device to obtain a value by which the relying device may be accessed. The user of the mobile device may authenticate with the mobile device based on a policy received from the server to obtain a value by which the relying device may be accessed.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: September 6, 2022
    Assignee: HYPR Corp.
    Inventors: George Avetisov, Roman Kadinsky, Bojan Simic
  • Patent number: 11431721
    Abstract: An electronic device is provided that includes a processor, and a data storage device having executable instructions accessible by the processor. Responsive to execution of the instructions, the processor receives candidate network based notifications. For each of the candidate network based notifications, the processor blocks communication of the candidate network based notifications to a user of the electronic device based on user permissions. The processor also obtains context data related to the user, modifies the user permissions based on the context data and determines a period for utilizing modified user permissions, and resets the user permissions after the period.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: August 30, 2022
    Assignee: LENOVO (SINGAPORE) PTE. LTD.
    Inventors: Mark Patrick Delaney, John Carl Mese, Russell Speight VanBlon, Nathan J. Peterson, Arnold S. Weksler
  • Patent number: 11425128
    Abstract: A method for use in a network system is provided. The network system includes a plurality of electronic controllers that transmit and receive, via a network, a plurality of frames. The plurality of frames includes at least one control frame that instructs predetermined control to an object of control. The method receives, sequentially, the plurality of frames from the network, and determines whether the predetermined control, instructed by the control frame received in the receiving, is to be suppressed, based on a set of frames received in the receiving. The set of frames is received in the receiving within a predetermined period preceding a time of reception of the control frame.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: August 23, 2022
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takeshi Kishikawa, Manabu Maeda, Tohru Wakabayashi, Toshihisa Nakano, Hideki Matsushima
  • Patent number: 11405394
    Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of a client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: August 2, 2022
    Assignee: Pulse Secure, LLC
    Inventor: Robert Koeten
  • Patent number: 11394713
    Abstract: Delegating use of a DID from a first DID owner to a second DID owner. An indication is received that a first DID owner desires to delegate use of a DID owned by the first DID owner to a second DID owner. This may allow the second DID owner to act on behalf of the first DID owner in interactions with third-party entities. A signed claim is generated that specifies that the first DID owner has delegated use of the DID to the second DID owner. The signed claim identifies the DID owned by the first DID owner and defines a scope of permission for the second DID owner when the second DID owner uses the delegated DID on behalf of the first DID owner. The signed claim may then be provided to the second DID owner.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: July 19, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Brandon Murdoch, Ankur Patel
  • Patent number: 11361076
    Abstract: A method includes accessing a plurality of network sources by a crawler bank. The crawler bank includes a plurality of crawlers. Each crawler may be designated to specifically crawl at least one of the network sources. In some implementations, the method includes crawling each of the network sources to identify one or more featured content. In some implementations, the crawlers look to identify vulnerability reports on the network sources. In some implementations, crawlers look to identify vulnerability reports based on a predetermined set of rules. The predetermined set of rules may include a name of a product, a name of a vendor or manufacturer, a name and a version of a product, a product part number, etc. In some implementations, the method includes transmitting each of the identified featured content to the server. In such implementations, the crawlers transmit the identified vulnerability reports to the crawler bank on the server.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: June 14, 2022
    Assignee: THREATWATCH INC.
    Inventors: Ketan Sateesh Nilangekar, Amol Narayan Godbole
  • Patent number: 11362841
    Abstract: A method secures a system that includes an application owner, a master application, and a plurality of secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas, and sends the output to the application owner.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: June 14, 2022
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Claudio Soriente
  • Patent number: 11341231
    Abstract: Embodiments of the invention are directed to a system, method, or computer program product structured for identifying potential misappropriation attempts into a technology resource and enforcing a credential lockout. In some embodiments, a system is structured for receiving a user credential associated with a first log-on attempt to access a technology resource, determining whether the user credential matches a stored valid credential, and, if it does not match, performing a misappropriation assessment. The misappropriation assessment includes evaluating and weighting a plurality of potential misappropriation factors, determining a misappropriation score from the weighted plurality of potential misappropriation factors, and adding the misappropriation score to a cumulative misappropriation score for the technology resource.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: May 24, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Vijay Kumar Yarabolu
  • Patent number: 11334264
    Abstract: In some aspects, an apparatus for encoding data for delivery to or for decoding data retrieved from a storage medium comprises a memory device and at least one hardware processor. The memory device is configured to store at least one parameter associated with at least one cryptographic protocol, the at least one parameter comprising one or more of a first cryptographic scheme, a first cryptographic key operation, a first cryptographic key length, and first cipher directives. The hardware processor is configured to generate a first frame comprising a first field for one parameter selected from the first cryptographic scheme, the first cryptographic key operation, the first cryptographic key length, and the first cipher directives and excluding fields for non-selected parameters, wherein the first frame is associated with the data delivered to or retrieved from the storage medium.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: May 17, 2022
    Assignee: SEAPORT, INC.
    Inventors: William F. Van Duyne, William Spazante, Gwain Bayley
  • Patent number: 11303619
    Abstract: Example methods and computer systems for encapsulated encrypted packet handling for receive-side scaling (RSS). One example may comprise a first computer system performing encryption and encapsulation on a first inner packet to generate a first encapsulated encrypted packet that includes (a) a first security protocol header and (b) a first outer header configured based on a first security association (SA). The first encapsulated encrypted packet may be forwarded to cause receive-side processing using a first core of a second computer system based on the first outer header. The first computer system may further perform encryption and encapsulation on a second inner packet to generate a second encapsulated encrypted packet that includes (a) a second security protocol header and (b) a second outer header configured based on a second SA. The second encapsulated encrypted packet may be forwarded to cause receive-side processing using a second core based on the second outer header.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: April 12, 2022
    Assignee: VMWARE, INC.
    Inventors: Dexiang Wang, Yong Wang
  • Patent number: 11303640
    Abstract: A circuit used in a network device, which includes a memory and an analyzer. The memory stores an ACL look-up table, wherein the ACL look-up table includes multiple ACL rules, and each ACL rule contains at least a comparison field, a control field, and a logical operation field. The comparison field includes comparison information of a communication protocol, the control field indicates whether said each ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logical operation used when said each ACL rule needs to be combined with the next ACL rule. The analyzer is configured to sequentially compare the packet according to multiple ACL rules recorded in the ACL look-up table, so as to generate at least one comparison result for determining the processing method of the packet.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: April 12, 2022
    Assignee: Realtek Semiconductor Corp.
    Inventor: Cheng-Yu Wu