Patents Examined by Samuel Ambaye
  • Patent number: 10623374
    Abstract: Described technologies automatically detect candidate networks having external nodes which communicate with nodes of a local network; a candidate external network can be identified even when the external nodes are owned by a different entity than the local network's owner. A list of network addresses which communicated with local network nodes is culled to obtain addresses likely to communicate in the future. A graph of local and external nodes is built, and connection strengths are assessed. A candidate network is identified, based on criteria such as connection frequency and duration, domain membership, address stability, address proximity, and others, using cutoff values that are set by default or by user action. The candidate network identification is then utilized as a basis for improved security through virtual private network establishment, improved bandwidth allocation, improved traffic anomaly detection, or network consolidation, for example.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: April 14, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Moshe Israel, Ben Kliger, Michael Zeev Bargury
  • Patent number: 10609054
    Abstract: Methods, systems, and computer readable media for monitoring, adjusting, and utilizing latency associated with accessing distributed computing resources are disclosed. One method includes measuring a first latency associated with accessing a first computing resource located at a first site. The method further includes measuring a second latency associated with accessing a second computing resource located at a second site different from the first site. The method further includes selectively impairing transmission of packets to or processing of packets by at least one of the first and second computing resources in accordance with a performance, network security, or diagnostic goal.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: March 31, 2020
    Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (SALES) PTE. LTD.
    Inventor: Stephen Samuel Jackson
  • Patent number: 10599855
    Abstract: A secure and fault-tolerant, or variation-tolerant, method and system to turn a set of N shares into an identifier even when only M shares from this set have a correct value. A secret sharing algorithm is used to generate a number of candidate identifiers from subsets of shares associated with asset parameters of a collection of assets. The most frequently occurring candidate identifier is then determined to be the final identifier. The method has particular applicability in the fields of node locking and fingerprinting.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: March 24, 2020
    Assignee: IRDETO B.V.
    Inventors: Phillip Alan Eisen, Michael James Wiener, Grant Stewart Goodes, James Muir
  • Patent number: 10599851
    Abstract: A malicious code analysis method and system, a data processing apparatus, and an electronic apparatus are provided. A behavior characteristic data corresponding to a suspicious file is received from the electronic apparatus via the data processing apparatus to analyze the behavior characteristic data. The behavior characteristic data corresponding to the suspicious file is compared with a malware characteristic data of each of a plurality of malicious codes to obtain a comparison result. And based on the comparison result, a representative attack code corresponding to the suspicious file is obtained and a precaution corresponding to the representative attack code is transmitted to the electronic apparatus.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: March 24, 2020
    Assignee: Wistron Corporation
    Inventors: Hsiao-Wen Tin, Chih-Ming Chen
  • Patent number: 10594683
    Abstract: Systems and methods are provided for securing data using a mobile device. The method may include determining securing global positioning data values of the mobile device; measuring a securing direction of the mobile device relative to a magnetic north direction; capturing a securing password by the mobile device; and securing the data against unauthorized access using the determined global positioning data values, the securing password, and the securing direction as a combined password.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: March 17, 2020
    Assignee: International Business Machines Corporation
    Inventors: Alberto L. Galvani, Ugo Madama, Paolo Ottaviano, Andrea Tortosa
  • Patent number: 10560265
    Abstract: A mobile secret communications method based on a quantum key distribution network, comprises the following steps: a mobile terminal registering to access the network and establishing a binding relationship with a certain centralized control station in the quantum key distribution network; after a communication service is initiated, the mobile terminals participating in the current communication applying for service keys from the quantum key distribution network; the quantum key distribution network obtaining addresses of the centralized control stations participating in service key distribution during the current communication, designating a service key generation centralized control station according to a current state indicator of each centralized control station; the service key generation centralized control station generating service keys required in the current communication and distributing the keys to the mobile terminals participating in the current communication.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: February 11, 2020
    Assignees: QUANTUMCTEK CO., LTD., Shandong Institute of Quantum Science and Technology Co., Ltd.
    Inventors: Yong Zhao, Chunhua Liu
  • Patent number: 10515217
    Abstract: Technologies for control flow validation include a computing device having a processor with real-time instruction tracing support. The processor generates trace data indicative of control flow of a protected application. The computing device identifies an indirect branch target based on the trace data and determines whether the indirect branch target is included in the same module as a previous indirect branch target. If the indirect branch target and the previous indirect branch target are not included in the same module, the computing device determines whether an inter-module transfer policy is satisfied. If satisfied, the indirect branch target is stored as the previous indirect branch target and the protected application continues to execute. If the policy is not satisfied, the computing device generates an exception. The policy may be satisfied, for example, if the indirect branch target is an exported function. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: December 24, 2019
    Assignee: Intel Corporation
    Inventors: Mingwei Zhang, Salmin Sultana, Ravi L. Sahita
  • Patent number: 10516671
    Abstract: A blacklist generating device acquires a malicious communication log and a normal communication log. A malicious communication profile extracting function calculates statistics on communication patterns included in the malicious communication log and outputs a communication pattern satisfying a certain condition to a potential blacklist. A normal communication profile extracting function calculates statistics on communication patterns included in the normal communication log and outputs a communication pattern satisfying a certain condition to a whitelist. A blacklist creating function searches the potential blacklist for a value coinciding with the value on the whitelist, excludes a coincident communication pattern from the potential blacklist, and creates a blacklist.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: December 24, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Kensuke Nakata, Tohru Sato, Kazufumi Aoki, Kazunori Kamiya
  • Patent number: 10511589
    Abstract: A cloud-based identity and access management system that implements single sign-on (“SSO”) receives a first request for an identity management service configured to allow for accessing applications. Embodiments send the first request to a first microservice, where the first microservice performs the identity management service by generating a token. The first microservice generates the token at least in part by sending a second request to an SSO microservice. The SSO microservice implements an SSO and generates a cookie that includes a global state and is used for communicating with different microservices. Embodiments receive a single log-out (SLO) of the SSO and use the cookie to iteratively log-out of the applications, where, after each log-out of an application of a first protocol, a redirect is performed to the SSO microservice to trigger log-out of applications of a different protocol.
    Type: Grant
    Filed: September 14, 2017
    Date of Patent: December 17, 2019
    Assignee: Oracle International Corporation
    Inventors: Jay Vijay Gangawane, Binoy Joseph, Bhavik Sankesara, Mrudul Pradeep Uchil
  • Patent number: 10498733
    Abstract: A secure method connects to an application run on a server from a client computer device, by a user who does not have the authentication data of the account declared in the application, the account including at least one proxy ID. The disclosure also relates to the application and associated authentication data, implementing a proxy [mandatary gateway] including a memory for recording, for each user declared by a primary account comprising at least one user ID, the list of resource targets C and accounts to which the user has access.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: December 3, 2019
    Assignee: Wallix
    Inventors: Raphaël Zhou, Serge Adda
  • Patent number: 10492068
    Abstract: A method for long range communications using sensors with bidirectional communication capability includes installing a plurality of sensors configured to communicate with a central node configured to send and receive packets in working slots on two frequencies; selecting a frequency with the strongest signal from each particular sensor; and avoiding collisions between the two-way sensors by changing working slots of the two-way sensors in each new frame by (a) creating a super-frame comprising multiple ordinary frames; (b) clocking all five multiple frames through; (c) returning the working slots to their initial positions; (d) creating a new super-frame; and (e) changing the working slot position throughout the new super-frame. Bidirectional communication guarantees that reception will be confirmed, or increases the chances that the signal will be received. Thus, it is possible to transfer information both ways, i.e., it is possible to write data (settings, etc.) into sensors.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: November 26, 2019
    Assignee: Ajax Systems Inc.
    Inventors: Oleksandr Konotopskyi, Sergey Pyannikov, Oleksandr Tantsiura
  • Patent number: 10438018
    Abstract: A third party system generates a group of users and a function that identifies users in the group as well as additional users not in the group when applied to user identifying information. The third party system transmits the function to an online system, which applies the function to user identifying information associated with various users of the online system. Applying the function to the user identifying information generates a set of users including users in the group and one or more additional users who are not in the group. The online system transmits information associated with users in the set and information identifying users in the set to the third party system, which determines obtained information associated with users of the group. In some embodiments, the information identifying users in the set is obfuscated user identifying information associated with the users in the set by the online system.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: October 8, 2019
    Assignee: Facebook, Inc.
    Inventors: Steven Richard Geinitz, Nikhil Tarun Shah
  • Patent number: 10430616
    Abstract: Processor system with a general purpose processor and a cryptographic processor dedicated to performing cryptographic operations and enforcing the security of critical security parameters. The cryptographic processor prevents exposure of critical security parameters outside the cryptographic processor itself, and instead implements a limited scripting engine, which can be used by the general purpose processor to execute operations that require the critical security parameters.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: October 1, 2019
    Assignee: Square, Inc.
    Inventors: Malcolm Ronald Smith, Kshitiz Vadera, Mark Phillip Zagrodney, Kevin Ka Wai Ng, Afshin Rezayee
  • Patent number: 10432592
    Abstract: Methods, systems, computer-readable media, and apparatuses may provide password encryption for hybrid cloud services. A workspace cloud connector internally residing with an entity may intercept user credentials associated with an internal application being transmitted to an external cloud service. The workspace cloud connector may generate an encryption key and encrypt the user credentials via a reversible encryption methodology. The workspace cloud connector may encrypt the encryption key using an irreversible encryption methodology (e.g., use a hashing function to produce a first hash). The workspace cloud connector may transmit the encrypted user credentials and the first hash to a virtual delivery agent via a first path (e.g., via the external cloud service). In response, the workspace cloud connector may receive an address of the virtual delivery agent and, using the address, may send the encryption key to the virtual delivery agent via a second path different from the first path.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: October 1, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Leo C Singleton, IV, Andy Cooper
  • Patent number: 10417395
    Abstract: A system and method for performing licensing monitoring and compliance within a service provider platform are provided. The system comprises a memory and a processor configured to execute instructions stored within the memory. The system further comprises a central instance that executes on the processor and comprises a license repository containing licensing data for application components. The system further comprises a customer instance that includes a third-party application component installed within the customer instance from an application store. The system further includes a licensing module. The third-party application component is switchable between a monitor mode in which the licensing module reports usage of the third-party application component to the central instance and an enforcement mode in which the usage is controlled on the customer instance based on the license repository.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: September 17, 2019
    Assignee: ServiceNow, Inc.
    Inventors: David Terry, James Owen, Arjun Badarinath, Vardhini Shankaranarayanan, Kashyap Ivaturi
  • Patent number: 10409971
    Abstract: The embodiments herein provide a system and method for an authentication-driven secret installation and access to applications and data on handheld computing devices. The secret storage is installed and accessed by a directly installed application or a host application on the device. The system comprises an authentication module for authenticating a user to access data stored in the secret storage area, and a security module for detecting an intrusion of the user's privacy during an accessing of the secret storage area. The authentication module automatically shuts down the application when a privacy intrusion is detected continuously for a preset period of time. A secret storage application is run to create a clone of one or more applications installed outside the secret storage area while the created clone of the one or more applications is stored in the secret storage area.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: September 10, 2019
    Assignee: OSLABS PTE. LTD.
    Inventors: Preeti Saluja, Akash Dongre, Sudhir Bangarambandi
  • Patent number: 10387687
    Abstract: A method of trust provisioning a device, including: receiving, by a hardware security module (HSM), a list of instructions configured to produce trust provisioning information; performing, by the HSM, a constraint check on the list of instructions including performing a symbolic execution of the list of instructions; receiving confidential inputs; executing, by the HSM, the list of instructions on the confidential inputs when the list of instructions passes the constraint check; outputting, by the HSM, trust provisioning information.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: August 20, 2019
    Assignee: NXP B.V.
    Inventors: Florian Boehl, Clemens Orthacker, Klaus Martin Potzmader, Andreas Daniel Sinnhofer, Christian Steger
  • Patent number: 10389760
    Abstract: A method and system for dynamic identification of network security policies are provided. The method comprises inspecting network traffic using a number of network inspection technologies; executing a first network security system to implement a first number of security policies to respond to a first number of threats identified by the number of network inspection technologies; executing a second network security system to implement a second number of security policies to respond to a second number of threats identified by the number of network inspection technologies; obtaining security intelligence from the first and second network security system; and adaptively reassessing the first and second number of security policies based on the security intelligence.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: August 20, 2019
    Assignee: TREND MICRO INCORPORATED
    Inventors: Harry Bryson, Malcolm Dodds, Wei Lu, Julian Palmer
  • Patent number: 10382443
    Abstract: Systems and methods for tiered connection pooling are disclosed herein, which may be used in a method of fulfilling user requests in an enterprise computing system. The method involves generating, by a processing unit, a first connection pool comprising one or more previously used authenticated connections with a resource; generating, by the processing unit, a second connection pool comprising one or more unused authenticated connections with the resource; and generating, by the processing unit, a third connection pool comprising one or more unauthenticated connections with the resource; receiving, by the processing unit, a request from the user device to access the resource, the resource requiring authentication for access; and fulfilling, by the processing unit, the request based on a connection from the first, second, or third connection pool.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: August 13, 2019
    Assignee: Document Storage Systems, Inc.
    Inventor: Ralph Katieb
  • Patent number: 10362018
    Abstract: Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: July 23, 2019
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: William L. Helms, John B. Carlucci, Jason Kazmir Schnitzer