Patents Examined by Syed M Ahsan
  • Patent number: 10397275
    Abstract: Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on the identified RDM attribute set.
    Type: Grant
    Filed: November 1, 2015
    Date of Patent: August 27, 2019
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Rick Lund, Alok S. Tiagi, Jingmin Zhou, Nishant Jain
  • Patent number: 10380347
    Abstract: A runtime analysis framework (RTA) stores a hierarchical list of input tags and a hierarchical list of output tags. The RTA stores defined vulnerabilities that include associated input tags and output tags. During runtime the software application may receive a request from a user system. The RTA assigns an input tag from the hierarchical list of input tags to an object associated with the request and assigns an output tag from the hierarchical list of output tags to a method generating a response to the request. The RTA identifies one of the defined vulnerabilities as a potential vulnerability if the assigned output tag and the output tag associated with the potential vulnerability are in a same subtree of the hierarchical list of output tags and the assigned input tag and the input tag associated with the potential vulnerability are in a same subtree of the hierarchical list of input tags.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: August 13, 2019
    Assignee: SALESFORCE.COM., INC.
    Inventors: Sergey Gorbaty, Travis Safford, Xiaoran Wang
  • Patent number: 10375572
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. Various aspects of the operation of the network regulator may be managed remotely via a graphical user interface (GUI) executing on an administration device, such as a mobile phone. The GUI is further configured to display a security notification to a user of the administration device, the security notification indicating the occurrence of a security event caused by an action of a protected client system.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: August 6, 2019
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Alexandru I. Achim, Mirela L. Padina, Monica M. Miron, Bogdan C. Cebere, Cosmin C. Stan, Catalina Albisteanu, Dan Berte, Bogdan Dumitrache, Daniel A. Mircescu, Alex Novac
  • Patent number: 10375059
    Abstract: A user may only log into an education application using login credentials of a third-party social media site. A browser is redirected to a server computer of the site which authenticates the user's credentials. The server confirms to the education application which displays its contents on the computer and allows the user to access the education application. Or, the user selects a mobile application on a telephone which connects to the server of the site. The site authenticates the user's credentials and sends a confirmation back to the mobile application. The mobile application connects to the education application and allows it to display its contents on the telephone. Alternatively, an actual minimum number of links is required before access is granted to the education application which is greater than a stated minimum. Attempting to log into the education application with fewer than the stated minimum results in a warning message and access is not granted.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: August 6, 2019
    Assignee: STUDY SOCIAL, INC.
    Inventor: Ethan Fieldman
  • Patent number: 10366236
    Abstract: In accordance with codes of applications, it is determined whether the applications access predetermined privacy information due to permission, a first label is assigned to an application that is determined to make an access, and a second label to an application that is determined not to make an access. The score of each word is calculated such that a high score is set to a word that is included in the text of the description of the application, to which the first label is assigned, more often than in the text of the description of the application, to which the second label is assigned, and a predetermined number of words at the top with regard to the score is extracted. The application whose text of the description includes the extracted word is classified as an application that refers to the permission.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: July 30, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Mitsuaki Akiyama, Takeshi Yagi, Tatsuya Mori, Takuya Watanabe
  • Patent number: 10356064
    Abstract: Disclosed herein are systems and methods for distributed key management. A first communications node may join a network. The first communications node may receive a white list generated by a central authority. The white list may include criteria for selecting a master communications node that may generate and distribute a cryptographic key for the network. The white list may also identify one or more communications nodes authorized to receive the generated cryptographic key. Responsive to detecting a second communications node joining the network, the first communications node may determine whether the second communications node is to be the master communications node for the network.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: July 16, 2019
    Assignee: ROCKWELL COLLINS, INC.
    Inventors: Sean D. Howard, Justin D. Davis
  • Patent number: 10348709
    Abstract: Techniques are disclosed for providing an authentication service that performs authentication of users on behalf of a relying party. The authentication service receives authentication requirements from the relying party and compares those requirements with authentication capabilities of the user and user equipment. If the authentication requirements are met, the authentication service may perform authentication using the corresponding authentication factors. If the available authentication factors are insufficient or the user fails authentication using the authentication factors used by the authentication service, the relying party may be notified that authentication failed. Upon successful authentication, the authentication service notifies the requiring party that the user has been authenticated.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: July 9, 2019
    Assignee: McAfee, LLC
    Inventors: Gilad Gitlin, Richard Reiner, John McDowell
  • Patent number: 10318746
    Abstract: There is disclosed in an example, a computing apparatus, including: a trusted execution environment (TEE); and one or more logic elements providing a collaboration engine within the TEE, operable to: receive a change to a secured document via a trusted channel; apply a change to the secured document; log the change to a ledger; and display the document to a client device via a protected audio-video path (PAVP). There is also disclosed a method of providing a collaboration engine, and a computer-readable medium having stored thereon executable instructions for providing a collaboration engine.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: June 11, 2019
    Assignee: McAfee, LLC
    Inventors: Oleg Pogorelik, Alex Nayshtut, Ned M. Smith, Igor Muttik, Omer Ben-Shalom
  • Patent number: 10305906
    Abstract: Systems, devices and processes are described for implementing an access heartbeat role on a hardware security module (HSM) that stores secure data on behalf of a secure data owner. Heartbeat and access credentials are established and distributed by the HSM. Access to the secure data is prevented unless the HSM receives valid heartbeats prior to a time expiration along with a valid access request. Generally, heartbeats are signed messages and include heartbeat credentials. Access requests may also be signed messages and include access credentials. The access credentials may be suspended, revoked or the entire HSM may be zeroized (e.g., plaintext keys erased), dependent upon a failure to receive valid heartbeats in a timely fashion. Heartbeats may be required from multiple entities, in some embodiments. Some example configurable features include heartbeat expiration time, the source of the credentials, the access denial options, and how many sources of distinct heartbeats are required.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: May 28, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Steven Preston Lightner Norum
  • Patent number: 10296467
    Abstract: A host central processing unit subsystem that writes information to external memory may provide policy to the external memory. Then every time a write comes from the host subsystem, a memory controller within the memory may check the write against the policy stored in the memory and decide whether or not to implement the write.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: May 21, 2019
    Assignee: Intel Corporation
    Inventors: Vinodh Gopal, Gilbert M. Wolrich, Kirk S. Yap
  • Patent number: 10289871
    Abstract: An integrated circuit includes a security module with multiple stages arranged in a pipeline, with each stage executing a different operation for accessing stored lifecycle (LC) information. For each portion of LC being accessed, each stage performs N iterations of its corresponding operation, whereby N is an integer greater than two, and crosschecks the results of successive iterations to ensure that the results of the operation are consistent. In addition, the stages of the security module are overlapping, such that different stages can perform different iterations concurrently. These concurrent operations at different stages are organized such that they may also be crosschecked and thereby confirm “offset” results between the stages.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: May 14, 2019
    Assignee: NXP USA, Inc.
    Inventors: Michael Rohleder, Stefan Doll, Clemens Alfred Roettgermann
  • Patent number: 10284560
    Abstract: Systems and methods for unmanned vehicle security and control are provided herein. An exemplary system includes a control station and an unmanned vehicle. The unmanned vehicle may be locked from remote control by the control station. The system may also include a first access control hardware device attached to the control station and communicably coupled, using a network, with the unmanned vehicle. The system may also include a second access control hardware device physically attached to the unmanned vehicle and communicably coupled, using the network, with the control station. The first and/or second access control hardware devices are utilized to unlock the unmanned vehicle from remote control by the control station.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: May 7, 2019
    Assignee: Just Innovation, Inc.
    Inventor: Justin Evan Manley
  • Patent number: 10237247
    Abstract: A convenient, easy to use ubiquitous secure communications capability can automatically encrypt and decrypt messages without requiring any special intermediating security component such as gateways, proxy servers or the like. Trusted/secure applications for the mobile workforce can significantly improve productivity and effectiveness while enhancing personal and organizational security and safety.
    Type: Grant
    Filed: February 6, 2017
    Date of Patent: March 19, 2019
    Assignee: Protected Mobility, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware
  • Patent number: 10230693
    Abstract: Portable, hand-held electronic devices for, and methods of, enabling a user to interact with a native operating system (OS) running on a host device and a virtual machine running on top of the native OS are presented. The host device includes a processor to communicate with an application having a target network address. The devices include an onboard database that stores user credential information and a portable encryption and authentication service module (PPEASM) that allows a secure communication channel to be made with the host device. The PPEASM configures the processor to negotiate authentication of the user with an application running on top of the native OS utilizing the user credential information, render an application running on top of the virtual machine, and pass data between the application running on top of the virtual machine and a second application running on top of the native OS.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: March 12, 2019
    Assignee: WEBCLOAK, LLC
    Inventor: Martin Dawson
  • Patent number: 10216950
    Abstract: A multi-tiered file locking service provides file locking at the thread and process level, and can optionally include locking at the file system level. A local locking mechanism maintains a list of local locks for threads within a process. When a thread requests a lock for a file, and a local lock is obtained, a process lock for the file may be requested. When no file system locking is used, when the process lock is obtained, the thread receives the lock for the file. When file system locking is used, when the process lock is obtained, a file system lock for the file may be requested. When the file system lock for the file is obtained, the thread receives the lock for the file. The result is a file locking service that functions across threads, processes and nodes in a distributed computing environment.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Elli Androulaki, Robert B. Basham, Martin Petermann, Harold J. Roberson, II, Alessandro Sorniotti
  • Patent number: 10218722
    Abstract: The present invention discloses a computer implemented method for developing an anomaly detector which is adapted to detect/predict anomaly in one or more network terminals and optimize the behavior of the network terminals. The said method is adapted to collect and monitor the behavior of the network terminals and compare it with the behavior profile of the network terminals in order to detect the anomaly parameter. The behavior profile is the normal interaction of the software and hardware components of the network terminals. A system for implementation and execution of such anomaly detector is also disclosed.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: February 26, 2019
    Inventors: Yandy Perez Ramos, Aldo Ferrante
  • Patent number: 10178100
    Abstract: Implementations of PDB Sandboxing in layers and mapping to different operating systems are described. In exemplary implementations, one or more pluggable databases (PDBs) are encapsulated on common container databases to form one or more PDB sandboxes. Encapsulating PDBs forms an isolation boundary layer configured to dynamically regulate security and isolation of the PDB sandboxes. Access by processes and resources to and from the PDBs inside respective PDB sandboxes through the isolation boundary layer, and access within PDB sandboxes, is regulated using dynamic access processes that dynamically vary access to resources and process disposed within and external to the PDB sandboxes.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: January 8, 2019
    Assignee: Oracle International Corporation
    Inventors: Nicolas Michael, Yixiao Shen, Glenn Faden
  • Patent number: 10178078
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: January 8, 2019
    Assignee: Assa Abloy AB
    Inventors: John Jules Alexander Boyer, Eric F. Le Saint
  • Patent number: 10158673
    Abstract: Concepts and technologies are disclosed herein for monitoring and controlling electronic activity. A policy service can be called for policies for controlling electronic activity occurring at one or more managed devices. The policies can include a number of rules, each of which can include a number of variables. The rules can be defined by a manager device and/or received from third parties. Third party rule submissions can be validated. If electronic activity at the managed device deviates from a rule, the manager device can be notified and the electronic activity can be blocked. The manager device can update the policy and/or issue exceptions, if desired.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: December 18, 2018
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Mounire El Houmaidi
  • Patent number: 10152597
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: December 11, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu