Abstract: An integrated security system which seamlessly assimilates with current generation logical security systems. The integrated security system incorporates a security controller having standard network interface capabilities including IEEE 802.x and takes advantage of the convenience and security offered by smart cards and related devices for both physical and logical security purposes. The invention is based on standard remote authentication dial-in service (RADIUS) protocols or TCP/IP using SSL, TLS, PCT or IPsec and stores a shared secret required by the secure communication protocols in a secure access module coupled to the security controller. The security controller is intended to be a networked client or embedded intelligent device controlled remotely by to an authentication server. In another embodiment of the invention one or more life cycle management transactions are performed with the secure access module.

Abstract: A privacy-preserving verification methodology for SoC computing systems is described. The verification methodology utilizes the principles of Multi-Party Computation (“MPC”), and enables meaningful manipulation of encrypted data in the encrypted domain through the use of a fully homomorphic encryption (“FHE”) scheme. In the described verification methodology, IP logic is transformed and test vectors utilized to verify the IP logic are encrypted. The parties involved in the verification (e.g., the designer, the manufacturer, a third-party verification service, etc.) can functionally verify the IP core via the encrypted test vectors while the encrypted test vectors remain in the encrypted domain. Accordingly, the IP core is verified without revealing unwarranted information, such as the underlying IP behind the SoC.

Abstract: Embodiments of the present application disclose a method for providing a terminal identifier to a terminal. During operation, a security server receives a registration information set from the terminal, in which the registration information set includes multiple pieces of equipment information from the terminal. The security server then generates a terminal identifier based on the multiple pieces of equipment information in the registration information set. The security server then returns the terminal identifier to the terminal.

Abstract: A method of equality verification using relational encryption including receiving a relational key that includes a first relational key component and a registration ciphertext that includes an encryption of a first plaintext data set. The method includes storing the registration ciphertext without decrypting the registration ciphertext. After the storing of the registration ciphertext, the method includes receiving an authentication request and communicating a safeguard data set that includes a random challenge in response to the authentication request. The method includes receiving an encrypted response that is generated based on the safeguard data set and a second plaintext data set. The method includes verifying a relationship between the encrypted response and the registration ciphertext using the relational key without decrypting the encrypted response and without decrypting the registration ciphertext. The relationship indicates that equality exists between the first and the second plaintext data sets.

Abstract: A method and system for providing information management of data from hosted services receives information management policies for a hosted account of a hosted service, requests data associated with the hosted account from the hosted service, receives data associated with the hosted account from the hosted service, and provides a preview version of the received data to a computing device. In some examples, the system indexes the received data to associate the received data with a user of an information management system, and/or provides index information related to the received data to the computing device.

Abstract: A data center has a plurality of secure processing units; a plurality of data stores holding encrypted data records; and a network connecting the secure processing units and the data stores. The secure processing units comprise computing functionality configured to execute a data processing operation in parallel on the secure processing units by being configured to read encrypted records from the stores, process one or more of the encrypted records within the secure processing units, send one or more of the encrypted records to the stores. The data center is configured to carry out a secret shuffle of the data records to protect the privacy of data processed in the data center from an observer observing any one or more of: the reading of the records, the sending of the records, the writing of the records; the secret shuffle comprising a random permutation of the records hidden from the observer.

Abstract: Techniques for handshake-free encrypted communication are described. An apparatus may comprise a key component, a message component, and a network component. The key component may be operative to retrieve a first symmetric encryption key from a key store and to store a second symmetric encryption key in the key store. The message component may be operative to construct a message comprising a data section, the data section encrypted using the first symmetric encryption key. The network component may be operative to transmit the message to a device and to receive a response to the message, the response comprising the second symmetric encryption key. Other embodiments are described and claimed.

Abstract: Embodiments as described herein provide systems and methods for sharing secrets between a device and another entity. The shared secret may be generated on the device as a derivative of a secret value contained on the device itself in a manner that will not expose the secret key on the device and may be sent to the entity. The shared secret may also be stored on the device such that it can be used in future secure operations on the device. In this manner, a device may be registered with an external service such that a variety of functionality may be securely accomplished, including, for example, the generation of authorization codes for the device by the external service based on the shared secret or the symmetric encryption of data between the external service and the device using the shared secret.

Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Abstract: A method may include performing secure device configuration, via a configuration service manager device, for a SIP user device. The method includes monitoring, via the configuration service manager device, the SIP user device for device authentication problems, configuration file download problems, device registration problems and device third party registration problems. The method may also include detecting the device authentication problems, and logging and reporting the detected device authentication problems. The method may also include automated testing of the device and logging and reporting of detected device test problems. The method further includes resolving the detected device authentication, registration or testing problems.

Abstract: The present disclosure relates to transmitting a request for a set of data records, the request indicating encrypted data items associated with first and second interval boundaries, and selectively traversing a partially ordered set to determine an encrypted data item of the partially ordered set that is associated with an interval boundary of the first and second interval boundaries, based on no cache entries being associated with any encrypted data item associated with the interval boundary. The selectively traversing may include decrypting one or more portions of the partially ordered set, determining the encrypted data item of the partially ordered set, and transmitting a request to retrieve a data element of a linear order annotated to the encrypted data item of the partially ordered set associated with the interval boundary, to cause generation of a new cache entry including the encrypted data item and the data element.

Abstract: A privacy compliance measurement system, according to particular embodiments, is configured to determine compliance with one or more privacy compliance requirements by an organization or sub-group of the organization. In various embodiments, the system is configured to determine a privacy maturity rating for each of a plurality of sub-groups within an organization. In some embodiments, the privacy maturity rating is based at least in part on: (1) a frequency of risks or issues identified with Privacy Impact Assessments (PIAs) performed or completed by the one or sub-groups; (2) a relative training level of members of the sub-groups with regard to privacy related matters; (3) a breadth and amount of personal data collected by the sub-groups; and/or (4) etc. In various embodiments, the system is configured to automatically modify one or more privacy campaigns based on the determined privacy maturity ratings.

Abstract: A method for analyzing side-channel leakage of an application running on a device including loading the application on a system comprising a device simulator, wherein the application is configured to accept public inputs and secret inputs and selecting a set of public inputs. The method includes, for each public input in the set of public inputs, executing the application on the system comprising the device simulator based on a respective public input and a first value for a secret input and extracting first intermediate values for the simulated device, and executing the application on the system based on the respective public input and a second value for the secret input and extracting second intermediate values for the simulated device. The method includes determining an amount of dependency of a location of the simulated device on the secret input based on a plurality of the first and second intermediate values.

Abstract: A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may include a quantity of rules approximately equal to a result of a logarithm to base 2 of N. The device may compare the rule and the other rules, and may detect a rule anomaly based on comparing the rule to the other rules. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.

Abstract: The invention relates to a device for interconnecting at least two data-communication networks, connecting a first network qualified as a high-security network and at least one second network qualified as a low-security network, the device including a one-way channel referred to as downlink channel between the high-security network and the low-security network, and a one-way channel referred to as uplink channel between the low-security network and the high-security network, the uplink channel being configured, in accordance with at least one predetermined data model from the low-security network or a dedicated loading channel, such as to transmit a return signal towards the high-security network whenever an uplink data stream sent from the low-security network to the high-security network includes all or part of the predetermined data model, the return signal being transmitted together with a transmission of the uplink data stream or at the end of a transmission of the uplink stream towards the high-security

Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.

Abstract: A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation of according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulation to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.

Abstract: An authenticator in a second user device captures a media sample played on a first user device in proximity to the second user device. The media sample comprises at least one of an audio portion, a video portion or an image portion of a media stream received by the first user device from a remote media streaming source over a network. The authenticator sends at least a portion of the media sample from the second user device to an authentication server, the authentication server to compare the at least the portion of the media sample to a reference media stream received from the remote media streaming source to determine that the second user device is authenticated for viewing the media stream responsive to the portion of the media sample matching the reference media stream. The authenticator then receives an authentication decision from the authentication server at the second user device, the authentication decision indicating whether the second user device is authenticated.

Abstract: An incident response system and method for tracking data security incidents in enterprise networks is disclosed. An Incident Manager application (IM) stores incident objects and incident artifacts (IAs) created in response to the incidents, where the incident objects include the information for the incident and the IAs are associated with data resources (e.g. IP addresses and malware hashes) identified within the incident objects. In response to creation of the IAs, the IM issues queries against one or more external threat intelligence sources (TISs) to obtain information associated with the IAs and augments the IAs with the obtained information. In examples, the IM can identify known threats by comparing the contents of IAs against TIS(s) of known threats, and can identify potential trends by correlating the created incident objects and augmented IAs for an incident with incident objects and IAs stored for other incidents.

Abstract: A protection method, which releases an attack of a malware to a firewall apparatus disposed at an application layer, includes processing a microbatching operation in a plurality of session channels and at at least an operational period according to at least one input information, to generate a plurality of session-specific firewall patterns; and merging the plurality of session-specific firewall patterns to generate an application-specific firewall pattern at the application layer, so as to dispose a script information corresponding to the application-specific firewall pattern in the firewall apparatus for releasing the attack of the malware, wherein the microbatching operation is processed to generate a plurality of independent subset-specific firewall patterns in each session channel, so as to generate a session-specific firewall pattern corresponding to each session channel.