Patents Examined by Thaddeus J Plecha
  • Patent number: 10536267
    Abstract: The solution herein describes a software module that works in combination with certain hardware (e.g., a particular chipset) to obtain the level of security provided by an HSM. The software module can be implemented on a commodity server. The software module can utilize an HSM or key custodian to obtain cryptographic keys. The cryptographic keys may be stored on the commodity server within a secure memory space managed by the commodity server's chip set. While stored, access to the cryptographic keys may be managed by the chip set. The chip set can ensure that only protected applications associated with the cryptographic keys may access said keys.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: January 14, 2020
    Assignee: Visa International Service Association
    Inventors: Adam Conway, Avinash Kalgi
  • Patent number: 10530800
    Abstract: An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: January 7, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul Ionescu, Iosif Viorel Onut, Ori Segal, Wayne Duncan Smith
  • Patent number: 10528760
    Abstract: Described is a system for cloud-based privacy-preserving navigation operations between multiple parties. The system performs a two-party computation (2PC) between input data related to a current location of a first party and public data stored on a cloud computing infrastructure. Each party individually performs a 2PC on the public data while maintaining privacy of their input data. The system then performs multi-party computations (MPC) between multiple parties and the cloud computing infrastructure. The multiple parties privately update the public data with a result obtained from the 2PC. For the first party, a privacy-preserved navigation result is generated using results obtained from the 2PC and the MPC. The first party is caused to perform a navigation operation based on the privacy-preserved navigation result.
    Type: Grant
    Filed: July 26, 2018
    Date of Patent: January 7, 2020
    Assignee: HRL Laboratories, LLC
    Inventors: Chongwon Cho, Karim El Defrawy, Hyun (Tiffany) J. Kim, Joshua D. Lampkins
  • Patent number: 10511578
    Abstract: Technologies for secure content display include a computing device having a display controller and a display. The display includes a self-refresh frame buffer. The computing device establishes a secure, attested communication session between the display controller and the display device. Attestation may be performed using an enhanced privacy identifier key provisioned to the display controller and/or the display by the corresponding manufacturer. The display controller may transmit protected content from a protected audio/video path to the display over the secure communication session. The display controller may transmit a command to the display to disable read back of the self-refresh frame buffer. The display controller may transmit a command to the display to clear the frame buffer. The display controller may transmit a predefined image frame from secure storage to the display. The predefined image frame may be an advertisement or user-defined content. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: December 17, 2019
    Assignee: Intel Corporation
    Inventors: Rajesh Poornachandran, Ned M. Smith
  • Patent number: 10509898
    Abstract: A transaction authorization apparatus includes a processor in communication with a communications interface. The processor is configured to receive a request for a transaction requested by a user with whom a plurality of user devices are associated, to obtain respective transaction measurements from at least some available devices from among the plurality of user devices, and to confirm approval of the request for the transaction in response to confirmation that the transaction measurements satisfy a multi-device authorization policy associated with the transaction.
    Type: Grant
    Filed: January 21, 2016
    Date of Patent: December 17, 2019
    Assignee: Jim Barney et al.
    Inventors: Andrew Csinger, Ildar Muslukhov, Hassan Khosravi, Peter Tuan Luong
  • Patent number: 10505759
    Abstract: In an example, a network device may receive a L3VPN packet of which an egress label edge router (LER) is the network device, and acquire an adjacency index of an adjacency entry in an adjacency table according to the destination IP address of the inner IP datagram from the L3VPN packet. The network device may acquire a PW extended index of a PW extended entry in a PW extended table and a private network layer-2 header for the inner IP datagram from an adjacency entry having the adjacency index. By using the private network layer-2 header and a public network label, a private network label and a public network layer-2 header in a PW extended entry having the PW extended index, the network device may encapsulate the inner IP datagram into a L2VPN packet and forward the L2VPN packet through a physical egress interface in the PW extended entry.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: December 10, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Dan Meng
  • Patent number: 10505955
    Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.
    Type: Grant
    Filed: August 22, 2017
    Date of Patent: December 10, 2019
    Assignee: General Electric Company
    Inventors: Lalit Keshav Mestha, Hema Kumari Achanta, Justin Varkey John, Cody Joe Bushey
  • Patent number: 10498819
    Abstract: A method for storing data in a cloud includes providing at least one data file to be stored together with a predefined number t of replicas of the at least one data file within the cloud, at least one authentication tag corresponding to the at least one data file and t functions that are configurable to take at least a predefined time to compute. The at least one data file, the at least one authentication tag and the t functions are transmitted to the cloud. The at least one data file is stored within the cloud and t solutions of the t functions are computed within the cloud. The t replicas of the at least one data file are generated based on the t solutions of the t functions and the at least one data file within the cloud. The t replicas are stored within the cloud.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: December 3, 2019
    Assignee: NEC CORPORATION
    Inventors: Jens-Matthias Bohli, Ghassan Karame, Frederik Armknecht
  • Patent number: 10496833
    Abstract: A number of transmissions of secure data communicated between a secure trusted device and an unsecure untrusted device in a DBMS is controlled. The data is communicated for database transaction processing in the secure trusted device. The number of transmissions may be controlled by receiving, from the untrusted device, an encrypted key value of a key and a representation of an index of a B-tree structure, decrypting, at the trusted device, the key and one or more encrypted index values, and initiating a transmission, a pointer value that identifies a lookup position in the index for the key. The index comprises secure, encrypted index values. Other optimizations for secure processing are also described, including controlling available computation resources on a secure trusted device in a DBMS and controlling transmissions of secure data that is communicated between a secure trusted device and an unsecure untrusted device in a DBMS.
    Type: Grant
    Filed: August 10, 2018
    Date of Patent: December 3, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Arvind Arasu, Kenneth Eguro, Manas Rajendra Joglekar, Raghav Kaushik, Donald Kossmann, Ravishankar Ramamurthy
  • Patent number: 10484386
    Abstract: In one aspect, the invention provides a method for the provision of a profile, comprising the steps of, receiving information relevant to an individual, formatting the information into a format suitable for use in an identification situation, and storing the information in the format.
    Type: Grant
    Filed: April 14, 2014
    Date of Patent: November 19, 2019
    Assignee: DIGITAL (ID) ENTITY LIMITED
    Inventor: James Robert Storr
  • Patent number: 10484376
    Abstract: Particular systems, methods, and program products for web-based security systems for user authentication and processing in a distributed computing environment are disclosed. A computing sub-system may receive an electronic processing request and a first signed data packet having a first payload that was hashed and encrypted using a first private key. The first payload may comprise first processing output and a first timestamp. The sub-system may verify the first signed data packet by decrypting it using a first public key. The sub-system may execute computing operations to satisfy the electronic processing request, producing second processing output. The sub-system may configure a data packet with a second payload comprising at least the second processing output and a second timestamp. The sub-system may encrypt the second payload using a second private key producing a second signed data packet. The sub-system may transmit to a second sub-system the second signed data packet.
    Type: Grant
    Filed: July 5, 2018
    Date of Patent: November 19, 2019
    Assignee: WINKLEVOSS IP, LLC
    Inventors: Andrew Laucius, Cem Paya, Eric Winer
  • Patent number: 10476909
    Abstract: According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits to classify that a first subset of the second plurality of objects includes one or more verified exploits. The reporting logic configured to provide a display of exploit information associated with the one or more verified exploits.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: November 12, 2019
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
  • Patent number: 10476912
    Abstract: Techniques described herein are directed toward creating, visualizing, and simulating a threat based whitelisting security policy and security zones for networks. The disclosed technology may be implemented by providing a graphical user interface (GUI) on a network orchestration and security platform that facilitates creation and visualization of security zones and security policies for networks.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: November 12, 2019
    Assignee: VERACITY SECURITY INTELLIGENCE, INC.
    Inventor: Roger Hill
  • Patent number: 10469454
    Abstract: A system for providing a user with access to different services of at least one service provider in a network considering privacy and security via a user-related unique digital identifier (D-ID). The system includes: a D-ID middleware; and a D-ID-agent. The D-ID agent is at least partly run on a terminal device of a user and is configured to: generate the D-ID, at least one pseudonym for the user, and a user-defined and pseudonym-specific number of secrets; compute, using the number of secrets and a cryptographic hash function, a root value of a pseudonym-specific Merkle-tree having the secrets as its leaves; transmit the at least one pseudonym and the corresponding root value, both encrypted, to the D-ID middleware; and use a secret of the number of secrets as needed to access a desired service of the different services of the at least one service provider.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: November 5, 2019
    Assignee: DEUTSCHE TELEKOM AG
    Inventors: Mohamad Sbeiti, Tobias Wernado
  • Patent number: 10452736
    Abstract: In some implementations, a device may detect loading of a first web page associated with a domain, and may create an inline frame element that references a second web page associated with the domain. The second web page may require an authenticated user session to access particular content of the second web page. The device may insert the inline frame element into code for the first web page, and may transmit a request for the second web page based on inserting the inline frame element into the code for the first web page. The device may receive a response to the request for the second web page, and may determine whether there is an authenticated user session for the domain based on the response. The device may selectively perform an action based on determining whether there is an authenticated user session for the domain.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: October 22, 2019
    Assignee: Capital One Services, LLC
    Inventors: Vu Nguyen, Joshua Edwards, Adam Vukich, Mykhaylo Bulgakov, Abdelkadar M'Hamed Benkreira, David Gabriele, Andrea Montealegre, Ljubica Chatman, Jonatan Yucra Rodriguez
  • Patent number: 10447672
    Abstract: Disclosed are some implementations of systems, apparatus, methods and computer program products for encrypting and securely storing session data during a browser session using a session-based cryptographic key. The session data may be decrypted during the browser session or other browser sessions using the session-based cryptographic key or other backwards compatible session-based cryptographic keys. In addition, session-based cryptographic keys may be shared among browser sessions to enable encrypted session data to be decrypted across page refreshes and browser tabs.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: October 15, 2019
    Assignee: salesforce.com, inc.
    Inventors: Kevin Venkiteswaran, Sergey Gorbaty, Bob Yao, Trevor James Bliss
  • Patent number: 10445475
    Abstract: A method and system for securely and traceably enabling playing back of content on a playback device of a plurality of playback devices, in which each of the plurality of playback devices comprises a cryptographic function module (CFM). In one embodiment, the method comprises accepting a first input in the playback device from a content licensing agency; generating, in the device, a first output from the first input according to a proprietary cryptographic function using the CFM, the first output necessary to enable playback of the content by the playback device, the proprietary cryptographic function being one of a family of proprietary cryptographic functions executable by the CFM of each of the plurality of playback devices; and enabling the playback of the content by the device at least in part according to the first output.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: October 15, 2019
    Assignee: TWENTIETH CENTURY FOX CORPORATION
    Inventor: Ian E. Harvey
  • Patent number: 10439803
    Abstract: A protected machine. The machine includes an enclave. An enclave includes a protected area of an application address space for which access is prevented for any application code not resident in the enclave itself, except that keys can be provided by one or more management enclaves into the enclave. The machine further includes a management enclave coupled to the enclave. The management enclave is configured to provide a key to the enclave. The management enclave is a protected area of an application address space for which access is prevented for any application code not resident in the management enclave itself.
    Type: Grant
    Filed: March 14, 2017
    Date of Patent: October 8, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Jonathan E. Lange
  • Patent number: 10425226
    Abstract: An encryption processing device includes an encryption processing section that repeats a round operation on input data and generates output data, and a key scheduling section that outputs a round key to be applied in the round operation to the encryption processing section. The encryption processing section has an involution property in which a data conversion function E and an inverse function E⁻¹ are executed sequentially, and executes the round operation in which a constant is applied once or more in only one of the function E and the inverse function E⁻¹. The constant is a state that satisfies a condition that all of the constituent elements of a state which is a result of a matrix operation with the linear conversion matrix which is applied in the linear conversion processing section at a position adjacent to the exclusive-OR section to which the constant is input are nonzero.
    Type: Grant
    Filed: February 24, 2015
    Date of Patent: September 24, 2019
    Assignee: SONY CORPORATION
    Inventors: Kyoji Shibutani, Takanori Isobe
  • Patent number: 10417405
    Abstract: A device can be configured to receive speech input from a user. The speech input can include a command for accessing a restricted feature of the device. The speech input can be compared to a voiceprint (e.g., text-independent voiceprint) of the user's voice to authenticate the user to the device. Responsive to successful authentication of the user to the device, the user is allowed access to the restricted feature without the user having to perform additional authentication steps or speak the command again. If the user is not successfully authenticated to the device, additional authentication steps can be requested by the device (e.g., request a password).
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: September 17, 2019
    Assignee: Apple Inc.
    Inventor: Adam John Cheyer