Patents Examined by Trang Doan
  • Patent number: 9202056
    Abstract: Embodiments of an invention for inter-processor attestation hardware are disclosed. In one embodiment, an apparatus includes first attestation hardware associated with a first portion of a system. The first attestation hardware is to attest to a second portion of the system that the first portion of the system is secure.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 1, 2015
    Assignee: Intel Corporation
    Inventors: William C. Rash, Martin G. Dixon, Yazmin A. Santiago
  • Patent number: 9185120
    Abstract: One embodiment of the present invention provides a system for mitigating interest flooding attacks in content-centric networks (CCNs). During operation, the system receives, at a physical interface of a router, an interest packet; obtains current interest satisfaction statistics associated with the physical interface; and determines whether to forward or drop the interest packet based on the current interest satisfaction statistics.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: November 10, 2015
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Ersin Uzun, Alexander Afanasyev
  • Patent number: 9178906
    Abstract: A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.
    Type: Grant
    Filed: July 11, 2014
    Date of Patent: November 3, 2015
    Assignee: Symantec Corporation
    Inventors: Joseph H. Chen, Zhongning Chen
  • Patent number: 9166785
    Abstract: A device that uses homomorphic encryption is disclosed. The device includes a public key data generator configured to generate public key data, and a secret key data generator configured to generate secret key data that includes, as a secret key, an integer that is an element of a matrix obtained as a product of the first public key matrix element and an inverse matrix of the secret key matrix and that is not a multiple of the plain text space size.
    Type: Grant
    Filed: December 12, 2013
    Date of Patent: October 20, 2015
    Assignee: FUJITSU LIMITED
    Inventors: Masaya Yasuda, Takeshi Shimoyama, Jun Kogure
  • Patent number: 9165132
    Abstract: A method of authenticating a password and a portable device thereof are provided. The method includes: displaying an input keyboard on which a plurality of objects are arranged; changing an object arranged on the input keyboard according to a manipulation of a user; and if an object pattern arranged in a designated position of the input keyboard corresponds to a preset password pattern, authenticating the user. Therefore, it is difficult to use artifacts on the display screen to trace a password after entry, and thus security is improved. As a result, a protection of personal information of a user is strengthened.
    Type: Grant
    Filed: November 19, 2012
    Date of Patent: October 20, 2015
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Jong-ho Rhee, Sang-heun Oh
  • Patent number: 9158939
    Abstract: There is provided a security chip having a tamper-resistant feature, including an acquisition part configured to acquire specific information transmitted by a device performing challenge-response authentication, the specific information being specific to the device, a storage configured to store second key information that enables generation of first key information from the specific information, the first key information being used by the device for challenge-response authentication, and a generation part configured to generate, using the second key information, the first key information from the specific information. A response to be transmitted to the device is generated, using the first key information, from a challenge transmitted by the device. In the device, the first key information is not stored in a tamper-resistant security chip.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: October 13, 2015
    Assignee: Sony Corporation
    Inventor: Hideo Yoshimi
  • Patent number: 9160766
    Abstract: A computer-implemented method for protecting organizations against spear phishing attacks may include (1) searching a plurality of websites for user profiles belonging to users who are affiliated with an organization and who have access to at least one privileged computing resource controlled by the organization, (2) retrieving, from the user profiles, personal information describing the users, (3) determining, based on the personal information, that a portion of the user profiles belongs to an individual user with access to the privileged computing resource, (4) identifying at least one phishing attack risk factor in the user profiles that belong to the individual user, and (5) assessing, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: October 13, 2015
    Assignee: Symantec Corporation
    Inventors: Anand Kashyap, Sudhanshu Shekhar
  • Patent number: 9141778
    Abstract: Software on a router receives configuration data that specifies a social networking service as a source for authentication according to an authentication protocol. Subsequently, the router software receives packet data from a client device for a destination other than the social networking service. The router software causes software on the client device to display a login view for the social networking service. The router software transmits the login data entered in the login view to the social networking service. And the router software receives an authorization code following a successful login by a user identified on an access control list (ACL). Then the router software transmits the packet data to the destination.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: September 22, 2015
    Assignee: GOOGLE INC.
    Inventors: Gregory Matthew Marra, Sean Liu
  • Patent number: 9128738
    Abstract: An information processing device stores, in a storage device, command execution user data associating an attribute of a command with a name of a user entitled to execute the command. When execution of the command is requested, a service of the information processing device extracts, from the command execution user data, a name of a user entitled to execute the requested command and executes the command with the extracted user name.
    Type: Grant
    Filed: November 1, 2012
    Date of Patent: September 8, 2015
    Assignee: Sanken Electric Co., Ltd.
    Inventor: Tetsuki Iwata
  • Patent number: 9124637
    Abstract: Some embodiments provide a program that provides data protection for a device when synchronizing a set of keychains stored on the device with a set of other devices. The program receives keychain data for synchronizing the set of keychains stored on the device with the set of other devices. The keychain data is specified as belonging to a protection domain. The program determines whether a set of conditions defined for the protection domain is satisfied. When the set of conditions is determined as satisfied, the program allows access to the keychain data in order to process the keychain data and synchronize the set of keychains stored on the device with the set of other devices.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 1, 2015
    Assignee: APPLE INC.
    Inventors: Michael Brouwer, Dallas B. De Atley, Mitchell D. Adler
  • Patent number: 9112679
    Abstract: A system obtains assurance by a content provider that a content control key is securely stored in a remote security module for further secure communications between the content provider and the security module. A security module manufacturer, which has a pre-established trustful relation with the security module, imports a symmetric transport key into the security module. The symmetric transport key is unique to the security module. The content provider shares the symmetric transport key with the security module manufacturer. The content provider exchanges messages with the security module through a security module communication manager in order to get the proof that the security module stores the content control key. At least a portion of the messages exchanged between the content provider and the security module are protected using the symmetric transport key. The symmetric transport key is independent of said content control key.
    Type: Grant
    Filed: July 23, 2013
    Date of Patent: August 18, 2015
    Assignee: Assa Abloy AB
    Inventors: Dominique Fedronic, Eric Le Saint, John Babbidge, Hong Liu
  • Patent number: 9098702
    Abstract: Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: August 4, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shai A. Rubin, Yosef Dinerstein, Efim Hudis, Yair Helman, Uri Barash, Arie Friedman
  • Patent number: 9098722
    Abstract: The present invention relates to systems and methods for parsing of a token stream for user generated content in order to prevent attacks on the user generated content. The systems and methods include a database which stores one or more whitelists, and a parser. The parser removes tokens from the token stream by comparing the tokens against the whitelist. Next, the parser validates CSS property values, encodes data within attribute values and text nodes, reconciles closing HTML tags, and coerces media tags into safe variants. The tokens removed may be any of HTML tags, HTML attributes, HTML protocols, CSS selectors and CSS properties.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 4, 2015
    Assignee: Prevoty, Inc.
    Inventor: Kunal Anand
  • Patent number: 9076011
    Abstract: Provided is a system in which two or more clients, each including an application program that transmits a network access request, and a server are able to communicate, wherein at least one client includes first control means for controlling the access request transmitted to the server, based on a security level assigned to the application program, and the server includes second control means for determining whether the first control means has been introduced to the client that has transmitted the access request, authorizing the access request when the determination result is positive, and controlling the access request based on a security level assigned to an access target when the determination result is negative.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: July 7, 2015
    Assignee: NEC CORPORATION
    Inventor: Takayuki Sasaki
  • Patent number: 9069766
    Abstract: The subject disclosure is directed towards securing a computing device using content-based isolation. When the computing device requests content data having different ownership, a monitor component identifies and groups trusted portions of the content data into one or more isolation containers such that only trusted programs are permitted access. Other programs are, therefore, untrusted and can be denied access in order to prevent malicious activity, unless access is approved by the content owner.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: June 30, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Alexander Nikolaevich Moshchuk, Jiahe H. Wang, Yunxin Liu
  • Patent number: 9070251
    Abstract: A multi-tiered static chain of trust is established in a computer system which utilizes a first authentication program stored on a first memory device to authenticate data stored on a second memory device. If the data stored on the second memory device is authenticated, then a second authentication program stored on the second memory device authenticates data stored on a third memory device. If the data on the third memory device is authenticated, the computer system is allowed to utilize the data stored on the third memory device. The data stored on the third memory device is indirectly authenticated while the data is being used by authenticating the data stored on the first memory device.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: June 30, 2015
    Assignee: IGT
    Inventors: Jerrod L. Laputz, Wu Chih Wei, Xuedong Chen, Scott Timothy Gowin
  • Patent number: 9071589
    Abstract: An encryption key management system is provided for storage area network devices. A create key request is received at a storage area network switch. The key is created at the storage area network switch and the created key request is transmitted to a key management center. The key object is stored in the key management center and includes a unique identifier, an encrypted key, a wrapper unique identifier, and a key entity. The encrypted key can later be decrypted to generate a decrypted key. The encrypted key is decrypted using keying material accessed using the wrapper unique identifier that identifies another key object.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: June 30, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Praveen Patnala, Anand Parthasarathy, Makarand Deshmukh
  • Patent number: 9037869
    Abstract: Methods and systems may include a computing system having a display, a display controller with a decryption module, and a security element with security logic. The security logic can be configured to establish a secure path between the secure element and the display in response to a secure output mode request, wherein the secure path includes the display controller. In addition, the security logic may be configured to prevent the decryption module from being bypassed, and transmit encrypted data from the secure element to the display via the secure path.
    Type: Grant
    Filed: November 1, 2012
    Date of Patent: May 19, 2015
    Assignee: Intel Corporation
    Inventors: Sasikanth Avanch, Ninad Kothari, Rajesh Banginwar, Taeho Kgil
  • Patent number: 9027111
    Abstract: Embodiments of the present invention disclose a relay node authentication method, apparatus, and system. The method provided in an embodiment of the present invention includes: sending, by a relay node, an authentication request message to a peer node, where the authentication request message includes a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, where the peer node is a network side node or a security gateway in a security domain where the network side node is located; and receiving, by the relay node, an authentication response message sent by the peer node, where the authentication response message includes a certificate of the peer node, and authenticating the peer node according to the certificate of the peer node.
    Type: Grant
    Filed: August 1, 2012
    Date of Patent: May 5, 2015
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Dongmei Zhang, Aiqin Zhang, Xiaoyu Bi, Jing Liu
  • Patent number: 9021267
    Abstract: According to one embodiment of the invention, a method for setting permission levels is described. First, an application and digital signature are received by logic performing the permission assessment. Then, a determination is made as to what permission level for accessing resources is available to the application based on the particulars of the digital signature. Herein, the digital signature being signed with a private key corresponding to a first public key identifies that the application is assigned a first level of permissions, while the digital signature being signed with a private key corresponding to a second public key identifies that the application is assigned a second level of permissions having greater access to the resources of an electronic device than provided by the first level of permissions.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: April 28, 2015
    Assignee: Sony Corporation
    Inventor: Helmut Neumann