Patents Examined by Trang T Doan
  • Patent number: 11438317
    Abstract: In one example in accordance with the present disclosure, a system may comprise a combination engine to combine an encrypted device identification and a routing indicator resulting in a combined device identification. The system may also include an encryption engine to encrypt the combined device identification and a transmission engine to transmit the encrypted combined device identification.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: September 6, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mathew M. Kaippallimalil, David C. Williamson, Brad Thomas Kenyon, Lu Tian
  • Patent number: 11438155
    Abstract: Techniques for implementing a key vault as an enclave are presented. The techniques include securely storing, in a key vault enclave, a key for an encryption system according to a key use policy; sending a vault attestation report of a key vault enclave to a vault client; and performing an operation in the key vault enclave with the key. Some embodiments further include receiving, at the key vault enclave, a client attestation report of the vault client wherein the vault client and key vault enclave are hosted on different native enclave platforms.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: September 6, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa
  • Patent number: 11431494
    Abstract: The disclosed embodiments include a passwordless method for securing data-at-rest. The method includes encrypting and/or decrypting data with a cryptographic key. For example, the encrypted data can be stored on a non-transitory computer memory of a first device. The method can include generating key shards based on the cryptographic key, which can be reconstituted from the key shards, and distributing the key shards among devices such that the encrypted data is secured at the first device because the first device is incapable of decrypting the encrypted data due to an absence of the cryptographic key.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: August 30, 2022
    Assignee: Atakama LLC
    Inventors: Daniel H. Gallancy, Erik A. Aronesty, Dimitri Nemirovsky
  • Patent number: 11431748
    Abstract: A three-component computer security system focused around crowdsourcing. Users may install the software, at which point it may access the users' computers or hosts, identify certain behaviors as suspicious, and ask for confirmation from the user. The user may then manually edit the report to remove or add behaviors. The system may then prepare a report to deliver to a central system, which may perform malware detection, expert evaluation, and deep learning on the received reports. When the host program's assessment and the user's assessment conflict, the program may be flagged for expert analysis. This use of crowdsourced information may then be used to develop detection, mitigation, and prediction protocols, which may be based on machine learning, and may further be used to manage hackbacks if authorized and desired.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: August 30, 2022
    Inventor: Mounir Talal Nsouli
  • Patent number: 11403390
    Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to an instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa
  • Patent number: 11405177
    Abstract: A nested enclave identity is presented. A nested identity is indicative of one or more possible enclave instantiations according to one or more identity types. Enclave identities may be nested such that a lower level identity type corresponds to a subset of the possible enclave instantiations that a higher level identity type corresponds to. Techniques disclosed include instantiating an enclave with a nested identity at a software interface to an enclave platform, and performing an operation related to the instantiated enclave using the nested identity.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa
  • Patent number: 11394725
    Abstract: Described is a system for network threat detection. The system identifies a targeted sub-network representing a threat within a multi-layer network having members. The targeted sub-network is identified with differential privacy protection, such that privacy of individuals that are not in the targeted sub-network is protected. The system causes an action to be generated, the action being one of generating an alert of a threat, initiating monitoring of the non-benign persons, or disabling network access of the non-benign persons.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: July 19, 2022
    Assignee: HRL LABORATORIES, LLC
    Inventors: Chongwon Cho, Tsai-Ching Lu, Hyun (Tiffany) J. Kim
  • Patent number: 11388008
    Abstract: Provided is a method and system for protecting the integrity of a computing system. The system may initialize a plurality of trusted platform modules (TPMs) within the computing system. The system may read a unique identifier corresponding to each TPM of the plurality of TPMs to determine a system state. The system may write the system state to platform configuration registers (PCRs) of each of the plurality of TPMs. The system may load a sealed private owner key part into each TPM of the plurality of TPMs. The plurality of TPMs may determine if a predetermined number of unique identifiers have been processed by validating a value of the PCRs to meet an owner key policy. The plurality of TPMs may unseal the private owner key part in each TPM where the value of the PCRs meets the owner key policy.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: July 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Christoph Vincent Schlameuss, Benno Schuepferling, Dennis Zeisberg, Volker Boenisch, Jakob Christopher Lang
  • Patent number: 11387997
    Abstract: The technology disclosed herein provides an enhanced cryptographic access control mechanism that uses cryptographic keys that are based on location data. An example method may include: determining location data of a computing device; transforming the location data in view of conversion data associated with the computing device, wherein the conversion data causes a set of alternate location data values to transform to a specific cryptographic value; creating, by a processing device, a cryptographic key in view of the transformed location data; and using the cryptographic key to enable access to a protected resource.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: July 12, 2022
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel P. McCallum, Peter M. Jones
  • Patent number: 11381603
    Abstract: A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.
    Type: Grant
    Filed: April 14, 2020
    Date of Patent: July 5, 2022
    Assignee: Illumio, Inc.
    Inventors: Paul J. Kirner, Dhanalakshmi Balasubramaniam, Seth Bruce Ford, Mukesh Gupta, Matthew K. Glenn
  • Patent number: 11356252
    Abstract: A system encrypts and decrypts e-mail, messages, and other digital data. By using quantum random number generators, the system has improved data security. Using a quantum random number, an agent (at a sender side) generates an encryption key which is used to automatically encrypt a message. The encryption key is stored at a key server. The encrypted message will be sent by an application using its standard transmission means such as SMTP, SMS, and others. The encrypted message can be automatically unencrypted by using an agent (at a recipient side) and retrieving the key from the key server. The system also provides an optional double encryption, where the message is encrypted with a user-generated password before being encrypted using the encryption key.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: June 7, 2022
    Inventors: Junaid Islam, Brian Wane
  • Patent number: 11347896
    Abstract: Horizontal port scanning enables an attacker to gain information about the services running on a host computer system and/or about the users of the computer system so that the subsequent attacks can be targeted to those services and/or those users. A horizontal port scanning detection system enables a network administrator to use a system of cascading ring buffers to maximize network resources to detect attackers. The horizontal port scanning system employs a series of ring buffers, where each ring buffer is associated with a specific port and each cascade of ring buffers is associated with a specific source. As communications requests are received, the destination address is stored in the ring buffer associated with the requested port and a process is run across each ring buffer, such that when a threshold is passed, an alarm is raised.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: May 31, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Dennis Naylor Brown, Jr., Eric Dawson LaMothe
  • Patent number: 11349868
    Abstract: A method, system and computer-usable medium for performing a spoofed email detection operation, comprising: maintaining a list of allowed third party domains that are authorized to send an internally-addressed email, the list of allowed third party domains comprising a plurality of domains; receiving an email from a third party sender, the email comprising an email envelope, the email envelope storing a domain of a third party sender address of the third party sender; comparing the domain of the third party sender address stored in the email envelope with the list of allowed third party domains; identifying the domain of the third party sender address stored in the email envelope as an allowed domain when the domain of the third party sender address matches a third party domain stored within the list of allowed third party domains.
    Type: Grant
    Filed: January 18, 2018
    Date of Patent: May 31, 2022
    Assignee: Forcepoint, LLC
    Inventors: Tony G. Naccarato, James R. Gordon
  • Patent number: 11334657
    Abstract: Authenticating method for a user of a service uses both a personal computer (PC) and a personal connectable device over a communications network. An enrollment phase must be fulfilled first, for determining a list of properties of the user. Request for a new session is accompanied by the submission of credentials by the user. Then, a type 1 graphic interactive object is evoked in which a grid of colored cells shows on the user PC screen and at least some of the cells of the grid contain images, and at least one was chosen by the user in the enrolment phase. Service continues with an assessment stage unless a type 2 graphic interactive object is employed. A type 2 graphic interactive object only at least one cell in which a color identical to the color appears in the cell on the PC in which a chosen image appeared before.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: May 17, 2022
    Inventors: Assaf Schwartz, Eliran Fadlon
  • Patent number: 11323431
    Abstract: A technique for providing access to protected resources uses personal authentication tags (PATs) and enforces a requirement that a workstation sending an authentication request be trusted by a server that receives the request. Accordingly, the server allows an authentication request to proceed only when the request is received from a workstation having a trust relationship with the server. Otherwise, the server denies the authentication request. By restricting PAT-type authentication requests to trusted workstations, risks posed by malicious users are greatly reduced.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: May 3, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Roger Alexander Cao, Srinivasa Maddipati, Manoj Andol, Rucha Deshmukh
  • Patent number: 11321467
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for security analysis are provided. One of the methods includes: determining a data risk value for data of an endpoint based on a number of classified files within the data and a type of classified files within the data; determining an endpoint risk value for the endpoint based on a user risk value and a cyber security risk value; determining a channel risk value for a set of channels through which the data is conveyable by the endpoint based on a number of channels within the set of channels and a type of channels within the set of channels; and rendering a map showing a security risk level of the endpoint, wherein the security risk level is based on the data risk value, the endpoint risk value, and the channel risk value.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: May 3, 2022
    Assignee: Beijing DiDi Infinity Technology and Development Co., Ltd.
    Inventors: Xiaodan Wang, Liwei Ren
  • Patent number: 11310275
    Abstract: A threat management facility detects a device on an enterprise network and determines whether the device is one of a set of managed devices for the enterprise network. When the device is not one of the set of managed devices, the threat management facility may selectively direct the device to a portal that provides support to the user of the device while the device awaits admission to the enterprise network. As the user interacts with the portal, the portal may manage admission of unrecognized devices onto the enterprise network while making efficient use of network administrator resources.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: April 19, 2022
    Assignee: Sophos Limited
    Inventors: John Edward Tyrone Shaw, Ross McKerchar, Moritz Daniel Grimm, Jan Karl Heinrich Weber, Shail R. Talati, Kenneth D. Ray, Andrew J. Thomas
  • Patent number: 11310033
    Abstract: A method for operating a pseudorandom generator is disclosed. The method may be implemented by a processor of a mobile computing device. The method includes: collecting raw sensor data from at least one sensor associated with the mobile computing device; selecting a subset of the raw sensor data; retrieving first representation representing accumulated entropy associated with one or more previously acquired raw sensor data sets for the at least one sensor; and generating a seed for a pseudorandom generator based on combining the first representation and the selected subset of raw sensor data.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: April 19, 2022
    Assignee: BLACKBERRY LIMITED
    Inventors: Robert John Lambert, Nevine Maurice Nassif Ebeid, Daniel Richard L. Brown, Atsushi Yamada
  • Patent number: 11271950
    Abstract: Endpoints within a subnet of a heterogeneous network are configured to cooperatively respond to internal or external notifications of compromise in order to protect the endpoints within the subnet and throughout the enterprise network. For example, each endpoint may be configured to self-isolate when a local security agent detects a compromise, and to shun one of the other endpoints in response to a corresponding notification of compromise in order to prevent the other, compromised endpoint from communicating with other endpoints and further compromising other endpoints either within the subnet or throughout the enterprise network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 8, 2022
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11263319
    Abstract: Suspicious credential changes are automatically detected and mitigated. A comparison of data surrounding user-account credential changes with suspicious change patterns forms a basis for detecting suspicious credential changes. More particularly, if a credential change substantially matches a known suspicious change pattern, the credential change can be flagged as suspicious. After a credential change is determined to be suspicious, one or more mitigation activities can be triggered to allay adverse effects associated with a suspicious credential change.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: March 1, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Nicolas Gordon, Timothy Colin Larson