Abstract: A method, an apparatus, and a storage medium for detecting vulnerabilities in software to protect a computer system from security and compliance breaches are provided. The method includes providing a ruleset code declaring programming interfaces of a target framework and including rules that define an admissible execution context when invoking the programming interfaces, providing a source code to be scanned for vulnerabilities; compiling the source code into a first execution code having additional instructions inserted to facilitate tracking of an actual execution context of the source code, compiling the ruleset code into a second execution code that can be executed together with the first execution code, executing the first execution code within an virtual machine and passing calls of the programming interfaces to the second execution code, and detecting a software vulnerability when the actual execution context disagrees with the admissible execution context.

Abstract: Computing resource service providers may provide computing resources to customers in a multi-tenant environment. These computing resources may be behind a firewall or other security device such that certain information does not reach the computing resources provided to the customer. A logging entity may be implemented on computer server operated by the computing resource service provider. The logging entity may obtain log information from the firewall or other security device and store the log information such that it is accessible to the customer. Additionally, the log information may be provided to other services such as a metrics service or intrusion detection service.

Abstract: A network node (21), which is placed within a core network, receives a message from a transmission source (30) placed outside the core network. The message includes an indicator indicating whether or not the message is addressed to a group of one or more MTC devices attached to the core network. The network node (21) determines to authorize the transmission source (30), when the indicator indicates that the message is addressed to the group. Further, the message includes an ID for identifying whether or not the message is addressed to the group. The MTC device determines to discard the message, when the ID does not coincide with an ID allocated for the MTC device itself. Furthermore, the MTC device communicates with the transmission source (30) by use of a pair of group keys shared therewith.

Abstract: Secure methods, systems, and media for generating and verifying user credentials are provided. In some embodiments, the method comprises: receiving, from a user device, a request for access to a service that requires valid user credentials; determining an aspect of the user credentials that is to be satisfied to grant access to the requested service; transmitting, to the user device, a request for information related to the aspect of the user credential; receiving, from the user device, information related to the aspect of the user credential, wherein the information has been signed using a key associated with the user device; verifying the key used to sign the information by the user device; in response to verifying the key used to sign the information, determining whether the aspect of the user credential has been satisfied based on the received information; and, in response to determining that the aspect of the user credential has been satisfied, granting access to the service.

Abstract: Systems and methods for side-channel monitoring a local network are disclosed. The methods involve generating a program trace signal from at least one of power consumption, electromagnetic emission, or acoustic emanation of a control processor connected to the local network and operating a monitoring processor to detect a communication of a message on the local network; identify at least one purported control processor related to the communication; analyze the program trace signal of the at least one purported control processor relative to the communication; and at least one of an authenticate or verify one or more purported control processors of the at least one purported control processor based on the program trace signal of the at least one purported control processor.

Abstract: Methods and systems for detecting a privacy violation in an image file. A policy to be used by a master imaging application is obtained and a file system is monitored for a digital image modified by a monitored imaging application. It is then determined that the digital image file includes at least some content in violation of a defined setting for the master imaging application and, based on the determination that the digital image file includes at least some content in violation of the defined setting for the master imaging application, taking an action.

Abstract: Aspects of the present disclosure involve systems and methods for utilizing verified autonomous system (AS) network interconnections received via a cryptographically certified Recognized Operating Agency (ROA) object to generate an interconnect network model which may be used as a reference model to mitigate hijacking of network communications in downstream route announcements. In particular, AS networks may announce or share a cryptographically certified ROA object that includes a list of other AS networks to which the announcing network is connected. A router, server, or other networking device may receive ROA objects from multiple AS networks and generate a model or graph of the interconnectedness of the AS networks. Further, because each ROA object may be cryptographically certified or signed, the networking device may trust the information provided in the received ROA objects. The networking device may further verify announced routing information against the generated network model.

Abstract: A computer-implemented method for use with a database computer system including a database data set that includes machine readable data in the form of a plurality of records, the computer-implemented method comprising: (i) defining a plurality of sets of permission rule(s); (ii) receiving a first user profile for a first user; (iii) establishing a plurality of user identities to the first user; (iv) generating a plurality of tokens; and (v) for each given user identity of the first user, adding a given token of the plurality of tokens to the first user profile and associating the given user identity and the given token.

Abstract: Systems and techniques for detecting suspicious file activity are described herein. System for identifying anomalous data events is adapted to monitor a networked file system and receive an indication of a suspicious event associated with a user and a file. The system is further adapted to perform a pattern of behavior analysis for the user, perform an adjacency by time analysis based on a set of events before the suspicious event and a set of events after the suspicious event, and perform an adjacency by location analysis using a set of files located in a location of the file. The system is further adapted to determine whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis, and the adjacency by location analysis and display a report for the user including the anomalous event.

Abstract: A method and an apparatus for authority control, a computer device, and a storage medium, and relates to the field of the Internet technologies. The method includes: acquiring a configuration file according to a business scenario when a container is initialized, wherein the configuration file is managed outside the container; validating the configuration file in the container; receiving a user instruction; and identifying a type of the user instruction when the user instruction is an executable instruction. The method further including acquiring script content of a script file when the type of the user instruction indicates that the user instruction is the script file, wherein the script content includes at least one command statement; and performing a validity check on the at least one command statement based on the configuration file.

Abstract: Decoding includes sensing a packet related to SSL handshake for connecting a SSL between a client and a server after a TCP session has been established between the client and the server in an SSL decoding device. If the packet for an SSL handshake is transmitted in a preset operating system, an SSL between the client and the SSL decoding device and an SSL between the SSL decoding device and the server is established. A TCP session between a virtual client corresponding to the client and a virtual server corresponding to the server is also established. A packet transmitted/received between the virtual client and the virtual server is transmitted when the TCP session is established. If a first SSL packet transferred from the client to the SSL decoding device is received, the SSL packet is decoded and transmitted to the security device and to the server.

Abstract: The process includes acquiring, from a relay device that relays a packet between a first communication device and a second communication device, a plurality of first delay times generated by a round trip of the packet between the first communication device and the relay device, and a plurality of second delay times generated by a round trip of the packet between the second communication device and the relay device, sorting separately the plurality of first delay times and the plurality of second delay times based on a length of a delay time, and calculating device delay times based on a first delay calculation that calculates a difference between each of the plurality of first delay times and each of the plurality of second delay times in a same rank after the sorting.

Abstract: A processing apparatus (10) includes a dividing means (110). The dividing means (110) divides data into a plurality of pieces of partial data by degree of importance, based on a content of the data. Then, first partial data and second partial data having a degree of importance higher than that of the first partial data are held separately from each other. The data are, for example, sensor data or camera data constituted of a plurality of values. For example, the second partial data are encrypted.

Abstract: Systems and methods for side-channel monitoring a local network are disclosed. The methods involve generating a program trace signal from at least one of power consumption, electromagnetic emission, or acoustic emanation of a control processor connected to the local network and operating a monitoring processor to detect a communication of a message on the local network; identify at least one purported control processor related to the communication; analyze the program trace signal of the at least one purported control processor relative to the communication; and at least one of an authenticate or verify one or more purported control processors of the at least one purported control processor based on the program trace signal of the at least one purported control processor.

Abstract: Disclosed is a checksum generation and validation system and associated methods for dynamically generating and validating checksums with customizable levels of integrity verification. The system receives a file with data points defined with positional values and non-positional values, and differentiates a first set of the data points from a second set of the data points. The system generates a checksum based on a combination of two or more values from the positional values and the non-positional values of each data point from the first set of data points, and further based on exclusion of the positional values and the non-positional values of the second set of data points from the checksum. The system may use the checksum to verify the integrity of the data associated with the first set of data points.

Abstract: A data transcoding device includes a memory device for storing clear data containing private information and a processor configured as a data transcoder. The processor is configured to create packets of the clear data, prepare the packets for transcoding the clear data into an indecipherable multimedia data file appearing as noise, by determining properties of the indecipherable multimedia file based on parameters of the clear data. The processor is configured to generate the indecipherable multimedia file by transcoding the clear data based on the determined properties.

Abstract: A network-based document protection system for the protection of business secret includes: a template module configured to search for the template information of a template stored in a template database (DB) or the document information of a document stored in a document DB, and to execute the corresponding template or document via a dedicated application; an authentication module configured to generate the document information by including the identification code of an operator in the corresponding template information or to identify a corresponding operator by recognizing an identification code from the document information of the executed document, according to the execution procedure of the template module; and a security module configured to store the document, generated or updated via the dedicated application, in the document DB, and to perform security processing on the document.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: Methods and apparatus for emerging use case support in user space networking architectures. In one embodiment, an apparatus configured to segregate packet data based on a packet type is disclosed. The exemplary embodiment provides a custom data type registry that enables the definition, addition, removal, modification, and/or prioritization of custom packet processing rules. Variants of the registry may support custom ethertype packets, network packets, and/or transport packets. In another embodiment, mechanisms for enabling an intermediary packet processing stage are described. Intermediary packet processing may enable user space system extensions that support e.g., packet filtering, packet modification, and/or other forms of packet processing.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.