Patents Examined by Vance M Little
  • Patent number: 11190489
    Abstract: A method and system include a SDP controller in a SDP receiving a request from a first device for communicating with a second device. The second device is in the SDP. A firewall includes a connection table configured to map an identity of the first device and second device, and a filter table is configured to open and close ports. The SDP controller authenticates the first device, and provides the identity of the first device to the second device. The second device transmits a first packet to the first device. The firewall maps in the connection table, the identity of the first device in association with the second device. The first device transmits a second packet to the second device. The firewall determines that the identity of the first device is in the connection table for communicating with the second device and forwards the second packet to the second device.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: November 30, 2021
    Assignee: OPSWAT, Inc.
    Inventors: Russell Paul Miller, Travis Lowell Dimmig, Jeffrey Thomas Price, James David Robinson
  • Patent number: 11178168
    Abstract: The present disclosure describes a self-learning system, method, and computer program for detecting cybersecurity threats in a computer network based on anomalous user behavior and multi-domain data. A computer system tracks user behavior during a user session across multiple data domains. For each domain observed in a user session, a domain risk is calculated. The user's session risk is then calculated as the weighted sum of the domain risks. A domain risk is based on individual event-level risk probabilities and a session-level risk probability from the domain. The individual event-level risk probabilities and a session-level risk probability for a domain are derived from user events of the domain during the session and are based on event-feature indicators and session-feature indicators for the domain.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: November 16, 2021
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Anying Li, Ryan Foltz, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 11178176
    Abstract: A system for detecting MITM for SCADA communication networks includes secure substation-substation communication links for providing secure and reliable paths to exchange OT data between substations for OT data consistency check; a SIB in each substation for sampling CT and PT measurements to calculate voltage magnitude and phase angle thereof; a S&C server in each substation coupled to the SIB for receiving the voltage magnitude and phase angle from the SIB and obtaining a packet carrying active power flow in transmission lines between two substations and a time stamp; an IDS server placed in a SCADA center for collecting the packet of each substation sent by the S&C server; analyzing the received packet from every adjacent substation; inspecting the payload of the received packet; and triggering an intrusion alarm to a SCADA operator when the power flow is not the same as the payload of the packets.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: November 16, 2021
    Assignee: BOARD OF TRUSTEES OF THE UNIVERSITY OF ARKANSAS
    Inventors: Roy McCann, Hamdi Mansour Albunashee
  • Patent number: 11171926
    Abstract: Communication between web frames increases consistent application of security policies, without reducing security. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a control frame child creation in frame creation or frame navigation code. The control frame child code only permits setting and retrieving data of a browser store, using postMessage() without reference to external resources or external scripts. Safely sharing message data this way between frames allows the proxy to ascertain a policy based on the shared data, so the proxy and browser can apply the policy in reactions to subsequent requests, allows window frames to be associated together in the proxy, allows initialization control, supports reporting, and otherwise enhances browsing without reducing security.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: November 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itamar Azulay, Itay Levy, Lucy Goldberg
  • Patent number: 11172359
    Abstract: A method and apparatus provide for security for restricted local operator services. At least one of a restricted local operator services indication and security capabilities associated with the restricted local operator services can be sent. A non-access stratum key exchange request including a symmetric root key can be received. The symmetric root key can be encrypted with a public key. The non-access stratum key exchange request can be acknowledged. A non-access stratum security key can be derived with the symmetric root key. Radio interface keys for user plane and radio resource control can be derived with the symmetric root key.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: November 9, 2021
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Andreas Kunz, Genadi Velev
  • Patent number: 11170127
    Abstract: The present disclosure relates to a system, method, computer program and electronic device for managing end user data takeout. A data takeout message is communicated to one or more target subscriber entities to instruct the one or more target subscriber entities to enact a data takeout request relating to an end user. User data relating to the end user is then uploaded to a data collection database from at least some of the one or more target subscriber entities, which is then aggregated and made available for download by the end user.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: November 9, 2021
    Assignee: Schibsted Products & Technology AS
    Inventors: Narasimha Raghavan Veeraragavan, Karen Victoria Lees, Sverre Sundsdal
  • Patent number: 11159528
    Abstract: Systems and methods are described for facilitating authentication of hosted network services to other services. A target service, such as a database, may require specific authentication information, such as a username and password, to access the target service. While this information could be manually specified in the hosted network service, de-centralized storage of authentication information is generally discouraged by security best practices. This disclosure provides an authentication proxy system that reduces or eliminates a need for hosted network services to store authentication information for target services. Rather, the authentication proxy system can obtain authentication information for the hosted network service that is provided by a hosting system, and authenticate the hosted network service using that authentication information.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: October 26, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Adam Charles Siefker, Sean Oczkowski, David Richardson, Samvid H. Dwarakanath, Marc John Brooker, Orr Weinstein
  • Patent number: 11157649
    Abstract: The present disclosure relates to systems, methods and computer programs for managing end user data deletion by communicating a prepare for deletion message to one or more two-step deletion subscriber entities to instruct them to prepare to enact a data deletion request, and communicate a deletion message to the one or more two-step target subscriber entities only after a ready for deletion message is received from each of the one or more two-step deletion subscriber entities.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: October 26, 2021
    Assignee: Schibsted Products & Technology AS
    Inventors: Narasimha Raghavan Veeraragavan, Karen Victoria Lees, Sverre Sundsdal
  • Patent number: 11144656
    Abstract: The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: October 12, 2021
    Assignee: CA, INC.
    Inventors: Ashok Banerjee, William Porr, Sahil Hasan
  • Patent number: 11115436
    Abstract: Systems and methods are disclosed for preventing relay or replay attacks using time-stamped, localized footprint data. An access device may receive, from one or more beacon transmitters, a plurality of broadcast messages, each broadcast message, of the plurality of broadcast messages, comprising a timestamp and a unique identifier for a beacon transmitter, of the one or more beacon transmitters. The access device may store the timestamps and the unique identifiers. The access device may receive, from a user device, an access request comprising timestamps and unique identifiers corresponding to a subset of the broadcast messages received by the access device. The access device may verify that the stored timestamps and unique identifiers match the timestamps and unique identifiers received from the user device. Based on the verifying, the access device may authenticate the access request.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: September 7, 2021
    Assignee: Visa International Service Association
    Inventors: Fahimeh Rezaei, Marc Kekicheff, Yuexi Chen
  • Patent number: 11100239
    Abstract: An open source library rating is generated for an open source library based on dependencies of the library, vulnerabilities of the library, an age of the library, a popularity of the library, a history of the library, or any suitable combination thereof. The rating of a specific version of a library may be generated based on a base score for all versions of the library and a version score for the specific version of the library. An authorization system receives a request from a developer to add a library to a software application. In response, the authorization system accesses a rating for the library. Based on the rating, the authorization system approves the request, denies the request, or recommends an alternative library.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: August 24, 2021
    Assignee: SAP SE
    Inventors: Xun Sun, Huaiyu Yan, Chuyunxiao Zhong
  • Patent number: 11100330
    Abstract: Various client devices include displays and one or more image capture devices configured to capture video data. Different users of an online system are associated with client devices that exchange information captured by their respective image capture devices. A user of a client device may provide a message to an additional user of an additional client device for asynchronous presentation to the additional user. The message includes information identifying the additional user and one or more privacy settings. When the additional client device identifies the user via captured video data, the online system determines whether the message has previously been presented to the additional user. Subject to the privacy settings included in the message, the additional client device presents the message to the additional user after detecting the additional user and determining the message has not previously been presented to the additional user.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: August 24, 2021
    Assignee: Facebook, Inc.
    Inventors: Vincent Charles Cheung, Connie Yeewei Ho
  • Patent number: 11093651
    Abstract: A computer implemented method includes receiving, by a trusted execution environment (TEE) application, a cross-chain data request from a first blockchain node of a first blockchain; obtaining, by the TEE application, cross-chain data corresponding to the cross-chain data request from a second blockchain node of a second blockchain; verifying, by the TEE application, the cross-chain data; generating, by the TEE application, a signature using a private key of the TEE application, where a public key corresponding to the private key is stored in the first blockchain; and returning, by the TEE application, the cross-chain data and the signature to the first blockchain node.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: August 17, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 11095644
    Abstract: A cloud-based service monitoring device includes a criteria database and an exceptions database. The criteria database includes predefined configuration criteria corresponding to approved operating parameters of each cloud-based service being monitored. The exceptions database includes predefined configuration exceptions such that, for a given instance, each configuration exception corresponds to a different instance-specific criteria than the associated configuration criteria for the cloud-based service. The monitoring device extracts configuration settings from instances of the cloud-based service and compares the settings to the configuration criteria of the cloud-based service. If a suspect setting is identified that does not satisfy the configuration criteria at the service level, the monitoring device compares the suspect setting to instance-specific criteria.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: August 17, 2021
    Assignee: Bank of America Corporation
    Inventors: Justin P. Gulnac, Travis E. Hoyt, Kevin W. Nibler
  • Patent number: 11074362
    Abstract: A system and method for monitoring and protecting sensitive data that includes identifying sensitive data and statically tracking sensitive data using data flow analysis across a code base, monitoring flow of the data during application runtime, and responding to vulnerabilities according to a sensitive data characterization of the data. Identifying sensitive data includes processing a semantic description of the data in the application code and characterizing the sensitive data. Monitoring flow of the data includes: identifying and characterizing sensitive data through data usage, updating the characterization for the sensitive data through data usage, and enforcing security measures on the data according to the sensitive data characterization of the data.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: July 27, 2021
    Assignee: ShiftLeft, Inc.
    Inventors: Chetan Conikee, Markus Lottmann, Fabian Yamaguchi, Vlad A Ionescu
  • Patent number: 11075758
    Abstract: The present disclosure relates to an access security system and method, for example for securing access to data, objects or locations. According to one aspect there is provided a computer-implemented access security method, the method comprising: receiving, at a processor, a first authentication credential from a near-field communication, ‘NFC’ reader; generating a one-time token, at the processor, in dependence on the first authentication credential, the one-time token being in a form which is capable of reproduction by a user; and outputting the one-time token via an interface for use as an authentication credential in an access procedure. Other aspects relate to a user device for implementing such a method, a computer program product for storing instructions which, when executed, cause such a method to be implemented, and a system in which such a method can be used.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: July 27, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: John Beric, James Noe
  • Patent number: 11070955
    Abstract: A network node (21), which is placed within a core network, receives a message from a transmission source (30) placed outside the core network. The message includes an indicator indicating whether or not the message is addressed to a group of one or more MTC devices attached to the core network. The network node (21) determines to authorize the transmission source (30), when the indicator indicates that the message is addressed to the group. Further, the message includes an ID for identifying whether or not the message is addressed to the group. The MTC device determines to discard the message, when the ID does not coincide with an ID allocated for the MTC device itself. Furthermore, the MTC device communicates with the transmission source (30) by use of a pair of group keys shared therewith.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: July 20, 2021
    Assignee: NEC CORPORATION
    Inventors: Xiaowei Zhang, Anand Raghawa Prasad
  • Patent number: 11062040
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for enabling blockchain-based service of process. One method includes: receiving a request generated based on a blockchain-based application for delivering a notice associated with a legal action from a serving party to another party. The serving party is determined to be a registered user of the blockchain-based application. A time that the request is received is recorded on the blockchain. If the party to be served is determined to be a registered user of the blockchain-based application, identifying one or more manners of delivering the notice based on available communication methods included in the registration information of the serving party and registration information of the party to be served. The notice to the party to be served is determined based on at least one of the one or more manners.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: July 13, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Zhiguo Li
  • Patent number: 11057194
    Abstract: A processing system includes a first processing unit; a second processing unit; and a cryptographic coprocessor communicatively coupled to the first processing unit and the second processing unit. The cryptographic coprocessor includes a key storage memory for storing a cryptographic key; a first interface configured to receive source data to be processed directly from the first processing unit; a hardware cryptographic engine configured to process the source data as a function of the cryptographic key stored in the key storage memory; a second interface configured to receive a first cryptographic key directly from the second processing unit; and a hardware key management circuit configured to store the first cryptographic key in the key storage memory.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: July 6, 2021
    Assignees: STMICROELECTRONICS S.R.L., STMICROELECTRONICS APPLICATION GMBH
    Inventors: Roberto Colombo, Guido Marco Bertoni, William Orlando, Roberta Vittimani
  • Patent number: 11050770
    Abstract: A network defense system can include a sensor alert ingestion framework adapted to monitor network activity and alert detected or suspected anomalies. A network analyzer may be coupled to the sensor alert ingestion framework to analyze the anomalies. A course of action (CoA) simulator may be coupled to the network analyzer adapted to generate a list of decisions including courses of action to address the anomalies. There may be a training and feedback unit coupled to the CoA simulator to train the system to improve responses in addressing future anomalies.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: June 29, 2021
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Soumendra Nanda, Rebecca Cathey, Lawrence A. Clough, Jr., Adrian E. Conway, Fang Liu