Patents Examined by Wasika Nipa
-
Patent number: 10673905
Abstract: Systems and methods are described to facilitate generation of access policies for a network-accessible service. An authorization service may use access policies to control whether requests to access a service are authorized. A user may submit to the authorization service a request to implement a “shadow” policy, to be compared to a currently in-force policy for a service during a specified period of time. During that period, the authorization service can evaluate requests to access the service under both the currently in-force policy for the service and the shadow policy. The user can then be notified of any requests for which different authorization results are given under the currently in-force policy and the shadow policy, thus enabling the user to verify that differences between the currently in-force policy and the shadow policy are intentional rather than the result of errors within the shadow policy or currently in-force policy.
Type: Grant
Filed: September 14, 2017
Date of Patent: June 2, 2020
Assignee: Amazon Technologies, Inc.
Inventor: Andrew Christopher Chud
-
Patent number: 10673836
Abstract: Method, system, and programs for performing two-factor authentication for a controlled access application via one or more third-party host verification servers. An example method includes receiving a request to a controlled access application after a user has successfully logged into an enterprise system with a first Identifier (ID) factor, the controlled access application requiring additional authentication with a second ID factor, obtaining first information to complete the second ID factor, at least some of the first information being obtained from the user, and generating a first web form using the first information. The method also includes submitting the first web form to a host verification server, receiving an indication of successful verification from the host verification server; and initiating, in response to receiving the indication of successful verification, access to the controlled access application.
Type: Grant
Filed: April 30, 2018
Date of Patent: June 2, 2020
Assignee: DRFIRST.COM, INC.
Inventor: Zilong Tang
-
Patent number: 10673615
Abstract: In one embodiment, data for use by a processor is stored in a memory. A network interface communicates over a network with a second device. At a processor, a Somewhat Homomorphic Encryption (SHE) of a plurality of secret shares is generated. The SHE of the plurality of secret shares is sent to the second device. The following is performed in a loop: a first result of a homomorphic exclusive-or operation performed by the second device on the SHE is received, a SHE of the first result is performed, yielding a second result, a SHE of the second result is performed yielding a third result, the third result is transmitted to the second device, and a final SHE result is received from the second device. The received final SHE result is decrypted in order to produce a final Somewhat Homomorphically Decrypted (SHD) output. The final SHD output is then output. Related methods, systems, and apparatus are also described.
Type: Grant
Filed: June 11, 2018
Date of Patent: June 2, 2020
Assignee: Cisco Technology, Inc.
Inventors: Aviad Kipnis, Alon Shaltiel, Yair Fodor
-
Patent number: 10666677
Abstract: An exemplary system method, and computer-accessible medium for initiating a protocol(s) can be provided, which can include, for example, generating a digitally encrypted perishable object(s), distributing the digitally encrypted perishable object(s) to a cyber-physical entity(s), determining if the cyber-physical entity(s) has received the digitally encrypted perishable object(s), and initiating at a predetermined protocol(s) based on the determination.
Type: Grant
Filed: September 23, 2015
Date of Patent: May 26, 2020
Assignees: New York University, Carnegie Mellon University
Inventors: Will Casey, Bhubaneswar Mishra
-
Patent number: 10666444
Abstract: A method is provided for controlling exchange of privacy sensitive data between a first certified party server (A) associated with a first party and at least a second certified party server (B) associated with a second party using a certified intermediate server (Y) subject to authorizations (XAB) imposed by an authorizing party (X), using a public network. Therein the first certified party server (A) transmits (S2) to the certified intermediate server (Y) a primary request (ARQ(IxA,?xA)) that includes a digitally signed primary request indication (IXA,?XA) comprising a primary request indication (IXA) specifying a set of privacy sensitive data units (XA) for which a copy (CXA) is requested and a digital signature (?XA) of said first party, associated with said primary request indication (IXA).
Type: Grant
Filed: November 11, 2016
Date of Patent: May 26, 2020
Assignee: Consumer Health Entrepreneurs B.V.
Inventor: Sven Berkvens-Matthijsse
-
Patent number: 10664616
Abstract: A trace comprising location data about a computing device is received at a mapping server, where the trace stores the location data about the computing device in an ordered set of points. The origin and destination of the trace are obscured. Then, the trace is then separated into a set of subtraces by dividing the received points of location data into a set of subtraces, and removing the links between subtraces of the set of subtraces. For example, subtraces can be divided based on size, distance, elapsed time, or features of interest present in the location data.
Type: Grant
Filed: March 19, 2018
Date of Patent: May 26, 2020
Assignee: Mapbox, Inc.
Inventors: Morgan Herlocker, Laurier Rochon, David Michael Thompson
-
Patent number: 10659474
Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.
Type: Grant
Filed: January 24, 2019
Date of Patent: May 19, 2020
Assignee: Snap Inc.
Inventor: Subhash Sankuratripati
-
Patent number: 10650152
Abstract: A system and method to control access to data are disclosed. A request for a subject to perform an action on an object is received. A determination is made whether a policy for the subject limits the action to an object with integrity protection. The action is performed based on determining the object has integrity protection. The request is rejected based on determining the object does not have integrity protection.
Type: Grant
Filed: June 9, 2016
Date of Patent: May 12, 2020
Assignee: BlackBerry Limited
Inventor: Glenn Daniel Wurster
-
Patent number: 10649916
Abstract: A non-volatile memory is organized in pages and has a word writing granularity of one or more bytes and a block erasing granularity of one or more pages. Logical addresses are scrambling into physical addresses used to perform operations in the non-volatile memory. The scrambling includes scrambling logical data addresses based on a page structure of the non-volatile memory and scrambling logical code addresses based on a word structure of the non-volatile memory.
Type: Grant
Filed: April 13, 2017
Date of Patent: May 12, 2020
Assignees: STMicroelectronics (Rousset) SAS, Proton World International N.V.
Inventors: Michael Peeters, Fabrice Marinet, Jean-Louis Modave
-
Patent number: 10642985
Abstract: The disclosed embodiment provides a method and device for vulnerability scanning, the method comprising: a reverse scanning agent module acquires a client message; the reverse scanning agent module transmits the client message to a vulnerability scanner, enabling the vulnerability scanner to identify a vulnerability of the client according to the client message; or the reverse scanning agent module identifies the vulnerability of the client according to the client message and transmits the vulnerability to the vulnerability scanner; the reverse scanning agent module receives a control instruction from the vulnerability scanner, changes operation manner and/or mode according to the control instruction, and updates a vulnerability rule.
Type: Grant
Filed: June 5, 2017
Date of Patent: May 5, 2020
Assignees: NSFOCUS INFORMATION TECHNOLOGY CO., LTD., NSFOCUS TECHNOLOGIES INC.
Inventor: Ying Li
-
Patent number: 10645105
Abstract: Provided are a network attack detection method and device.
Type: Grant
Filed: August 17, 2016
Date of Patent: May 5, 2020
Assignees: NSFOCUS INFORMATION TECHNOLOGY CO., LTD., NSFOCUS TECHNOLOGIES, INC.
Inventor: Junli Shen
-
Patent number: 10630683
Abstract: In an aspect, a wireless communication between a transmitter and a receiver involves determining updated keys according to a key management process for MAC layer encryption. Such key is propagated to a transmitter MAC and though a receiver key management process to a receiver MAC. After a delay, transmitter MAC device begins using the updated key, instead of a prior key, for payload encryption. Receiver MAC continues to use the prior key until a packet that was accurately received fails a message integrity/authentication check. Then, the receiver MAC swaps in the updated key and continues to process received packets. The packet data that failed the message integrity check is discarded. Transmitter MAC retries the failed packet at a later time, and if the packet was accurately received and was encrypted by the transmitter MAC using the updated key, then the receiver will determine that the message is authentic and will receive it and acknowledge it.
Type: Grant
Filed: December 2, 2016
Date of Patent: April 21, 2020
Assignee: Imagination Technologies Limited
Inventor: Chakra Parvathaneni
-
Patent number: 10630489
Abstract: An apparatus and a method for managing user identity, the method comprising: establishing a connection secured with Transport Layer Security (TLS) from a client device to an IRP server; authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA); upon request from the client device, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device; upon request from the client device, registering or retrieving at the IRP server one or more digital certificate; sending from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection; upon request from the client device, returning a signed digital certificate from the IRP server to the client device; sending a PKCS #12 package from the client device to the IRP server; and upon request from the client device, returning a PKCS #12 package from t
Type: Grant
Filed: January 15, 2016
Date of Patent: April 21, 2020
Assignee: SIXSCAPE COMMUNICATIONS PTE LTD.
Inventor: Lawrence Hughes
-
Patent number: 10630647
Abstract: A controller and an accessory controllable by the controller can communicate using secure read and write procedures. The procedures can include encrypting identifiers of accessory characteristics targeted by a read or write operation as well as any data being read or written. The procedures can also include the accessory returning a cryptographically signed response verifying receipt and execution of the read or write instruction. In some instances, a write procedure can be implemented as a timed write in which a first instruction containing the write data is sent separately from a second instruction to execute the write operation; the accessory can disregard the write data if the second instruction is not received within a timeout period after receiving the first instruction.
Type: Grant
Filed: January 6, 2017
Date of Patent: April 21, 2020
Assignee: Apple Inc.
Inventors: Kevin P. McLaughlin, Anush G. Nadathur, Matthew C. Lucas, Srinivas Rama, Dennis Mathews
-
Patent number: 10623374
Abstract: Described technologies automatically detect candidate networks having external nodes which communicate with nodes of a local network; a candidate external network can be identified even when the external nodes are owned by a different entity than the local network's owner. A list of network addresses which communicated with local network nodes is culled to obtain addresses likely to communicate in the future. A graph of local and external nodes is built, and connection strengths are assessed. A candidate network is identified, based on criteria such as connection frequency and duration, domain membership, address stability, address proximity, and others, using cutoff values that are set by default or by user action. The candidate network identification is then utilized as a basis for improved security though virtual private network establishment, improved bandwidth allocation, improved traffic anomaly detection, or network consolidation, for example.
Type: Grant
Filed: June 9, 2017
Date of Patent: April 14, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Moshe Israel, Ben Kliger, Michael Zeev Bargury
-
Patent number: 10616281
Abstract: Systems and methods are described to facilitate generation of access policies for a network-accessible service. An authorization service may use access policies to control whether requests to access a network-accessible service are authorized. A user may submit to the authorization service a request to programmatically generate an access policy based on requests received at the network-accessible service during a training period, such that the access policy, if applied to the requests received during the training period, would result in an authorization result specified by the user. The authorization service may gather information regarding requests received during the training period, and thereafter programmatically generate an access policy based on parameter values, such as source identifiers, called functions, or authorization tokens, present within requests received during the training period.
Type: Grant
Filed: September 14, 2017
Date of Patent: April 7, 2020
Assignee: Amazon Technologies, Inc.
Inventor: Andrew Christopher Chud
-
Patent number: 10609054
Abstract: Methods, systems, and computer readable media for monitoring, adjusting, and utilizing latency associated with accessing distributed computing resources are disclosed. One method includes measuring a first latency associated with accessing a first computing resource located at a first site. The method further includes the measuring a second latency associated with accessing a second computing resource located at a second site different from the first site. The method further includes selectively impairing transmission of packets to or processing of packets by at least one of the first and second computing resources in accordance with a performance, network security, or diagnostic goal.
Type: Grant
Filed: April 7, 2017
Date of Patent: March 31, 2020
Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (SALES) PTE. LTD.
Inventor: Stephen Samuel Jackson
-
Patent number: 10599851
Abstract: A malicious code analysis method and system, a data processing apparatus, and an electronic apparatus are provided. A behavior characteristic data corresponding to a suspicious file is received from the electronic apparatus via the data processing apparatus to analyze the behavior characteristic data. The behavior characteristic data corresponding to the suspicious file is compared with a malware characteristic data of each of a plurality of malicious codes to obtain a comparison result. And based on the comparison result, a representative attack code corresponding to the suspicious file is obtained and a precaution corresponding to the representative attack code is transmitted to the electronic apparatus.
Type: Grant
Filed: January 13, 2016
Date of Patent: March 24, 2020
Assignee: Wistron Corporation
Inventors: Hsiao-Wen Tin, Chih-Ming Chen
-
Patent number: 10581828
Abstract: A certification management system helps an organization develop and maintain a repository of current certification status of employees. The system may integrate multiple learning management systems and other enterprise level systems across the organization. The system facilitates identifying and enrolling targeted employees for any number and type of certification programs. The system may also implement and support reconfiguring certification programs, for example, during training, and enforcing recertification requirements according to maturing business needs. The system provides automated workflows that facilitate a formal, structured approach to the development and recognition of specific specialized skills at scale by infusing more consistency, rigor, and objectivity.
Type: Grant
Filed: June 26, 2015
Date of Patent: March 3, 2020
Assignee: Accenture Global Services Limited
Inventors: John Kessler, Monica A Larosa, Ashok P Vira, Abdulquader A Kinariwala, Siddhartha S. Dhamankar, Gordon Trujillo
-
Patent number: 10567962
Abstract: The disclosed computer-implemented method for connecting Internet-connected devices to wireless access points may include (1) receiving, over the Internet from a client device at a server, a request to connect the client device to an access point that is secured by a passcode, (2) transmitting a verification-request message from the server to the access point and/or the client device that instructs the access point and/or the client device to perform an action that enables the physical proximity of a user of the client device to the access point to be verified, (3) receiving a verification-response message that indicates that the user of the client device has physical access to the access point, and (4) enabling the client device to connect to the access point by transmitting, from the server to the client device, the passcode. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 11, 2015
Date of Patent: February 18, 2020
Assignee: Symantec Corporation
Inventor: Jin Lu