Patents Examined by Yogesh Paliwal
  • Patent number: 12381917
    Abstract: A method for updating a policy by a policy manager, that includes selecting, by the policy manager, a policy entry that includes an input and an implementation, performing a validation on the policy entry, making a first determination, based on the validation, that the implementation was not successful, and updating the policy, based on the first determination, to match the input.
    Type: Grant
    Filed: April 4, 2022
    Date of Patent: August 5, 2025
    Assignee: ARISTA NETWORKS, INC.
    Inventors: Sandip Shah, Robert Ling
  • Patent number: 12381728
    Abstract: Embodiments described herein enable a user to bypass the use of one-time keys or account recovery codes by providing techniques for accessory assisted account recovery. In various embodiments, accessory assisted account recovery makes use of an accessory device of a user, where the accessory device can be any device having a secure processor, cryptographic engine, public key accelerator, or is otherwise able to accelerate cryptographic operations or perform cryptographic operations in a secure execution environment. An account recovery key can be split into multiple portions. At least one portion of the recovery key is then encrypted. The accessory device is then configured to be uniquely capable of decrypting the encrypted portion of an account recovery key.
    Type: Grant
    Filed: September 8, 2023
    Date of Patent: August 5, 2025
    Assignee: Apple Inc.
    Inventors: Yannick L Sierra, Lucia E. Ballard, Kyle C. Brogle, DJ Capelis
  • Patent number: 12381866
    Abstract: In some implementations, a system is provided for securely transferring access credentials from a mobile device that is exclusively operated by a single user, to a terminal device that is shared among multiple different users, via a session server. A session is established between the session server and the terminal device over a secure communication channel. The terminal device generates a key pair, transmits the public key to the session server, and stores the private key. The terminal device outputs a detectable code corresponding to the session. In response to detecting the detectable code, the mobile device transmits an access token payload to the session server. The session server transmits, to the terminal device, an encrypted access token that has been encrypted using the public key. The terminal device decrypts the encrypted access token using the stored private key, and provides operator access to the terminal device.
    Type: Grant
    Filed: November 28, 2023
    Date of Patent: August 5, 2025
    Assignee: Target Brands, Inc.
    Inventors: Andrew Guck, Carolina Clement, Emma Matthies, Manish Kumar Khedawat, Dustin Gundrum, Joshua Scott Jenquist
  • Patent number: 12368580
    Abstract: The method provides an automated and scalable system for the generation, distribution, management of symmetric pre-shared keys (PSKs) to applications executing on headless and mobile devices. It helps achieve device protection, application security, and data protection with data authenticity and confidentiality in intra-device, inter-device, device-to-edge, and device-to-cloud communications. It helps Transport Layer Security (TLS) enabled applications dynamically acquire and renew PSKs and use identity hints for PSK based authentication ceremony during a TLS handshake. It helps client-server applications dynamically acquire and renew PSKs using keyed-hash message authentication code (HMAC) for data integrity and authenticity, content signing, and data encryption for confidentiality. It helps manage and distribute API shared secrets and API access tokens required for authenticated API requests and API security.
    Type: Grant
    Filed: April 26, 2023
    Date of Patent: July 22, 2025
    Assignee: SYMMERA INC.
    Inventor: Srinivas Kumar
  • Patent number: 12363114
    Abstract: A system and method are provided for authenticating client devices communicating with an enterprise system. The method includes providing a policy enforcement interceptor to intercept API calls and enabling the policy enforcement interceptor to communicate with a policy information point to query the at least one endpoint for entitlements associated with an account. The method also includes intercepting an API call to the application API, communicating with the policy information point to determine entitlements associated with the account by having the policy information point query an entitlements database and, when the entitlements returned to the policy enforcement interceptor are valid, invoking a policy decision point to validate the client device. The method also includes, when the client device is validated, permitting invocation of the API. The method also includes providing an API response to the client device to permit access to the application via the API.
    Type: Grant
    Filed: May 16, 2024
    Date of Patent: July 15, 2025
    Assignee: The Toronto-Dominion Bank
    Inventors: Christian Joseph Bouffard, Saeed Alhajyousef
  • Patent number: 12355867
    Abstract: Techniques for ensuring that geographic location specific security policies are enforced for an agent or agent device. An Agent service of an agent device accesses an Agent Authentication Service for a key to initiate one or more functions of the agent device. The Agent Authentication Service determines the location of the agent device and determines whether the agent device is within an approved geographic location based on geographic location specific security policies. If the agent device is within the approved geographic location, the Agent Authentication Service accesses a Key Management Service for a cryptographic key and delivers the cryptographic key to the Agent. If the Agent Authentication Service determines that the Agent device is outside of the approved location, access to the cryptographic key is denied.
    Type: Grant
    Filed: February 28, 2023
    Date of Patent: July 8, 2025
    Inventors: Kapildeep Singh Bakshi, Craig Thomas Hill, Raymond Allan Blair, Michael Alan Kowal, Steven M. Carter, Stephen Michael Orr
  • Patent number: 12328392
    Abstract: In the IKE or IPSec SA rekeying, whether the rekey exchange includes the cryptographic suite in the payload depends on whether the cryptographic suite used in the old SA is changed on both ends, e.g., the initiator and the responder. If the cryptographic suite is not changed, then the rekey exchange does not include the cryptographic suite. Additionally, in the IPSec SA rekey, if the flowing information is not changed in either end, the rekey exchange further does not include the Traffic Selector (TS). As such, the size of the payload is decreased, which saves bandwidth, processing time, and power in the course of the IKE SA or the IPSec SA rekey.
    Type: Grant
    Filed: December 21, 2023
    Date of Patent: June 10, 2025
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Sandeep Kampati, De Sheng, Dharmanandana Reddy Pothula, Bharath Soma Satya Meduri
  • Patent number: 12321461
    Abstract: An attack graph processing device includes a node extraction unit which extracts a node relating to a rule classified into a predetermined group from an attack graph that is configured from one or more nodes indicating the state of a system to be diagnosed, or the state of the primary agent of an attack on the system to be diagnosed, and one or more edges indicating the relationship among a plurality of nodes, the attack graph being generated using rules indicating a condition in which the attack can be executed, and a graph configuration unit which simplifies the attack graph on the basis of the extracted node.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: June 3, 2025
    Assignee: NEC CORPORATION
    Inventors: Masaki Inokuchi, Yoshinobu Ohta
  • Patent number: 12323539
    Abstract: Methods and systems for uses and/or improvements to blockchain technology. In particular, the methods and systems described herein implement a novel cryptographic resource standard that provides functionality for complex communications. The novel cryptographic resource standard allows for blockchain functions that may involve single cryptographic resource transfers or batch cryptographic resource transfers as well as on-chain batching of one or more cryptographic resources.
    Type: Grant
    Filed: October 4, 2022
    Date of Patent: June 3, 2025
    Assignee: Capital One Services, LLC
    Inventor: Imren Johar
  • Patent number: 12323510
    Abstract: A method and apparatus for providing user key material from a server to a client is disclosed. The method comprises receiving a first message from the client in a server, the first message having a user key material request, an access token and an identifier of a transport key (TrK-ID), validating the user key material request according to the access token, generating a response having user key material responsive to the user key material request, encrypting the response according to the transport key (TrK), and transmitting a second message comprising the response from the server to the client. The client decrypts the second message according to the transport key (TrK) and validates the second message using the identifier of the transport key (TrK-ID).
    Type: Grant
    Filed: March 18, 2024
    Date of Patent: June 3, 2025
    Assignee: ARRIS Enterprises LLC
    Inventor: Xin Qiu
  • Patent number: 12321455
    Abstract: Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
    Type: Grant
    Filed: February 14, 2024
    Date of Patent: June 3, 2025
    Assignee: Open Text Inc.
    Inventors: Andrew L. Sandoval, David Alan Myers, John R. Shaw, II, Eric Klonowski
  • Patent number: 12323479
    Abstract: While a stream device is streaming a media program from a multimedia device to a client device, the streaming device may be configured to send a first portion of the media program to the client device, where the first portion is transcoded from a first format into a second different format and adapted for a first playing mode of the client device. The streaming device may be configured to receive an indication of a user command from the client device specifying a second different playing mode of the client device. The streaming device may be configured to send a second different portion of the media program to the client device, where the second portion is transcoded from the first format to the second format and adapted for the second playing mode of the client device.
    Type: Grant
    Filed: November 19, 2021
    Date of Patent: June 3, 2025
    Assignee: Adeia Media Solutions Inc.
    Inventors: Robert Watts, Michael Minakami, Bhavya Bambhania
  • Patent number: 12316677
    Abstract: Aspects of the present disclosure provide methods, devices, and computer-readable storage media that support dynamic enforcement of access control policies in a standardized manner. An administrator console enables access control policies to be defined as classes that may be combined and leveraged to rapidly define access control policies for enforcement in a standardized manner. An interceptor operates to detect access requests and perform policy administration (e.g., determining to grant/deny access) for the access requests and where access is granted, initiate policy resolution (e.g., determine any restrictions on the granted access request). An enforcer provides functionality for enforcing policy resolution outcomes, such as restricting access to information stored in a database or disabling interactive elements of a user interface.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: May 27, 2025
    Assignee: Accenture Global Solutions Limited
    Inventors: Praveen Viswanathan, Bharath Kumar
  • Patent number: 12301607
    Abstract: In an example, a component analyzer can compute a respective part score for each part of the platform based on a part property table, and a respective connection score for each connection of the platform based on a connection property table. The component analyzer can provide the respective part and connection scores as score data to an architecture modeling engine to compute a probability model based on the score data and an architecture model. The probability model can include a part probability value and a connection probability value, and the architecture model can characterize a target architecture of the platform. A survivability analysis engine can evaluate the probability model and the architecture model to determine a likelihood that one or more potential cyber-attacks on the platform based on the target architecture are successful or unsuccessful in compromising at least one part of the platform.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: May 13, 2025
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Charles Connors, Geoffrey R. Janjua, Kenneth F. McKinney, Victoria Nagorski, Charles Negus, David Squiller, Lyndsay Walker, Matthew Ward, Kenneth R. Weidele
  • Patent number: 12294590
    Abstract: Methods, systems, and devices for access management are described. A software platform may identify devices of a botnet based on a cluster score associated with a device characteristic. For example, the software platform may receive a request from a device to access an application. The software platform may determine a cluster score for the characteristic of the device. The cluster score may be based on a link between the device and a list of devices (e.g., devices of a botnet). If the cluster score satisfies (e.g., exceeds) a cluster score threshold, the software platform may deny the access request. In some examples, the cluster score may be determined using machine learning techniques. Based on determining the cluster score, the software platform may efficiently identify devices of the botnet and prevent brute force attacks, which may improve reliability of access for users of the application.
    Type: Grant
    Filed: June 28, 2022
    Date of Patent: May 6, 2025
    Inventor: Tanvir Islam
  • Patent number: 12294860
    Abstract: The apparatus receives a first PDU and a first CRC that is based on the first PDU. The first PDU is encrypted based on a first nonce. The apparatus decrypts the first PDU to obtain a first payload and a first cipher stream. The apparatus soft combines the decrypted first payload with a decrypted set of payloads. The set of payloads have been encrypted based on at least one nonce different than the first nonce. The apparatus generates a second CRC based on the soft combined decrypted payloads and based on the first cipher stream. The apparatus determines whether the generated second CRC for the soft combined decrypted payloads passes a CRC check against the first CRC.
    Type: Grant
    Filed: December 6, 2022
    Date of Patent: May 6, 2025
    Assignee: Qualcomm Incorporated
    Inventors: Vishal Agarwal, Huibert Denboer, Giriraj Goyal
  • Patent number: 12292973
    Abstract: A method for generating a query filter list includes obtaining a set of training queries, each training query comprising a predicate and one or more accessed columns returned from evaluating the predicate, and transforming the set of training queries into a structure. The structure relates, for an accessed column and a training query, the predicate and a correlation value to the accessed column. The method further includes normalizing the structure into a normalized structure. The normalized structure groups entries in the structure according to accessed column. The method further includes generating a generalized query from the normalized structure, and adding the generalized query to the query filter list.
    Type: Grant
    Filed: February 22, 2022
    Date of Patent: May 6, 2025
    Assignee: Oracle International Corporation
    Inventors: Kostyantyn Vorobyov, Padmanabhan Krishnan
  • Patent number: 12294575
    Abstract: Aspects described herein may utilize self-federation in a plugin-based authentication system to support combinations of authentication processes. The authentication system may include a plugin that executes an authentication process that is a combination of two or more other authentication processes. This plugin may handle the combined authentication process by self-federating back to the authentication interface, generating its own authentication requests under each of the subsidiary authentication processes. Thus, the self-federating plugin corresponding to the combined authentication process may allow the authentication system to support authentication requests that indicate the combined authentication process. This “chained” authentication process, accomplished through self-federation, may allow the authentication system to reuse existing code paths and avoid downsides associated with duplication of code.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: May 6, 2025
    Inventors: Ayush Jain, Ricardo Feijoo
  • Patent number: 12294603
    Abstract: Live and legitimate user traffic is used with in depth knowledge of the business logic for an API specification to perform security testing on a set of APIs. The present system intercepts and analyzes application program interface (API) traffic, identifies user session data, and identifies traffic suitable to duplicate. The identified traffic is duplicated and modified by addition of malicious code. The modified code is then sent to its intended API destination, where it is processed as normal. The resulting response and other traffic as well as the API system and optionally other systems, such as datastore systems, are analyzed to determine if the malicious code resulted in a valid attack. Results from the modified code attack attempts are reported to a user.
    Type: Grant
    Filed: January 8, 2022
    Date of Patent: May 6, 2025
    Assignee: TRACEABLE INC
    Inventors: Inon Shkedy, Roshan Piyush, Sanjay Nagaraj, Satish Kumar Mittal, Juan Pablo Tosso Alvarez
  • Patent number: 12289318
    Abstract: A method and apparatus for inputting verification information, and a storage medium. The method is performed by a first terminal, and includes: sending, in response to a verification information request operation triggered by a user, a verification information request message to a verification server, where the verification information request message includes user communication identifier information, such that the verification server may generate verification information according to the verification information request message, and send the verification information to a second terminal corresponding to the user communication identifier information; receiving the verification information synchronized with the second terminal; and inputting the verification information into a displayed verification information input page.
    Type: Grant
    Filed: September 30, 2022
    Date of Patent: April 29, 2025
    Assignee: Beijing Xiaomi Mobile Software Co., Ltd.
    Inventor: Linger Zhao