Abstract: A method for key agreement between a first party and a second party over a public communications channel, the method including selecting, by the first party, from a semigroup, a first value “a”; multiplying the first value “a” by a second value “b” to create a third value “d”, the second value “b” being selected from the semigroup; sending the third value “d” to the second party; receiving, from the second party, a fourth value “e”, the fourth value comprising the second value “b” multiplied by a fifth value “c” selected by the second party from the semigroup; and creating a shared secret by multiplying the first value “a” with the fourth value “e”, wherein the shared secret matches the third value “d” multiplied by the fifth value “c”.

Abstract: Artificial intelligence, big data, and crowd sourcing techniques are utilized to efficiently and effectively determine permissions that should be granted to a party within an organization. In one example, the permissions granted to a party within an organization are determined using one or more algorithms to identify, weight, and correlate historical and current permissions to party attributes for parties within the organization and/or for similar parties in similar organizations. In one example, the activity of the party within the organization is then monitored and the permissions granted the party are automatically modified as needed to allow the party to perform their tasks in the organization as the party's responsibilities within the organization evolve.

Abstract: A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, an apparatus, and a system, where a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection, and carries a destination Internet Protocol (IP) address. The controller collects statistical data reported by the first packet forwarding device, obtains, according to the statistical data, a statistical value of global traffic flowing to the destination IP address, and delivers a DDoS prevention policy to a second packet forwarding device based on a determining result that the statistical value of the global traffic exceeds the preset threshold.

Abstract: A technique for detecting malware uses hardware capabilities of the processing element of a programmable device to detect modification of executable code during execution. By monitoring a dirty bit in page tables, pages that have been modified can be detected, allowing analysis of those pages during execution. An indication may then be passed to an anti-malware software to analyze the executable further.

Abstract: In a system including a terminal device where a plurality of apps are installed and can be executed and a management device capable of communicating with the terminal device; even if the terminal device does not have an advanced security function such as a secure boot, the validity of apps is determined in conjunction with the reliable management device. The management device stores specific values uniquely calculated respectively from a plurality of apps installed on the terminal device, as a plurality of installation-time specific values. The system causes the terminal device to calculate a specific value uniquely calculated from one app, as an execution-time specific value, and determines that the app is authentic if the calculated execution-time specific value matches one of the installation-time specific values stored in the management device.

Abstract: A vehicular data conversion apparatus includes: an acquisition portion that acquires vehicle data from a vehicle; a first storage portion that stores a data processing method for outputting the vehicle data to an outside of the vehicle in accordance with a classification level corresponding to the vehicle data acquired by the acquisition portion; and an output portion that outputs the vehicle data that has been converted in accordance with the data processing method stored in the first storage portion.

Abstract: An aspect includes storing data elements in a storage space of a memory device. The storage space is allocated for an account of a subscriber of a universal subscriber identification system. An aspect also includes assigning subscriber-inputted security levels to the data elements. The security levels define varying degrees of access protections associated with the data elements. An aspect further includes generating a security envelope that includes a data element selected from the storage space. The security envelope is configured with an access protection scheme that is commensurate with a corresponding assigned security level. An aspect also includes providing access to the selected data element by another subscriber of the universal subscriber identification system via the security envelope. The access is provided in accordance with the access protection scheme.

Abstract: An authentication request including at least one of a user identifier and a wearable device identifier of a user is received at a server from a terminal. The server stores a relationship between the user identifier, the wearable device identifier, and a server authentication key. Downlink authentication information is acquired by the server. A detection instruction including the downlink authentication information and the wearable device identifier is issued to the terminal. A detection acknowledgment returned by the terminal is received by the server. The detection acknowledgment includes uplink authentication information generated by a wearable device designated in the detection instruction, according to a device authentication key and the downlink authentication information. The device authentication key is the same as, or corresponds to, the server authentication key.

Abstract: A request a request to perform a cryptographic operation is received, the request including a first identifier assigned to a key group, the key group comprising a plurality of second identifiers, with the plurality of second identifiers corresponding to a plurality of cryptographic keys. A second identifier is determined, according to a distribution scheme, from the plurality of second identifiers, and the cryptographic operation is performed using a cryptographic key of the plurality of cryptographic keys that corresponds to the second identifier that was determined.

Abstract: Disclosed herein are systems and methods of executing scanning software, such an executable software program or script (e.g., PowerShell script), by a computing device of an enterprise, such as a security server, may instruct the computing device to search all or a subset of computing devices in an enterprise network. The scanning software may identify PowerShell scripts containing particular malware attributes, according to a malicious-code dataset. The computing system executing the scanning software may scan through the identified PowerShell scripts to identify particular strings, values, or code-portions, and take a remedial action according to the scanning software programming.

Abstract: The present embodiments relate to entry and management of identifiers and credentials. The present embodiments display a credential affordance that, upon selection, provides a credential-assistance user interface for enabling swift access to various credential and management options. The credential affordance can be displayed based on a determination by electronic device that a webpage includes a text entry field associated with a set of one or more restricted resources (e.g., document and/or webpage).

Abstract: The present disclosure provides method and system for dynamically adapting privacy and security for IoT communication. The method determines allowance of pre-engagement communication between communicating local entity (CLE) and communicating remote entity (CRE) based on perception information formed for the CRE. The method determines session filters to be applied during pre-engagement communication to identify violations. Further, if interest level for the pre-engagement communication is greater than a predefined threshold, engagement communication is established between the CRE and CLE. During the engagement communication, engagement filters are determined and applied to identify any violations. Further, during the engagement communication, one or more privacy and security related events are identified and actions are also identified to handle the one or more privacy and security related events, for dynamically adapting privacy and security for IoT communication.

Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.

Abstract: A system may include a client device to connect to a network and a network device communicatively coupled to the client device. The network device may determine that the client device has been authenticated to the network via a captive portal page. The network device may further create a ticket corresponding to the client device. Possession of the ticket by the client device may indicate authentication of the client device to the network. The network device may then transmit the ticket to the client device for storage on the client device. The stored ticket may enable the client device to remain authenticated to the network after a period of inactivity.

Abstract: A method for providing external access into a secured networked virtualization environment, includes performing a leadership election amongst nodes of the secured networked virtualization environment to elect a leader node, assigning a cluster virtual IP address to the leader node and generating a reverse tunnel, using a processor, by the leader node to allow for an external entity to communicate with the secured networked virtualization environment.

Abstract: The present disclosure discloses a message attack defense method and apparatus. The method includes: receiving, by a controller, a report message sent by at least one switch; respectively storing, by the controller in a switch queue corresponding to each switch, the received report message that is sent by each switch; and performing, by the controller, round-robin scheduling on the switch queue corresponding to each switch.

Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.

Abstract: A method for identifying user information includes obtaining a first user identifier of a user in a social network; obtaining identity authentication information corresponding to the first user identifier; determining whether the identity authentication information is associated with a second user identifier; and storing, when the identity authentication information is associated with the second user identifier, an association relationship between the first user identifier and the second user identifier.

Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Abstract: When a user enters a resource provider location with a portable communication device, the portable communication device provides an indication to a transaction processing system that the portable communication device is currently at the resource provider location. At a later time when the user conducts a transaction with a portable transaction device, the fact that the user's portable communication device had been detected at the resource provider a short time ago is taken into account as a positive indicator that the transaction is not fraudulent. By verifying that both the portable communication device and the portable transaction device are present at the resource provider, the risk of approving a fraudulent transaction from a stolen portable transaction device can be reduced.