Patents Issued on December 19, 2017
-
Patent number: 9847968
Abstract: A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts.
Type: Grant
Filed: March 10, 2015
Date of Patent: December 19, 2017
Assignee: Vectra Networks, Inc.
Inventors: Nicolas Beauchesne, Monty Sher Gill, Oliver Kourosh Tavakoli
-
Patent number: 9847969
Abstract: A computer readable storage medium includes executable instructions to receive a service execution request from a closed domain. The service execution request has mark-up language expressions characterizing a form definition within a closed domain. The service execution request is hosted as a resident service responsive to service requests. A request for the resident service is received. In response to the request, the resident service is executed to form a rendered object with a format universally observed in the open domain. The rendered object corresponds to the form definition within the closed domain. The rendered object is sent across the open domain to an end user. Open domain data prompted by the rendered object is received.
Type: Grant
Filed: February 23, 2012
Date of Patent: December 19, 2017
Assignee: Nintex Pty Limited
Inventors: Stephen Robert Heaney, Tahsin Murat Boduroglu, Brian Geoffrey Cook
-
Patent number: 9847970
Abstract: Functionality is disclosed herein for regulating bandwidth that is available for network traffic flowing through a data communications network. In response to attack traffic being detected, one or more traffic regulators are set to control an available bandwidth to be used by the attack traffic. The one or more traffic regulators are adjusted until an attack is no longer detected. After the attack ends, the traffic regulator may be disabled or set to a different mode of operation.
Type: Grant
Filed: April 30, 2014
Date of Patent: December 19, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Joseph Paul Zipperer, Andrew Bruce Dickinson, Kirk Arlo Petersen
-
Patent number: 9847971
Abstract: According to one aspect, a method includes coupling first and second security units in series between first and second networks. The first security unit obtains packets from the first network, and the second security unit obtains the packets from the first security unit. The first security unit includes first logic arranged to provide security. The second security unit includes second logic arranged to provide security. The method also includes configuring the second security unit in a bypass mode such that the second logic does not provide security, and obtaining a first packet from the first network via the first security unit. The first packet is identified as secure by the first logic. Finally, the method includes providing the first packet from the second security unit to the second network by passing the first packet through the second unit without using the second logic to provide security.
Type: Grant
Filed: November 3, 2015
Date of Patent: December 19, 2017
Assignee: Cisco Technology, Inc.
Inventors: Kishore Karighattam, Jian Wu, Madhusudhan Karnam Rao, Madhu Babu Kodali
-
Patent number: 9847972
Abstract: A method for secure communications between a transmitting computer and a receiving computer includes transmitting data from the transmitting computer over a first one-way link to a data security engine, receiving and validating the data within the data security engine, and, after validating the data, transmitting the data from the data security engine to the receiving computer over a second one-way link.
Type: Grant
Filed: February 27, 2017
Date of Patent: December 19, 2017
Assignee: WATERFALL SECURITY SOLUTIONS LTD.
Inventors: Lior Frenkel, Amir Zilberstein
-
Patent number: 9847973
Abstract: A measure of similarity between an identifier of a sender of the message and each identifier of one or more identifiers of each trusted contact of a plurality of trusted contacts of a recipient of the message is determined. In the event the sender of the message is not any of the trusted contacts but at least one of the measure of similarity between the identifier of the sender of the message and a selected identifier of a selected trusted contact of the plurality of trusted contacts meets a threshold, the message is modified, if applicable, to alter content of a data field that includes an identification of the sender of the message. The data field is one of a plurality of data fields included in a header of the message.
Type: Grant
Filed: March 8, 2017
Date of Patent: December 19, 2017
Assignee: Agari Data, Inc.
Inventors: Bjorn Markus Jakobsson, Theodore C. Loder, Jacob R. Rideout, Arthur Kwan Jakobsson, Michael L. Jones
-
Patent number: 9847974
Abstract: Disclosed are devices and methods for processing an image document in a client-server environment such that privacy of text information contained in the image document is preserved. Specifically, in a client-server environment, an image document can be processed using a local computerized device of a client to create an obfuscated document by identifying word images in the image document and scrambling those word images. The obfuscated document can be received by a server of a service provider over a network (e.g., the Internet) and processed by previously trained software (e.g., a previously trained convolutional neural network (CNN)) to recognize specific words represented by the scrambled images in the obfuscated document without having to reconstruct the image document. Since the image document is neither communicated over the network, nor reconstructed and stored on the server, privacy concerns are minimized.
Type: Grant
Filed: April 28, 2016
Date of Patent: December 19, 2017
Assignee: Xerox Corporation
Inventor: Pramod Sankar Kompalli
-
Patent number: 9847975
Abstract: A method of providing a household key to a client device, comprising receiving a key request including a subscriber identifier at an update server from a client device, and determining whether the subscriber identifier has previously been associated with a household encryption key. The household encryption key can be configured to be used by the client device to encrypt recordings of media content it makes and/or decrypt recordings of media content it previously made or that it receives from another client device that encrypted the recording using the household key. If the subscriber identifier has previously been associated with a household encryption key, the update server retrieves the household key and sends it to the client device. If the subscriber identifier has not previously been associated with a household encryption key, the update server retrieves a new household key from a pool, associates the new household key with the subscriber identifier, and sends it to the client device.
Type: Grant
Filed: September 11, 2014
Date of Patent: December 19, 2017
Assignee: ARRIS Enterprises LLC
Inventor: Alexander Medvinsky
-
Patent number: 9847976
Abstract: Digital data is optically broadcast through an environment by controllably switching the brightness or chrominance of LED solid state lamps, or of other illumination sources (e.g., television screens and backlit computer displays). This optical data channel is useful to convey cryptographic key data by which devices within the environment can authenticate themselves to a secure network. In some embodiments, the optical modulation is sensed by the camera of a smartphone. The row data output by the smartphone's camera sensor is processed to extract the modulated data signal. In some monochrome embodiments, data communication speeds far in excess of the camera's frame rate (e.g., 30/second), or even the camera's row rate (e.g., 14,400/second) are achieved. Still greater rates can be achieved by conveying different data in different chrominance channels. A great number of other features and arrangements are also detailed.
Type: Grant
Filed: April 8, 2015
Date of Patent: December 19, 2017
Assignee: Digimarc Corporation
Inventors: John D. Lord, John Stach
-
Patent number: 9847977
Abstract: A method for confidential electronic communication between a sender workstation and a receiver workstation is provided, whereby privacy is guaranteed for the electronic communications transmitted over the public Internet. The method of confidential communication is equipped with message tracking and message receipt verification. The system for implementing the method includes a sender server that creates a session content encryption key along with a message envelope that includes a content encryption key encrypted message and a confidential mail token. The content encryption key is stored securely inside the sender organization's system which transmits the message envelope to an intended recipient. The intended recipient processes the message envelope in order to generate a message receipt verification, which is transmitted to the sender. The message receipt verification is processed by the sender server to verify that the message envelope reached the intended recipient.
Type: Grant
Filed: June 29, 2007
Date of Patent: December 19, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Trevor W. Freeman, Mayank Mehta, Jeremy de Souza, Jeffrey B. Kay
-
Patent number: 9847978
Abstract: A method, system and computer program product for secure mobile affirmative consent management is provided and includes receiving from a requesting individual a request to manage affirmative consent with a different individual. In response, the requesting individual is prompted to specify a self-assessed indication of sobriety and a sobriety test is administered to the requesting individual and a performance scored. The scored performance is compared with a pre-stored typical performance for individuals having a same self-assessed indication and the self-assessed indication is validated based upon the comparison. A payload is received from the different individual, and combined with data identifying the requesting individual, and including the validated self-assessed indication. Finally, the combination is stored in remote storage.
Type: Grant
Filed: September 9, 2015
Date of Patent: December 19, 2017
Assignee: FAST DOG, LLC
Inventors: Steven M. Greenberg, Laurence Kahn
-
Patent number: 9847979
Abstract: Managing access to digital content within a particular domain, including: receiving the digital content at a first client device; decrypting the received digital content at the first client device using a first key; transcoding the digital content to another format; re-encrypting the transcoded content using a second key, wherein the second key is obtained by one of: (1) directly from a server; or (2) indirectly by deriving it locally based on information received from the server; and transmitting the re-encrypted content to a second client device, wherein the second client device obtains the second key and decrypts the re-encrypted content at the second client device.
Type: Grant
Filed: October 8, 2013
Date of Patent: December 19, 2017
Assignee: VERIMATRIX, INC.
Inventors: Petr Peterka, Niels Thorwirth, Kamil Saykali, Ali Hodjat, Steve Christian, Nikolai Keychenko, Tom Pollard
-
Patent number: 9847980
Abstract: To protect customer data and provide increased workflow security for processing requested by a customer, a secure communicational channel can be established between a customer and one or more hardware accelerators such that even processes executing on a host computing device hosting such hardware accelerators are excluded from the secure communicational channel. An encrypted bitstream is provided to hardware accelerators and the hardware accelerators obtain therefrom cryptographic information supporting the secure communicational channel with the customer. Such cryptographic information is stored and used exclusively from within the hardware accelerator, rendering it inaccessible to processes executing on a host computing device. The cryptographic information can be a shared secret, an appropriate one of a pair of cryptographic keys, or other like cryptographic information.
Type: Grant
Filed: June 17, 2015
Date of Patent: December 19, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Douglas Christopher Burger, Eric S. Chung, Kenneth Eguro
-
Patent number: 9847981
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for storing and retrieving encrypted data. In one aspect, a method includes receiving, at a server computer separate from a user device, a first encrypted resource encrypted by use of a public encryption key, wherein the public encryption key is paired with a private encryption key according to an asymmetric encryption key scheme; retrieving, by the server computer, a second encrypted resource encrypted by use of the public key; augmenting, by the server computer, the first encrypted resource with the second encrypted resource to form an encrypted data tuple; encrypting, by the server computer, the encrypted data tuple; and storing, by the server computer, the encrypted data tuple as the second encrypted resource.
Type: Grant
Filed: February 13, 2017
Date of Patent: December 19, 2017
Assignee: Google Inc.
Inventor: John Millikin
-
Patent number: 9847982
Abstract: An approach is provided for providing authentication using hashed personally identifiable information. The authentication platform processes and/or facilitates a processing of personally identifiable information associated with a device, a user of the device, or a combination thereof to cause, at least in part, a generation of hashed personally identifiable information. Next, the authentication platform causes, at least in part, a transmission of the hashed personally identifiable information to one or more network nodes in place of the personally identifiable information for use in one or more operations acting on the personally identifiable information.
Type: Grant
Filed: October 24, 2012
Date of Patent: December 19, 2017
Assignee: Nokia Technologies Oy
Inventors: Teemu Kääriäinen, Jari Tapio Otranen
-
Patent number: 9847983
Abstract: Technologies are disclosed herein for epoch-based expiration of temporary security credentials. A temporary security credential is issued that identifies one or more epochs and that specifies one or more versions of the identified epochs during which the temporary security credential is valid. The temporary security credential may then be utilized to request access to another system, service or component. In order to determine whether such a request may be granted, current epoch versions for the epochs identified in the temporary security credential are obtained. The current epoch versions for the identified epochs are then compared to epoch versions specified in the temporary security credential to determine if the request can be granted. The current epoch versions may be periodically modified in order to expire previously issued temporary security credentials. A temporary security credential might also specify an expiration time after which the temporary security credential is no longer valid.
Type: Grant
Filed: April 29, 2014
Date of Patent: December 19, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Benjamin Tillman Farley, Graeme David Baer
-
Patent number: 9847984
Abstract: A method for implementing response function agnostic, challenge-response authentication on a CE device includes sharing a series of proxy responses to a series of authentication challenges with a service provider, receiving an associated actual response from an initialization phase response function for each of the authentication challenges, where at least one of the initialization phase response function and a parameter required for the initialization phase response function is withheld from the service provider, encrypting each of the proxy responses with its associated actual response, thereby generating a series of encrypted proxy responses, storing the encrypted proxy responses on the CE device, receiving one of the authentication challenges from the service provider, inputting the authentication challenge to an operation phase response generator on the CE device, where the operation phase response generator is configured with the same response function used by the initialization phase response generator
Type: Grant
Filed: October 23, 2013
Date of Patent: December 19, 2017
Assignee: Cisco Technology, Inc.
Inventors: David Wachtfogel, Andrew Sinton
-
Patent number: 9847985
Abstract: An assembly management system allows a software service provider (SSP) to compile and upload client-specific client application code into a repository. The SSP deploys a client application comprising non-client-specific code to various clients. When a user logs in, a call is made to a web service, which queries the repository for code specific to the requesting client. If available, the web service sends a response with the name and version of the assembly to which the client is subscribed. If the locally-saved version does not match the version of the assembly in the repository, and if the SSP has permission to write to the client's disk, the web service retrieves the assembly and commits it to the disk. If the SSP does not have permission, the assembly is streamed to the client device and retained and executed in memory for the duration of the login.
Type: Grant
Filed: September 10, 2015
Date of Patent: December 19, 2017
Assignee: PASSPORT HEALTH COMMUNICATIONS, INC.
Inventors: Michael Peter Ochs, Edmond Chase Pilkington, Thomas Ryan Sears, David Stephen Phoebus
-
Patent number: 9847986
Abstract: In a networked environment, a client side application executed on a client device may transmit a request to an authorization service for access to a resource. The authorization service may authenticate the user of client device and/or the client device based on user credentials and/or a device identifier. In response to authenticating the user and/or the client device, the authorization service may send to the client side application a request for confirmation that the client device complies with a distribution rule associated with the resource, where the distribution rule requires a specific application or specific type of application to be installed, enabled and/or executing on the client device as a prerequisite to accessing the resource. If the client device complies with the distribution rule, the client side application accesses the resource. Accessing the resource may include receiving an authorization credential required for access to the resource.
Type: Grant
Filed: November 17, 2015
Date of Patent: December 19, 2017
Assignee: AirWatch LLC
Inventor: Erich Stuntebeck
-
Patent number: 9847987
Abstract: Technologies and implementations for providing a data center access and management settings transfer service are generally disclosed.
Type: Grant
Filed: November 17, 2015
Date of Patent: December 19, 2017
Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
Inventor: Ezekiel Kruglick
-
Patent number: 9847988
Abstract: A wireless local area network system establishes a PASSPOINT™ connection between a mobile station and a hotspot using an enhanced single SSID method or an enhanced dual SSID method. In the dual SSID method, an access point associates and authenticates a mobile device to a secondary SSID of the access point during enrollment and provisioning. After enrollment, the access point authenticates the mobile station to a primary SSID of the access point using the credential that the mobile station received from an online sign-up (“OSU”) server in connection with the secondary SSID. In the single SSID method, an access point performs two levels of authentication. During authentication, communications are limited to an 802.1x controlled port running on the mobile station and access point. After a first authentication, communications between the OSU server and the mobile station are unblocked. After the second authentication, all traffic from the mobile station is unblocked.
Type: Grant
Filed: November 23, 2015
Date of Patent: December 19, 2017
Assignee: STMICROELECTRONICS, INC.
Inventors: Liwen Chu, George A. Vlantis
-
Patent number: 9847989
Abstract: In some embodiments, the instant invention provides for a central identification management computer system that includes at least: a computer programmed with software instructions that at least include: code to receive a user registration request from a user who desires to establish a user identification profile; code to independently verify profile information of the user; code to register the user identification profile with the central identification management computer system; code to receive an identification request; code to generate a timed unique alpha-numeric identifier where the at least one first timed unique alpha-numeric identifier is associated with the user identification profile stored in the database of the central identification management system; code to transmit the timed unique alpha-numeric identifier in response to identification request; and code to record, in a permanent identification usage log, the timed unique alpha-numeric identifier, and a timestamp related to the identification
Type: Grant
Filed: April 14, 2016
Date of Patent: December 19, 2017
Inventors: Rex Hakimian, Oliver Etessami, Shawn Hakimian, Jason Hakimian
-
Patent number: 9847990
Abstract: Systems and methods are provided for determining applications that are co-installed on a device. In an aspect, a system includes a registration component that receives, from a device, a request to register a first application provided on the device with a notification service, the request comprising an account identifier associated with a user identity, a session token, and an identifier for the first application. The session token is derived from an authentication token that is unique to the user identity and the device. The system further includes an authentication component configured to authenticate the user identity using the session token, and a fingerprint component configured to receive a fingerprint of the authentication token based on authentication of the user identity using the session token, wherein the registration component is configured to associate the account identifier, the identifier for the first application, and the fingerprint with one another in a database.
Type: Grant
Filed: July 17, 2015
Date of Patent: December 19, 2017
Assignee: GOOGLE INC.
Inventors: Benoît de Boursetty, Nathan Hunt
-
Patent number: 9847991
Abstract: A method for managing user accounts in an application of an application provider, includes: receiving a request for proof of authentication to authenticate a user attempting to access the application, the user being registered with an identity provider having a trust relationship with the application provider; obtaining, from a local database, user data including authentication data and access rights data; authenticating the user by the authentication data; determining the user right to access the application, by the access rights data; determining the existence or absence of a user account associated with the user, by querying an external database managed by the application provider; if the user has the right to access the application and there is no user account associated with the user: triggering provisioning of the user account at an entity, generating a proof of authentication associated with the user, sending the proof of authentication to the application provider.
Type: Grant
Filed: May 13, 2015
Date of Patent: December 19, 2017
Assignee: EVIDIAN
Inventor: Christophe Guionneau
-
Patent number: 9847992
Abstract: Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities. Accordingly, the content distributor only retrieves content from a sender identified as the content provider when the sender identity is verified with a certificate issued by a certificate authority pinned to the content provider. To ensure secure delivery of content from the content distributor to an end user, the content distributor modifies the pinset of the user browser to pin the content distributor to one or more certificate authorities. Thereafter, the user browser only accepts content from a sender identified as the content distributor when the sender identity is verified with a certificate issued by a certificate authority pinned to the content distributor in the browser pinset.
Type: Grant
Filed: August 20, 2015
Date of Patent: December 19, 2017
Assignee: Verizon Digital Media Services Inc.
Inventors: Tin Zaw, Reed Morrison, Robert J. Peters
-
Patent number: 9847993
Abstract: The present invention relates to a method for accessing service/data of a first network from a second network for service/data access via the second network, comprising the steps of a) Pairing of a user device with the first network, b) Attaching the user device to the second network, c) Authenticating the user device with the second network, d) Providing connectivity information for services/data of the first network to the second network, e) Providing available services/data information by the first network to the second network, f) Accessing a service and/or data of the first network by the second network. The present invention relates also to a system for accessing service/data of a first network from a second network for service/data access via the second network.
Type: Grant
Filed: November 8, 2012
Date of Patent: December 19, 2017
Assignee: NEC CORPORATION
Inventors: Mischa Schmidt, Hans-Joerg Kolbe, Raihan Ul-Islam
-
Patent number: 9847994
Abstract: A method and system for providing a secure network. The system can have a URL programming interface, a server, and a database connected to the server. The server can be configured to receive requests from the URL programming interface. The server can include a file manager, an authentication server, a resource server, and a collaboration server.
Type: Grant
Filed: September 30, 2015
Date of Patent: December 19, 2017
Assignee: SURFDASH
Inventors: Jennifer Kelly, Robert Carr, Raymond Kelly, Seyed Safakish
-
Patent number: 9847995
Abstract: A system, method, and computer-readable medium for challenge-response authentication are provided. A plurality of codes is received over a communication network based on input provided by way of a user interface displaying a plurality of images. An alphanumeric string is generated based on the received plurality of codes and based on a table that associates each one of the plurality of codes with a respective one of the plurality of images and with a respective one of a plurality of alphanumeric characters. A determination is made as to whether to grant authorization based on whether the generated alphanumeric string matches an alphanumeric user identifier stored in a memory device in association with a user.
Type: Grant
Filed: November 5, 2015
Date of Patent: December 19, 2017
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventor: Samuel A. Bailey, Jr.
-
Patent number: 9847996
Abstract: A system, method, and computer readable medium that facilitate user authentication via voice biometrics in a network system featuring interactive voice response system access is provided. The voice biometric authentication mechanisms alleviate identity theft occurring via specific interactive voice response transactions. A voice biometrics authentication system interfaces with an interactive network platform and may be hosted by a third party provider of voice biometric technologies.
Type: Grant
Filed: October 12, 2015
Date of Patent: December 19, 2017
Assignee: West Corporation
Inventors: Andrea Whitmore, Aaron Scott Fisher, Steven John Schanbacher, Andrew Lawrence Groothuis, Jacob Ginsburg, Gerald Thomas Annin, Pamela J. Jacobs
-
Patent number: 9847997
Abstract: A server-side biometric authentication system is disclosed that can split data knowledge and processes, so that extensive collusion would be required in order for a fraudster to compromise the system. Biometric data provided by a user during authentication can be matched with a combination of pieces of a biometric template stored across two or more server(s), rather than on a consumer device as is typically done. More specifically, at the time of enrollment, a biometric template can be split into two or more fragments. Each of the fragments can be encrypted and stored on a template storage server. At a later point in time, during authentication, biometric data provided by a user (e.g., from a fingerprint) can be compared against a reconstructed version of the biometric template where each fragment of the template is retrieved from a matcher computer and combined together.
Type: Grant
Filed: November 11, 2015
Date of Patent: December 19, 2017
Assignee: Visa International Service Association
Inventor: Kim Wagner
-
Patent number: 9847998
Abstract: A system and method for delegating permissions to a third party are presented. A request to access a first computing resource of a computer server is received from a first user. The first user is prompted to supply a first authentication credential for access to the first computing resource of the computer server and the first authentication credential is received from the first user. After the first authentication credential is received, a request to access a second computing resource of the computer server is received from the first user. An authentication database is accessed to identify a second user associated with the second computing resource, and a request for a second authentication credential is transmitted to a second user. The second authentication credential is received from the second user. When the second authentication credential is received from the second user, the first user is given access to the second computing resource.
Type: Grant
Filed: May 21, 2015
Date of Patent: December 19, 2017
Assignee: Go Daddy Operating Company, LLC
Inventors: Arnold Blinn, Michael S. Bovich, Judd Conrad Jacobs, Jake Plains, Ian Schiffer, Lu Wang
-
Patent number: 9847999
Abstract: The present disclosure generally relates to techniques for managing a remote authorization to proceed with an action, such as creating a secure network connection. In some examples, a requesting device receives selection of one or more options. The requesting device transmits a request to proceed with an action to an authenticating device. The authenticating device concurrently displays an indication of the request to proceed with the action, information about the selected one or more options, and an indication of the requesting device. The authenticating device receives authorization to proceed with the action and transmits a response to the requesting device regarding the request to proceed with the action.
Type: Grant
Filed: September 19, 2016
Date of Patent: December 19, 2017
Assignee: Apple Inc.
Inventors: Marcel Van Os, Peter D. Anton, George R. Dicker, Donald W. Pitschel, Nicholas J. Shearer, Oluwatomiwa B. Alabi, Anton K. Diederich
-
Patent number: 9848000
Abstract: An example method for accessing a target resource in accordance with aspects of the present disclosure includes retrieving a configuration from a local profile associated with a user on a device, automatically completing a login form for a web interface based on the configuration, identifying a target resource by parsing a list of resources received from a server in response to the completed login form, and automatically launching the identified target resource based on the configuration.
Type: Grant
Filed: April 28, 2013
Date of Patent: December 19, 2017
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Zhi-Wei Yu, Matthieu Clemenceau
-
Patent number: 9848001
Abstract: Securing access to one or more applications in an enterprise zone (e.g., a set of protected applications) is disclosed. A last activity time associated with a use of at least one mobile application in the protected subset may be retrieved from a shared storage location associated with a protected subset of two or more protected mobile applications. It may be determined that the last activity time is within a session expiration time period associated with the protected subset. Access to one or more applications in the protected subset may be allowed without credential verification based at least in part on the determination.
Type: Grant
Filed: October 30, 2015
Date of Patent: December 19, 2017
Assignee: MOBILE IRON, INC.
Inventors: Mansu Kim, Joshua Sirota, Suresh Kumar Batchu
-
Patent number: 9848002
Abstract: A system for integrating modules of computer code may include a sandbox validator for receiving a first module and verifying that the first module complies with one or more sandbox constraints. A computing device may execute the first module within a runtime environment. A module integrator may operate within the runtime environment for receiving a request from the first module to access a service provided by a second module and only allowing the first module to access the service when the first module is authorized to access the service according to a service authorization table. The sandbox validator may ensure the first module correctly identifies itself when requesting a service provided by another module and that the first module includes runtime policing functions for non-deterministic operations. A service authorizer may generate an authorization policy for the first module, which is sent to the computing device along with the first module.
Type: Grant
Filed: October 11, 2016
Date of Patent: December 19, 2017
Assignee: Guest Tek Interactive Entertainment Ltd.
Inventor: Gary R. Court
-
Patent number: 9848003
Abstract: A legitimate voice or video communication application modifies data in a communication session to produce a watermark. The watermark is a piece of information that is part of a communication session that is not readily observable, but can be verified later on. The purpose of a watermark is to verify that the communication session is a legitimate communication session and does not pose a security breach. The video or audio communication session is monitored for a watermark. In response to determining that the communication session contains the watermark, the communication session is allowed to continue. In response to determining that the communication session does not contain the watermark, the communication session is identified as a potential security breach. If the communication session is identified as a potential security breach, the communication session can be dropped and a user can be notified of the potential security breach.
Type: Grant
Filed: June 23, 2014
Date of Patent: December 19, 2017
Assignee: Avaya Inc.
Inventors: Gilman R. Stevens, Chandrasekhar Manchenella, Dragan Grebovich
-
Patent number: 9848004
Abstract: A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a network, stripping packet header data from the captured IP packets, calculating a cyclic redundancy code (CRC) from one or more fields of the packet header data, determining whether any packet header data has occurred multiple times by comparing the calculated CRC to stored CRCs in each of successive entries in a cache, and storing, in a database, only a single instance of packet header data for any packet header data that is determined to have occurred multiple times.
Type: Grant
Filed: July 9, 2014
Date of Patent: December 19, 2017
Assignee: The Boeing Company
Inventors: Stephen Knapp, Timothy Mark Aldrich
-
Patent number: 9848005
Abstract: The present disclosure discloses a system and method for dynamically modifying role based access control for a client based on the activity. Generally, a client device is granted access to a network resource based on a first reputation score assigned to the client device. The activity of the client device is monitored. Responsive to monitoring the activity of the client device, a second reputation score is determined for the client device based on the activity. The access by the client device to the network resource is then modified to be granted based on the second reputation score.
Type: Grant
Filed: July 29, 2014
Date of Patent: December 19, 2017
Assignee: ARUBA NETWORKS, INC.
Inventors: Ramesh Ardeli, Hari Krishna Kurmala
-
Patent number: 9848006
Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
Type: Grant
Filed: October 21, 2016
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Clifford E. Kahn, Stephen R. Hanna
-
Patent number: 9848007
Abstract: A machine may be configured to detect an anomalous event based on metrics pertaining to a production system. For example, the machine analyzes a time series of values associated with a metric pertaining to a production system. The machine identifies a pattern associated with the time series based on the analysis of the time series. The pattern may describe an occurrence of particular values at particular timestamps of the time series. The machine determines a range of potential values for a next timestamp in the time series based on the pattern. The machine assigns a score value to an actual value associated with the metric and corresponding to the next timestamp. The assigning of the score value may be based on a comparison of the actual value and the range of potential values. The machine identifies the actual value as a candidate for an alert based on the score value.
Type: Grant
Filed: September 30, 2014
Date of Patent: December 19, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Jieying Chen, Xiao Li, Deepak Kumar, Anmol Bhasin, Bhaskaran Devaraj
-
Patent number: 9848008
Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.
Type: Grant
Filed: November 1, 2016
Date of Patent: December 19, 2017
Assignee: Splunk Inc.
Inventors: Vijay Chauhan, Cary Noel, Wenhui Yu, Luke Murphey, Alexander Raitz, David Hazekamp
-
Patent number: 9848009
Abstract: Devices, systems, and methods of detecting whether an electronic device or computerized device or computer, is being controlled by a legitimate human user, or by an automated cyber-attack unit or malware or automatic script. The system monitors interactions performed via one or more input units of the electronic device. The system searches for abnormal input-user interactions; or for an abnormal discrepancy between: the input-unit gestures that were actually registered by the input unit, and the content that the electronic device reports as allegedly entered via such input units. A discrepancy or abnormality indicates that more-possibly, or necessarily or certainly, a malware or automated script is controlling the electronic device, rather than a legitimate human user. Optionally, an input-output aberration or interference is injected, in order to check for manual corrective actions that only a human user, and not an automated script, is able to perform.
Type: Grant
Filed: March 22, 2017
Date of Patent: December 19, 2017
Assignee: BioCatch Ltd.
Inventors: Avi Turgeman, Itai Novick
-
Patent number: 9848010
Abstract: Systems and methods for identifying and remediating malware-compromised mobile devices are disclosed. A computer-implemented method includes accessing, by a computing device, malware risk data; determining, by the computing device, a mobile device is at risk from malware based on the malware risk data; identifying, by the computing device, a set of connections of a user of the mobile device, wherein each connection in the set of connections is associated with a user computer device; identifying, by the computing device, at least one user computer device from the set of connections at risk from the malware; and outputting, by the computer device, a malware notification for the mobile device at risk and at least one user computer device at risk.
Type: Grant
Filed: November 24, 2015
Date of Patent: December 19, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Anne L. Bolgert, Richard J. Cohen, Miguel Sang, Krishna K. Yellepeddy
-
Patent number: 9848011
Abstract: An adaptable network security system includes trust mediator agents that are coupled to each network component. Trust mediator agents continuously detect changes in the security characteristics of the network and communicate the detected security characteristics to a trust mediator. Based on the security characteristics received from the trust mediator agents, the trust mediator adjusts security safeguards to maintain an acceptable level of security. Trust mediator also uses predetermined rules in determining whether to adjust security safeguards. Despite inevitable changes in security characteristics, an acceptable level of security and efficient network operation are achieved without subjecting users of the network to over burdensome security safeguards.
Type: Grant
Filed: March 10, 2017
Date of Patent: December 19, 2017
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventor: Samuel A. Bailey, Jr.
-
Patent number: 9848013
Abstract: Provided are methods and systems for detecting a DoS attack when initiating a secure session. A method for detecting a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with sending a pre-generated key to the client. The method may further include establishing that the request from the client is suspected of the DoS attack. The establishment may be performed based on further actions associated with the client.
Type: Grant
Filed: February 5, 2015
Date of Patent: December 19, 2017
Assignee: A10 NETWORKS, INC.
Inventors: Yang Yang, Ali Golshan
-
Patent number: 9848014
Abstract: A method includes performing, by a processor of a network controller of a network: storing device identifications corresponding to respective ones of a plurality of devices connected via the network, respectively, storing an association between a first one and a second one of the plurality of devices, the association being represented as a pairing identification code corresponding to the first and second ones of the plurality of devices, receiving a communication from an intruder device, the communication comprising the device identification corresponding to one of the first and the second ones of the plurality of devices, sending a request to the intruder device to communicate the pairing identification code, and denying access to the network to the intruder device responsive to the intruder device failing to communicate the pairing identification code.
Type: Grant
Filed: January 28, 2016
Date of Patent: December 19, 2017
Assignee: CA, Inc.
Inventors: Jameel Ahmed Kaladgi, Kiran Kumar B. S., Praveen Kumar Thakur
-
Patent number: 9848015
Abstract: A domain name registering entity (such as a domain registry, registrar, or reseller) or an independent proxy registration service may offer a domain name hijack protection to their actual or potential customers. When a domain name transfer request or notice is received, the domain name registering entity or the proxy registration service may ignore or decline it. Customers may be given an ability to turn the domain name hijack protection service on and off, as well as an ability to adjust a variety of settings associated with the service.
Type: Grant
Filed: December 15, 2015
Date of Patent: December 19, 2017
Assignee: Go Daddy Operating Company, LLC
Inventor: Robert R. Parsons
-
Patent number: 9848016
Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
Type: Grant
Filed: November 14, 2016
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
-
Patent number: 9848017
Abstract: Techniques for identity and policy based routing are presented. A resource is initiated on a device with a resource identity and role assignments along with policies are obtained for the resource. A customized network is created for the resource using a device address for the device, the resource identity, the role assignments, and the policies.
Type: Grant
Filed: January 30, 2015
Date of Patent: December 19, 2017
Assignee: Micro Focus Software Inc.
Inventors: Jeremy Ray Brown, Jason Allen Sabin, Nathaniel Brent Kranendonk, Kal A. Larsen, Lloyd Leon Burch, Stephen R Carter
-
Patent number: 9848019
Abstract: A device may receive information that identifies a failover configuration associated with a user device. The failover configuration may identify a backup user device. The device may receive information indicating that a failover condition, identified in the failover configuration, has been satisfied. The device may identify the backup user device based on receiving the information indicating that the failover condition has been satisfied. The device may contact the backup user device based on identifying the backup user device. The device may determine that a service request, associated with a service and intended for the user device, is to be forwarded to the backup user device based on contacting the backup user device. The service may be identified by the failover configuration. The device may forward the service request to the backup user device to permit the backup user device to obtain the service rather than the user device.
Type: Grant
Filed: May 30, 2013
Date of Patent: December 19, 2017
Assignee: Verizon Patent and Licensing Inc.
Inventors: Lalit R. Kotecha, Bhaskar R. Gudlavenkatasiva