Abstract: A method of linking a security policy stored in a policy database that is specific to an application in the application layer with a new corresponding process launched in the LINUX layer in a security system for an operating system running on a device that comprises a LINUX-based kernel. The system architecture is defined by a middleware layer between the LINUX layer associated with the kernel and the higher application layer comprising the applications.

Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

Abstract: A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set.

Abstract: A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender to send a message to a recipient. A URL message is created in response to receiving the request to send the message to the recipient and the URL message is sent to the recipient. A URL message response is received from the recipient and a landing message is sent to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and the message is sent to the recipient in response to receiving the answer.

Abstract: A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.

Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.

Abstract: A method, an apparatus and a system for preventing DDoS (Distributed Denial of Service) attacks in a cloud system. The method for preventing DDoS attacks in a cloud system includes: monitoring, by a protection node in a cloud system, data traffic input into virtual machines, where the cloud system includes the protection node and multiple virtual machines, and data streams communicated between the virtual machines pass through the protection node; extracting data streams to be input into virtual machines if it is detected that the data traffic input into the virtual machines is abnormal; sending the extracted data streams to a traffic cleaning apparatus for cleaning; receiving the data streams cleaned by the traffic cleaning apparatus; and inputting the cleaned data streams into the virtual machines. The technical solutions provided in the embodiments of the present disclosure can effectively prevent DDoS attacks between virtual machines in the cloud system.

Abstract: A device receives capability information associated with a next hop device of a wireless local area network (WLAN). The device also determines, based on the capability information, whether the next hop device is capable of implementing security for traffic, where the security includes a media access control (MAC) security standard and a layer 2 link security standard. The device further creates, via the MAC security standard, a secure channel with the next hop device when the next hop device is capable of providing security for traffic.

Abstract: Methods and apparatus are provided for generating a garbled circuit for a client in a leakage-resilient manner, for use in secure function evaluation between the client and a server. The garbled circuit is generated by obtaining a token from the server, wherein said token comprises a leakage-protected area; querying the token gate-by-gate, wherein for each gate of said garbled circuit, the token interacts with the leakage-protected area to generate a garbled table for the gate; and receiving the garbled circuit from the token. The client can interact with the server to obtain garbled inputs; and then evaluate the garbled circuit on the garbled inputs to obtain a garbled output. A final output can be obtained by matching the garbled output with an output table in the garbled circuit.

Abstract: In one embodiment, detecting network data, retrieving a whitelist associated with the detected network data, and selectively applying an intrusion prevention policy based on the retrieved whitelist are provided.

Abstract: A method and device for clustering virus files is provided. The method involves statically analyzing binary data of virus files to be clustered, so as to obtain PE structure data of the virus files. Further, based on a comparison of the PE structure data, those virus files with PE structure data meeting a specific similarity may be categorized into the same category. The device may include a first data analyzing module configured to extract PE structure data of virus files to be clustered by static analysis of binary data of the virus files. A first clustering module of the device may compare the PE structure data and cluster the virus files having the PE structure data meeting a specific similarity into the same category. The solution may improve efficiency of clustering computer virus files, reduce resource consumption, and avoid the risk of virus infection caused by dynamically running the virus files.

Abstract: A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data.

Abstract: A method of establishing secure communication between a first mobile computing device and a second mobile computing device includes generating a first self-signed key at the first mobile computing device, pairing the first device with a second device, the pairing including receiving user input of a passcode and after receiving the user input sending the first public key to the second mobile computing device and receiving a second public key from the second mobile computing device, storing the second public key in a database of trusted devices, the database of trusted devices being stored in the first mobile computing device, receiving in the first mobile computing device a list of mobile computing devices connected to a mobile network, matching the list of mobile computing device against the database of trusted devices, and establishing secure communication between the first mobile computing device and the second mobile computing device.

Abstract: A secure deterministic fabric includes switches that segregate data traffic requiring disparate levels of authentication or having different safety levels. Data may be segregated physically, utilizing different hardware; or virtually, by allocating certain assets such as memory blocks exclusively for certain levels of authentication. The secure deterministic fabric may include elements for safety monitoring and multi-level security monitoring.

Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.

Abstract: A communications system comprising a service processing system configured to receive a privacy request indicating a communication comprising a first user associated with a first communication device and a second user associated with a second communication device, send a query indicating the communication to a privacy system, receive a privacy message indicating whether the second user is private, and send a privacy instruction to the first communication device; the privacy system configured to receive the query, determine a privacy list for the first user, process the query with the privacy list to determine whether the second user is on the privacy list, and send the privacy message to the service processing system indicating that the second user is private; and the first communication device configured to receive the privacy instruction, and update a log, wherein, according to the privacy instruction, the second user is not indicated.

Abstract: Described systems and methods allow a biometric authentication system to process authentication requests, such as requests to authenticate handwritten signatures, received from a plurality of client systems, each covered by a service level agreement (SLA). The biometric authentication system includes a load balancer configured to distribute authentication tasks to a plurality of worker machines. In some embodiments, task distribution is performed according to an ability of each worker to process urgent tasks, to an ability of each worker to process non-urgent tasks, and further according to a relationship between a count of urgent requests and a count of non-urgent requests received by the biometric authentication system.

Abstract: A highly efficient access control system and method employing XACML standard based policies and rules provides high performance resource access control of information systems of large enterprises. The system and method extracts plain rules from the XACML policies, transforms the plain rules into atomic rules, and compresses and indexes the atomic rules for fast lookup and retrieval. Access requests are decomposed into atomic requests which are compressed using the same value mapping as the rules. Index keys derived from compressed atomic request triplets are used to look up applicable rules which are used to evaluate requests for access to information system resources.

Abstract: A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital right management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices.

Abstract: To improve network reliability and management in today's high-speed communication networks, we propose an intelligent system using adaptive statistical approaches. The system learns the normal behavior of the network. Deviations from the norm are detected and the information is combined in the probabilistic framework of a Bayesian network. The proposed system is thereby able to detect unknown or unseen faults. As demonstrated on real network data, this method can detect abnormal behavior before a fault actually occurs, giving the network management system (human or automated) the ability to avoid a potentially serious problem.

Abstract: Packet communication apparatus connects plural LANs to each other, in termination of a WAN that conducts data communication using handshake communication protocol. Apparatus buffers data packets between the LANs, and transfers, as a proxy, response packets and data packets to a terminal device. The apparatus stops transmission of data packets belonging to an arbitrary packet flow when the reception of the response packets belonging to the packet flow from the WAN is ceased for a network outage detection time or more set, while transmitting data packets belonging to the arbitrary packet flow. The apparatus retransmits a first data packet whose corresponding response packet is not received, belonging to the packet flow immediately after the data packet transmission stops, and retransmits all data packets whose corresponding response packets are not received, belonging to the packet flow, when receiving the response packets from the WAN.

Abstract: The present disclosure presents a system, method and apparatus herein enabling secure coupling of a computing device, such as a mobile device with an endpoint, such as an application server. The computing device can include any electronic device such as a computer, a server, an application server, a mobile device or tablet. The endpoint can be any electronic device as well that is located within an enterprise network. In at least one embodiment, the secure coupling of the mobile device with a computing device can include a security gateway server. In one example, the security gateway server can be a tunnel service server. In another embodiment, an application server can include a tunnel service module to provide the secure coupling with the mobile device.

Abstract: The disclosure discloses a method for protecting security of layer-3 mobility user plane data in Next Generation Network (NGN), includes: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining a shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; protecting security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also discloses a system for protecting security of layer-3 mobility user plane data in NGN.

Abstract: A method of communicating in a secure communication system, comprises the steps of assembling a message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.

Abstract: An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.

Abstract: According to one embodiment, a computer system executing a computer program is coupled to multiple secure network domains configured in a multi-level security architecture. The computer program simultaneously establishes a voice connection with a first terminal configured on a first secure network domain and a second terminal configured on a second secure network domain. The computer program may then selectively couple an electroacoustical transducer to the first terminal or the second terminal, and generate an indicator on a user interface indicating the security level of the selected terminal.

Abstract: A system includes an application access manager driver and an operating system (OS) kernel module in a kernel-mode address space of an OS. The system also includes application modules, a public application whitelist, a public application whitelist manager, a user/group application whitelist, and a user/group application whitelist manager in a user-mode address space of the OS. A method includes receiving a request to launch an application, calling a “create process” function in the OS kernel module, calling a pre-registered “create process” callback function to the application access manager driver, and determining whether the application is allowed to execute based on whether the application access manager driver identifies the application as an allowable process in either public application whitelist or user/group application whitelist.

Abstract: This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor.

Abstract: The present invention is directed towards systems and methods for managing one or more SSL sessions. A first node from a cluster of nodes intermediary between a client and a server may receive a first request from the client to use a first session established with the server. The first request may include a session identifier of the first session. The first node may determine that the first session is not identified in a cache of the first node. The first node may identify, via a hash table responsive to the determination, an owner node of the first session from the cluster using a key. The key may be determined based on the session identifier. The first node may send a second request to the identified owner node for session data of the first session. The session data may be for establishing a second session with the server.

Abstract: The invention presented herein consists of systems and methods of secure storage for sensitive and confidential data, such as personal identity data, along with methods of securely accessing that data, and transferring information from that data, as necessary.

Abstract: A system in a cloud services environment comprises one or more service offerings, one or more service instances and one or more service support utilities. Each of the one or more service offerings is described by at least one service descriptor. Each of the one or more service instances is obtained from at least one of the one or more service offerings. Each of the one or more service support utilities is customized by at least one service descriptor. A service comprises at least one component and a service descriptor comprises one or more models.

Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating a cryptographic evidence, called authentication/authorization evidence, AE, when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point being that AE results from the authentication process and is used as prior state for the following TLS exchange. An example for creation of AE, is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.

Abstract: A mechanism is provided for automatically logging into a cloud based system that does not accept token log-on credentials generated by a single sign-on service. In an embodiment, a one-time password is automatically generated and persisted. The generated password is used to log in automatically to a cloud based system that does not accept tokens generated by the web-ID providers and for connecting to other services. Examples of such systems may include Windows, Linux, and iOS.

Abstract: Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.

Abstract: Systems and methods may provide for receiving web content and detecting an access control attribute associated with the web content. Additionally, the access control attribute may be monitored for a disablement condition. In one example, the disablement condition may be detected, an access policy may be determined in response to the disablement condition, and the access policy may be implemented.

Abstract: A method is described for negotiating the use of multi-link ciphering and for the generation of unique keys for each of the links using a single 4-way handshake protocol exchange.

Abstract: Techniques to enforce policies with respect to managed files and/or endpoints are disclosed. A policy to be applied with respect to one or more files included in a synchronization set and/or an endpoint associated with the synchronization set is received. Compliance with the policy is ensured across a plurality of heterogeneous endpoints associated with the synchronization set.

Abstract: The present invention provides a new method for user centered privacy which works across all 3rd party sites where users post content, or even for encryption of emails. Users have an identity with a Hyde-It Identity provider (HIP) which authenticates the user to a Hyde-It Service (HITS) which performs key distribution. The functionality can be invoked through a user toolbar, built into the browser or be downloaded on demand via a bookmarklet.

Abstract: An apparatus for generating a decryption key for use to decrypt a block of encrypted instruction data being fetched from an instruction cache in a microprocessor at a fetch address includes a first multiplexer that selects a first key value from a plurality of key values based on a first portion of the fetch address. A second multiplexer selects a second key value from the plurality of key values based on the first portion of the fetch address. A rotater rotates the first key value based on a second portion of the fetch address. An arithmetic unit selectively adds or subtracts the rotated first key value to or from the second key value based on a third portion of the fetch address to generate the decryption key.

Abstract: A method of extending an integrity measurement in a trusted device operating in an embedded trusted platform by using a set of policy commands to extend a list of Platform Configuration Registers (PCRs) for the device and the current values of the listed PCRs and an integrity value identifying the integrity measurement into a policy register, verify a signature over the integrity value extended into the policy register, and, if verification succeeds, extend a verification key of the trusted platform, plus an indication that it is a verification key, into the policy register, compare the integrity value extended into the policy register with a value stored in the trusted platform, and, if they are the same: extend the stored value, plus an indication that it is a stored value, into the policy register, and extend the integrity measurement in the trusted device if the value in the policy register matches a value stored with the integrity measurement.

Abstract: A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device.

Abstract: A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.

Abstract: A method, system and computer program product related to an authentication security protocol, which associates a unique Abbreviated Session Identifier (ASI) with some application data packets transmitted, for example, from a client to a server. The present technology can be a modified version of the Transport Layer Security (TLS) protocol. A method of authentication comprises an initial setup comprising negotiating a secure network connection between client and server using TLS, providing a unique ASI by the server, associating the ASI with a TLS protocol session identifier, transmitting the unique ASI and the TLS protocol session identifier to the client, and establishing the secure network connection between the client and server. Subsequent data packets transferred between the client and server may include the unique ASI.

Abstract: A device is enabled to display Internet TV by accessing a management server with a secret unique ID and receiving back from the server, assuming the ID is approved, a user token and a service list of content servers with knowledge of the user token. A user can select a content server which causes the device to upload its user token and in response receive a content list from the content server, from which content can be selected for display. Neither list may be modified by the device and the device can access only content on a content list.

Abstract: A network element supports Transmission Control Protocol Authentication Option (TCP-AO) with a Key Management Protocol (KMP) to authenticate TCP segments over a TCP session. The network element negotiates multiple traffic keys to authenticate TCP segments over a TCP session with a peer network element, and protects the TCP session with the negotiated traffic keys.

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract: An apparatus for providing link layer security in a Physical Layer Transceiver (PHY) is disclosed. In one embodiment, the apparatus may comprise analog circuitry configured to interface with a data transmission medium, digital circuitry configured to interface with a Media Access Controller (MAC); and a crypto engine coupled to the digital circuitry. Single interface and multiple interface schemes are provided to control both PHY and crypto functions. Embodiments are disclosed where the PHY controls the crypto device, and where the crypto device controls the PHY.

Abstract: A process for converting a DTCP-IP transport stream into HLS format, comprising receiving an encrypted DTCP-IP transport stream comprising DTCP frames at a secondary device from a source device, with each of the plurality of DTCP frames comprising encrypted 16-byte portions, forming chunks from the DTCP frames by grouping encrypted 16-byte portions into a chunk, adding HLS padding bytes to the end of each chunk and encrypting the HLS padding bytes to form an encrypted chunk, loading each of the encrypted chunks and a playlist to a media proxy server at the secondary device, loading a DTCP key onto a security proxy server, and providing the playlist, each of the encrypted chunks, and the DTCP key to a native media player on the secondary device, such that the native media player follows the playlist to decrypt the encrypted chunks using the DTCP key and plays back the chunks.

Abstract: Information objects model real-world objects or concepts that may be associated with users, such as vehicles, homes, people, animals, accounts, places, and the like. The objects have a set of associated properties, which have corresponding required protection levels indicating a level of permission that another user must have to the object in order to be able to receive and access the value of that property in the object. Objects are stored by a framework using techniques that reduce or eliminate the possibility of unauthorized access. For example, an object is durably stored in encrypted form in device storage, with the values of properties encrypted in different manners according to the different corresponding protection levels. When sharing an object with another user or other entity, the required protection levels of the object properties are respected in order to prohibit the other entity from obtaining access to unauthorized portions of an object.

Abstract: A client includes a security agent configured to create a client certificate that corresponds to one or more client identifiers. A server includes a server certificate and is in communication with the security agent. The server is configured to facilitate establishing an initial mutually authenticated transport layer security (TLS) session with the client based on the client certificate and the server certificate. The server is also configured to extract the client certificate from the security agent once the TLS session is established. The server is configured to store the certificate as being associated with only the corresponding client identifier(s) and to categorize the association between the client certificate and the corresponding client identifier(s) as being secure but not trusted for the client until the identity of the client has been verified. Moreover, the server is configured to receive an indication that the identity of the client has been verified.