Security Levels Patents (Class 713/166)
  • Patent number: 9985940
    Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as they leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: May 29, 2018
    Assignee: International Business Machines Corporation
    Inventors: Eric L. Barsness, Michael J. Branson, John M. Santosuosso
  • Patent number: 9977915
    Abstract: Systems for controlling access to a database are provided. A system may include a computing platform that may receive a request to access a database from a computing device. A unique identifier of the computing device may be compared to pre-registered device identifiers to determine whether the computing device is authorized to access the database. If not, the computing platform may prevent the computing device from accessing the database. If the computing device is authorized to access the database, the system may receive credentials from a user associated with the computing device. The system may determine whether the credentials of the user match credentials of a user authorized to access the database. If not, the system may prevent the user from accessing the database. If the user is authorized to access the database, the system may determine one or more types of data the user is authorized to access.
    Type: Grant
    Filed: April 19, 2016
    Date of Patent: May 22, 2018
    Assignee: Bank of America Corporation
    Inventors: Senthil Ramachandran Subramanian, Satya V. Rao Iruku
  • Patent number: 9979742
    Abstract: A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: May 22, 2018
    Assignee: Palo Alto Networks (Israel Analytics) Ltd.
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Patent number: 9971902
    Abstract: A terminal device includes: a memory unit to store a lock program for locking the terminal device; a condition checking unit to determine whether the terminal device is in a state of a preset condition for terminal protection when the lock program is executed; a lock control unit to allow the terminal device to be locked by the lock program when the terminal device is determined to be in a state of the preset condition for terminal protection; and an information deleting unit to delete an unlock key for use in unlocking the locked terminal device from the memory unit after the terminal device is locked.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: May 15, 2018
    Assignee: SK TELECOM CO., LTD.
    Inventor: Eungsuk Lee
  • Patent number: 9973480
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: May 15, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Patent number: 9967097
    Abstract: The embodiments herein provide a method for converting data in an electronic device. The method includes determining a plurality of parameters associated with a user and a zone. Further, the method includes generating a key using the plurality of parameters associated with the user and the zone. Further, the method includes converting the data in the electronic device from a first format to a second format using the key. Further, the method includes performing at least one action on the data in the second format.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: May 8, 2018
    Assignee: BRillio LLC
    Inventors: Venkat Kumar Sivaramamurthy, Karthik Gopalakrishnan Vinmani, Renji Kuruvilla Thomas, Puneet Gupta, Gaurav Jain
  • Patent number: 9959016
    Abstract: A method for controlling display of content, the content including a plurality of display pages of a sequence, the method comprising: displaying a first display page on the display screen, receiving a first user input for changing from the first display page to a second display page of the content, the second display page being a neighboring display page of the first display page in the sequence, detecting the second user input when the second display page is a locked display page, extracting the fingerprint information from the second user input when the second user input is detected, and displaying the second display page when the second display page is accessible based on the fingerprint information or a third display page when the second display page is not accessible based on the fingerprint information.
    Type: Grant
    Filed: July 18, 2013
    Date of Patent: May 1, 2018
    Assignee: LG ELECTRONICS INC.
    Inventors: Yongsin Kim, Jihoon Hong, Jin Kim, Kunwoo Lee
  • Patent number: 9946868
    Abstract: A system and associated method for controlling access to features of a device are provided. The system includes a feature access component that maintains an access control register configured to store an access control parameter indicating whether a user has access to a feature of the device. Responsive to receiving a request to modify the access control register to enable or disable access to the feature, an access authentication parameter is set to an authentication key of the request and an access parameter is set to a value of the request (e.g., 1 “Enable”). The access authentication parameter and access parameter are evaluated utilizing an authentication algorithm. Responsive to successfully authenticating the request, the access control register is modified based upon the value of the access parameter, such as to indicate that the user is now authorized to read and/or modify a parameter and/or invoke a service to execute.
    Type: Grant
    Filed: October 12, 2015
    Date of Patent: April 17, 2018
    Assignee: Dresser, Inc.
    Inventors: Vladimir Dimitrov Kostadinov, Xiaoping Jiang, Min Huang
  • Patent number: 9948620
    Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as they leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: April 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Eric L. Barsness, Michael J. Branson, John M. Santosuosso
  • Patent number: 9940401
    Abstract: Sharing content includes classifying content perceived by a sharing user, determining a set of recipient candidates likely to be interested in the content based upon the classification of the content and prior sharing activity of the recipients with respect to content of the same or similar classification, and presenting to the sharing user one or more members of the set of recipient candidates for sharing the content being perceived by the sharing user.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: April 10, 2018
    Assignee: Oath Inc.
    Inventors: David Gang, Brian D. Heikes, John Thomas Love, Janet Hall
  • Patent number: 9917823
    Abstract: In an approach for providing auditable retrieval of privileged credentials in a privilege identity management (PIM) system, a processor invokes a checkout of a PIM credential, based on, at least, a determination that a PIM server cannot be accessed. A processor receives a request to access the PIM credential by a user. A processor receives validation of the request to access the PIM credential and an identity of the user. A processor retrieves the PIM credential from a database, wherein the database stores a plurality of PIM credentials owned by a system owner.
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: March 13, 2018
    Assignee: International Business Machines Corporation
    Inventors: Kelvin K. V. Chin, Chee Meng Low, Vivek Shankar, Edwin B. Soenaryo
  • Patent number: 9912700
    Abstract: Disclosed is a system for escalating security protocol requirements. The system typically includes a processor, a memory, and a security protocol module stored in the memory.
    Type: Grant
    Filed: January 4, 2016
    Date of Patent: March 6, 2018
    Assignee: Bank of America Corporation
    Inventors: Alicia C. Jones-McFadden, Joseph Neil Johansen
  • Patent number: 9906595
    Abstract: Systems and methods for discovering content sources and/or delivering content to applications resident on mobile devices are described. In some embodiments, the systems and methods transmit information identifying one or more applications resident on a mobile device to a server, receive, from the server, information associated with content items available for retrieval from a content server and associated with the identified one or more applications, and cause the mobile device to retrieve at least one of the content items available for retrieval from the content server.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: February 27, 2018
    Assignee: OPANGA NETWORKS, INC.
    Inventors: Ethan Nordness, Jeffrey Paul Harrang, John Burnette, Michelle Miller, Ben Hadorn, Giles Westerfield, Nathan Clark, Linh Nguyen, Cory Gabrielsen, David Gibbons
  • Patent number: 9904802
    Abstract: A system on chip having two or more responder units and two or more protection units is provided. Each of the responder units comprises a set of responder elements. Each of the protection units is associated with and protects one of the responder units and is arranged to provide a group mapping. The group mapping assigns one or more group identifiers to each of the responder elements of the respective responder unit.
    Type: Grant
    Filed: November 23, 2012
    Date of Patent: February 27, 2018
    Assignee: NXP USA, Inc.
    Inventors: Michael Rohleder, Stefan Singer, Manfred Thanner
  • Patent number: 9887836
    Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. In some contexts, the cryptography service, upon receiving a request for a key, provides a referral to another system to obtain the key.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: February 6, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory Branchek Roth
  • Patent number: 9876801
    Abstract: Methods, systems, apparatus, and non-transitory computer readable media are described for identifying users who are likely to have unauthorized access to secure data files in an organizational network. Various aspects may include presenting the identified users on a display for a system administrator and/or security analyst to resolve. For example, the display may include a graph data structure with users represented as nodes and connections between users represented as edges. Each connection may be a pair of users belonging to a same security group. Nodes of the graph data structure may be clustered according to a clustering coefficient. Moreover, the graph data structure display may be organized and color coded in such a manner that a system administrator and/or security analyst may quickly and easily view the users who are most likely to have unauthorized access to secure data files. The authorized access may then be remedied or taken away.
    Type: Grant
    Filed: June 1, 2017
    Date of Patent: January 23, 2018
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Abigail A. Scott, Ronald R. Duehr
  • Patent number: 9871832
    Abstract: A system comprises client devices that include user interfaces that comprise workspaces that can be used to display a live history of a multimedia collaboration session. The workspaces can be private and can be configured to display information representative of media elements that can be shared within the multimedia collaboration session, but that are only viewable to a participant associated with a particular client device. The private workspaces can be used to preview information before publishing it to other participants or to view a live history of the multimedia collaboration session.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: January 16, 2018
    Assignee: Open Invention Network, LLC
    Inventors: Dan Jones, Todd Vernon
  • Patent number: 9848009
    Abstract: Devices, systems, and methods of detecting whether an electronic device or computerized device or computer, is being controlled by a legitimate human user, or by an automated cyber-attack unit or malware or automatic script. The system monitors interactions performed via one or more input units of the electronic device. The system searches for abnormal input-user interactions; or for an abnormal discrepancy between: the input-unit gestures that were actually registered by the input unit, and the content that the electronic device reports as allegedly entered via such input units. A discrepancy or abnormality indicates that more-possibly, or necessarily or certainly, a malware or automated script is controlling the electronic device, rather than a legitimate human user. Optionally, an input-output aberration or interference is injected, in order to check for manual corrective actions that only a human user, and not an automated script, is able to perform.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: December 19, 2017
    Assignee: BioCatch Ltd.
    Inventors: Avi Turgeman, Itai Novick
  • Patent number: 9844096
    Abstract: A mobile terminal and controlling method thereof are disclosed. The present invention includes a touchscreen; a memory configured to store access point (AP) information; a 1st wireless communication unit configured to perform a communication with an AP (access point); and a controller configured to control a user interface for remotely controlling an external device to be displayed on the touchscreen or to be in a displayable state when the AP connected to the 1st wireless communication unit matches the stored AP information.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: December 12, 2017
    Assignee: LG ELECTRONICS INC.
    Inventors: Jiyen Son, Younghoon Song, Choonjae Lee, Minjeong Lee
  • Patent number: 9832174
    Abstract: A method and system for authenticating the pairing of computing devices is described. In an example, a passphrase is established on computing devices. The pairing between two devices is initiated by a first device by communicating independently generated data, wherein the generated data is used along with the passphrase on each of the devices to derive a common pairing key. The pairing is authenticated by using at least a first portion of the common pairing key through a key exchange protocol. Further, a shared secret code is derived using a second portion of the common pairing key and stored to be used indirectly to secure future communication between the paired devices.
    Type: Grant
    Filed: August 11, 2015
    Date of Patent: November 28, 2017
    Assignee: NetApp, Inc.
    Inventors: Craig Everhart, Subhash Sankuratripati
  • Patent number: 9811322
    Abstract: A method for analyzing a program may include obtaining the program and obtaining a points-to analysis that may include points-to tuples. The method may further include obtaining a result of a query based on the program. The method may further include extracting a data-flow trace specification that includes flow tuples. Each flow tuple may include a source variable defined in a first method and a sink variable defined in a second method. The method may further include adding, in a recursive manner until a termination condition is triggered, a trace edge to a data-flow trace graph for each points-to tuple of a list of points-to tuples. The respective points-to tuple and a first flow tuple may be used to form a first points-to tuple that is added to the list of points-to tuples. The list of points-to tuples may be initialized to the result of the query.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: November 7, 2017
    Assignee: Oracle International Corporation
    Inventors: Stepan Sindelar, Padmanabhan Krishnan, Bernhard Scholz, Raghavendra Kagalavadi Ramesh, Yi Lu
  • Patent number: 9805403
    Abstract: Customers seeking to acquire new products or services may need to be authorized for the new products or services. The authorization can depend on customer and product information, as well as on different authorization conditions such as qualification, re-qualification, and eligibility conditions. To efficiently authorize a customer for products or services under different authorization conditions, a table stores authorization rules including flags associating the rules with particular authorization conditions. Hence, among the rules that pertain to authorizing the customer for a product or service, one subset of rules can be associated with one authorization condition while a different subset is associated with another authorization condition. The customer is selectively determined to be authorized for the product or service under an authorization condition when the product or service information and/or the customer information satisfy all of the rules associated with the selected authorization condition.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: October 31, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Agust Kr. Gudmundsson, Edward L. Demaria, Maria Cel Halili Zaballero, Gregory R. Lambros, Mathivanan S. Munikrishnan, Kalyani Devu, Adil Belihomji
  • Patent number: 9800557
    Abstract: Embodiments relate to operating a data processing system. An aspect includes receiving a request for data storage by an application server, said request comprising restricted-access data. Another aspect includes processing the request in the first application server thereby extracting said restricted-access data from the request. Another aspect includes encrypting said restricted-access data with a cryptographic key associated with said privacy regime to a cipher representation. Another aspect includes defining a masking rule relative to the field designated for storage of the cipher representation, the masking rule defining a set of privacy regimes applicable to processing of the restricted-access data. Another aspect includes forwarding the cipher representation and the masking rule to the shared database by a database client.
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: October 24, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Albert Maier, Volker Seemann, Johannes Schuetzner
  • Patent number: 9800606
    Abstract: A computer-implemented method for evaluating network security may include (1) receiving, by a security server, a request to report a network risk score for an organization based on telemetry data describing file downloads at computers managed by the organization over a specified period of time, (2) identifying the telemetry data describing file downloads at the computers managed by the organization over the specified period of time, (3) searching the telemetry data to match file downloads over the specified period of time to at least one file that was previously categorized, prior to the request, as a hacking tool, (4) calculating the network risk score based on the telemetry data, and (5) reporting, automatically by the security server in response to the request, the calculated network risk score. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: November 25, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventor: Leylya Yumer
  • Patent number: 9785488
    Abstract: A method for learning aspects of messages in an industrial control system is provided. The method includes obtaining a plurality of messages. The method includes starting at a first message field, proceeding via recursion to each next message field, and identifying message values at that message field as constant when constant in messages in a group, as random when random in messages in a group, as length when expressive of a shared length of messages in a group, as opcode when correlated with a shared structure of messages in a group, and otherwise as parameter. The method includes subdividing message groups into subgroups according to the identified message values at that message field, with the recursion applied to each subgroup. A method and system for monitoring messages in an industrial control system is provided.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: October 10, 2017
    Assignee: SYMANTEC CORPORATION
    Inventors: Corrado Leita, Marc Dacier
  • Patent number: 9781000
    Abstract: A processing device such as a router or other network device implements a locator-identifier mapping system associating identifiers of respective endpoints with respective locators in accordance with a locator-identifier separation protocol. A first one of the endpoints comprises a storage server associated with a storage array. In conjunction with reconfiguration of the storage server, the locator-identifier mapping system updates a particular one of the locators corresponding to the endpoint identifier of the storage server. The reconfiguration of the storage server may comprise, for example, a migration of the storage server within a given data center, or from a first data center to a second data center. The locator of the storage server illustratively specifies a subnet of the storage server. The processing device may comprise a router operating as at least one of an ingress tunnel router and an egress tunnel router in accordance with the locator-identifier separation protocol.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Suresh Kumar, Kenneth Durazzo, Xiaohong Qin
  • Patent number: 9772834
    Abstract: Embodiments relate to systems and methods for generating exportable encoded identifications of networked machines based on installed package profiles. A physical or virtual client machine can host a set of installed software packages, including operating system, application, and/or other software. A package manager tracks the set of installed packages and updates available for the installed set. The package manager can be configured to capture an inventory of the installed packages, and generate an encoded identification of the entire package complement and/or selected subsets of those packages. In aspects, the encoded identification can be based on a set of attributes of the installed packages and/or their constituent files, such as file names, version numbers, size, and/or other attributes. The encoded identification for the client machine can be transmitted to one or more remote management platforms, such as package servers, network management servers, or others for remote operations on the client machine.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: September 26, 2017
    Assignee: Red Hat, Inc.
    Inventors: Seth Kelby Vidal, James Antill
  • Patent number: 9767297
    Abstract: A computer system with multiple security levels, the system comprising a high-power processing device (130), a low-power processing device (110), and an interface unit (120) comprising functions for moving classified information between the high-power device (130) and the low-power device (110) according to formal rules for confidentiality and/or integrity. Additional security aspects, e.g. availability, may readily be accommodated. A method for implementing multiple levels of security along a number of independent security axes on the system is also disclosed.
    Type: Grant
    Filed: October 25, 2011
    Date of Patent: September 19, 2017
    Assignee: CUPP Computing AS
    Inventor: Omar Nathaniel Ely
  • Patent number: 9734309
    Abstract: Techniques for assigning roles to users within a computing system are described herein. A matrix representation of a probabilistic assignment of roles to users is created based at least in part on existing permissions. The matrix representation is then iteratively perturbed and the resulting perturbation is evaluated using an objective function, with perturbation decisions based at least in part on making the objective function converge to a threshold value. When the solution converges, the resulting assignment matrix may be used to assign roles to users.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: August 15, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Nicholas Alexander Allen
  • Patent number: 9722975
    Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: August 1, 2017
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Li Li, Jerrold Von Hauck
  • Patent number: 9705897
    Abstract: A streaming environment includes at least a first processing element of a first compute node and a second processing element of a second compute node. A tuple encryption operation is determined of the first processing element and the second processing element. The first processing element includes a first encryption key for encrypting the tuples as they leave the first processing element. An encryption workload is measured of the tuple encryption operation of a processing workload of the use of the first encryption key of a transfer of the stream of tuples. A threshold of the tuple encryption operation is determined. The second processing element is migrated to the first compute node and fused to the first compute node with the first processing element. The tuple encryption operation is removed from the first processing element.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: July 11, 2017
    Assignee: International Business Machines Corporation
    Inventors: Eric L. Barsness, Michael J. Branson, John M. Santosuosso
  • Patent number: 9686319
    Abstract: A request related to an access to a network by a first user device may be received. The user device may be included in a plurality of user devices associated with a first first-level security profile assigned to the user. An application extension to an application executing on the first user device may be accessed in response to the request related to the access. A network connectivity file may be provided to the application extension. The network connectivity file may include network configuration information for the first user device. The network configuration information may be associated with a first second-level security profile assigned to the first user device. Instructions to configure the first user device to access the network based at least in part on the network configuration information in the network connectivity file may be provided.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: June 20, 2017
    Assignee: Aerohive Networks, Inc.
    Inventors: Mu Lin, Xu Zou, John William Hanay
  • Patent number: 9654445
    Abstract: Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: May 16, 2017
    Assignee: ProtectWise, Inc.
    Inventors: Eugene B. Stevens, IV, Eric J. Stevens, Benjamin E. Kornmeier, Joshua J. Hollander, Antonis Papadogiannakis
  • Patent number: 9652962
    Abstract: A system includes a first electronic device configured to attach to an industrial machine or one or more areas of an industrial facility. The first electronic device is configured to transmit a signal indicative of a potentially hazardous condition with respect to personnel of the industrial facility. The system also includes a second electronic device communicatively coupled to the first electronic device and configured to attach to a hardhat of the personnel of the industrial facility. The second electronic device is configured to receive the signal from the first electronic device, determine whether a parameter of the signal is above a threshold, and generate an alarm when the parameter of the signal is above the threshold. The alarm is configured to indicate the potentially hazardous condition to the personnel.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: May 16, 2017
    Assignee: General Electric Company
    Inventors: Selaka Bandara Bulumulla, Michael Joseph Dell'Anno, Danijel Maricic
  • Patent number: 9646170
    Abstract: Embodiments for preventing data loss in a business environment are provided. In some embodiments, a secure endpoint file export application assigns users to different classes having different permissions for accessing and writing data. In an embodiment, the system and method are configured to identify a plurality of users in a business environment; classify the plurality of users according to business needs; assign the users to one of at least two classes based on the classification; determine that the first user is permitted to access the data; transmit the secure file to a second user who is permitted to write the data in the secure file to removable media; write the data in the secure file to the removable media; and track a location of the removable media.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: May 9, 2017
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Manu Jacob Kurian, Sorin N. Cismas
  • Patent number: 9639713
    Abstract: Embodiments for preventing data loss in a business environment are provided. In some embodiments, a secure endpoint file export application assigns users to different classes having different permissions for accessing and writing data. In an embodiment, the system and method are configured to identify a plurality of users in a business environment; classify the plurality of users according to business needs; assign the users to one of at least two classes based on the classification; determine that the first user is permitted to access the data; transmit the secure file to a second user who is permitted to write the data in the secure file to removable media; write the data in the secure file to the removable media; and track a location of the removable media.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: May 2, 2017
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Manu Jacob Kurian, Sorin N. Cismas
  • Patent number: 9633184
    Abstract: Systems and techniques are provided for dynamic authorization. A signal may be received from a sensor. A concept may be determined from the signal. The concept may be a location of a computing device, an action being performed with the computing device, an identity of a user of the computing device, or a temporal context for the computing device. A current pattern may be determined from the concept. The current pattern may be matched to a stored pattern. The stored pattern may be associated with a security outcome. The security outcome may be sent to be implemented. A security message may be displayed indicating the security outcome and the part of the stored pattern that was matched to the current pattern. The security outcome may be causing presentation of an authentication prompt or not causing presentation of an authentication prompt.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: April 25, 2017
    Assignee: GOOGLE INC.
    Inventors: Maya Ben Ari, Mayank Upadhyay, Adrian Ludwig, Tal Dayan
  • Patent number: 9633190
    Abstract: Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: April 25, 2017
    Assignee: NuData Security Inc.
    Inventor: Christopher Everett Bailey
  • Patent number: 9626502
    Abstract: A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.
    Type: Grant
    Filed: October 7, 2014
    Date of Patent: April 18, 2017
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Purushottam Goel
  • Patent number: 9628267
    Abstract: Security for network communications is internally generated by an industrial control system (ICS). The ICS is assembled in a known-good environment prior to connecting to another network. While in the known-good environment, one or more components of the ICS auto-negotiate (40) with other components, assigning (42) security tokens. These certificates are used to internally secure communications between the components prior to any connection to other devices and without relying on external provisioning of the security tokens during commissioning (30) of the ICS.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: April 18, 2017
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: John W. Crawford, Harry A. Brian, Jr.
  • Patent number: 9613195
    Abstract: Techniques to facilitate protecting control programs used in an industrial automation environment are disclosed herein. In at least one implementation, control system content provided by a primary entity is received along with a primary security authority provided by the primary entity, wherein the primary security authority defines primary usage rights for the control system content granted to a secondary entity. A secondary security authority provided by the secondary entity is received, wherein the secondary security authority defines secondary usage rights for the control system content that further restrict the primary usage rights. A request is received from a user associated with the secondary entity to perform an action associated with the control system content, and the request is processed with the secondary security authority to determine if the user is authorized to perform the action associated with the control system content based on the secondary usage rights.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: April 4, 2017
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Robert A. Brandt, Clark L. Case, John C. Wilkinson
  • Patent number: 9614851
    Abstract: Accessing a security enabled application may require certain access privileges that are not readily available or associated with the application at the time a user is seeking access via a login operation. In operation, an access attempt to a security enabled application may include identifying user credentials associated with the access attempt, generating a query based on the user credentials to identify whether the user credentials are associated with a predetermined group membership. A response to the query may be received that includes group information corresponding to the user and the group information may be compared to a set of predetermined rules to determine whether the group information includes privilege rules used to grant access to the access attempt.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: April 4, 2017
    Assignee: Open Invention Network LLC
    Inventors: Mark R. Vevle, Nathan Robert Jones
  • Patent number: 9614872
    Abstract: Systems and methods are disclosed that implement a coordinated cyber security program for a power generation plant to establish and/or maintain cyber security controls for the power generation plant through a comprehensive life cycle approach.
    Type: Grant
    Filed: January 10, 2012
    Date of Patent: April 4, 2017
    Assignee: SHEFFIELD SCIENTIFIC
    Inventor: Kevin C. Carter
  • Patent number: 9602480
    Abstract: Systems and techniques for controlling access to data are described. Data is delivered to a repository in such a way that access to the data can be controlled, for example, by encrypting the data before delivery. The power to provide a requester with the ability to gain access to the data is divided, so that multiple entities can provide the requester with a portion of the information needed to gain access to the data. The portions of the information may be partial keys that can be assembled into a complete key. The requester can gain access to the data only if it receives all portions of the information needed to gain access to the data, and different criteria may be used to decide whether or not to provide each portion of the information to the requester.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: March 21, 2017
    Assignee: Nokia Technologies Oy
    Inventor: Zheng Yan
  • Patent number: 9589134
    Abstract: Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: March 7, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Omer Tripp
  • Patent number: 9591012
    Abstract: Systems and methods are presented for receiving, at a server computer, a plurality of request messages to analyze potentially fraudulent electronic communications, each request message of the plurality of request messages comprising an electronic communication.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: March 7, 2017
    Assignee: Viewpost IP Holdings, LLC
    Inventors: Christopher Pierson, Hector Bermudez
  • Patent number: 9563639
    Abstract: An information storing device includes a storage device in which one or more storage areas are generated for storing electronic data therein, wherein in the storage device at least one of first and second processes is set on a storage area basis; a storing part configured to, when the information storing device has received electronic data and a designation of the storage area from one of a plurality of electronic apparatuses, store the received electronic data in the storage area designated by the received designation; and an executing part configured to, when the received electronic data is stored by the storing part, perform the first process on the stored electronic data if the first process is set in the storage area in which said electronic data is stored, and perform the second process using the stored electronic data if the second process is set in the storage area in which said electronic data is stored.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: February 7, 2017
    Assignee: Ricoh Company, Ltd.
    Inventor: Masaki Arai
  • Patent number: 9547635
    Abstract: A collaborative authoring application provides an authoring environment in which two or more users can edit a document concurrently. Each user edits a copy of the document, sends updates to a master copy of the document, and receives updates from the master copy of the document. The authoring environment generally inhibits the users from providing conflicting editing instructions to the master copy of the document. For example, each user can generate a content lock about one or more data units within the document. The authoring environment may synchronize content locks automatically and content only at the request of the user.
    Type: Grant
    Filed: November 6, 2014
    Date of Patent: January 17, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Beckett Bailor, Ethan Joseph Bernstein, Mark Rolland Knight, Christopher James Antos, Andrew Richard Simonds, Brian Michael Jones, Simon Peter Clarke, Edgar Mark Sunderland, David Benjamin Robins, Miko Arnab Sakhya Singha Bose
  • Patent number: 9548966
    Abstract: A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating server. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: January 17, 2017
    Assignee: CLOUDFLARE, INC.
    Inventors: Matthew Browning Prince, Lee Hahn Holloway, Ian Gerald Pye
  • Patent number: 9544140
    Abstract: A hierarchy is defined that includes encryption keys associated with different first and second levels of the hierarchy, where the second level includes fewer of the encryption keys than the first level. The encryption keys of the first level secure a plurality of data objects. The encryption keys of the first level are grouped into key groups that respectively include one or more of the encryption keys of the first level. The one or more of the encryption keys of the first level included in each of the key groups are secured with a respective one of the encryption keys of the second level.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: January 10, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Manish Ramesh Bhatia, Praveen Reddy, Phanikumar Bhamidipati