Abstract: A system for securing control plane traffic in a sliced communication network that is adapted to run a plurality of network functions includes a plurality of security guards, each placed at an edge of an internal security zone, wherein the internal security zone is formed by grouping one or more network functions. Each security guard is configured to receive an incoming message from a requestor external to corresponding internal security zone and validate the extracted information against each other, and against a service specification policy for the communication network, and against threat intelligence analytics data. Each security guard is configured to compute one or more risk scores indicating risk perception or incidence of attack for its associated internal security zone and to initiate one or more attack preventive measures if a computed risk score exceeds a predetermined threshold. such as modifying or correcting or dropping the incoming message.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method includes, at a network node, receiving a service request message from a service consumer network function and extracting, from the received service request message, an access token that includes a consumer network function instance identifier identifying the service consumer network function. The method further includes determining, using the consumer network function instance identifier, that an allowed ingress message rate associated with the service consumer network function has been reached or exceeded and in response to determining that the allowed ingress message rate associated with the service consumer network function has been reached or exceeded, performing a message rate limiting action.

Abstract: Systems and methods for enhanced hash transforms are disclosed. In particular embodiments, biometric data is concatenated with non-biometric data for generating a fixed-sized vector, and furthermore performing various permutations and projections on the vector. The resulting vector may be stored in a registry, and a corresponding key may be generated and provided to the user associated with the biometric data. The hash transformation may be a lossy process, such that the resulting hash includes less bytes than the initial biometric data, and a hash reversal fails to generate an exact copy of the original biometric data.

Abstract: The disclosure provides systems and processes for applying neural networks to detect intrusions and other anomalies in communications exchanged over a data bus between two or more devices in a network. The intrusions may be detected in data being communicated to an embedded system deployed in vehicular or robotic platforms. The disclosed system and process are well suited for incorporation into autonomous control or advanced driver assistance system (ADAS) vehicles including, without limitation, automobiles, motorcycles, boats, planes, and manned and un-manned robotic devices. Data communicated to an embedded system can be detected over any of a variety of data buses. In particular, embodiments disclosed herein are well suited for use in any data communication interface exhibiting the characteristics of a lack of authentication or following a broadcast routing scheme—including, without limitation, a control area network (CAN) bus.

Abstract: A deep-learning based method evaluates similarities of entities in decentralized identity graphs. One or more processors represent a first identity profile as a first identity graph and a second identity profile as a second identity graph. The processor(s) compare the first identity graph to the second identity graph, which are decentralized identity graphs from different identity networks, in order to determine a similarity score between the first identity profile and the second identity profile. The processor(s) then implement a security action based on the similarity score.

Abstract: An apparatus comprising: a unit configured to verify whether a first region that specifies a verification range of a first boot code and a second region that specifies a verification range of a second boot code have been altered; a unit configured to, when the first region has not been altered, verify whether the first boot code has been altered; a unit configured to, when the first boot code has been altered and the second region has not been altered, verify whether the second boot code has been altered; and a unit configured to, when the second boot code has not been altered, restore the first boot code using the second boot code, wherein the first and second regions are regions that are not rewritten after a start of the apparatus.

Abstract: According to an embodiment, a number-theoretic transform processing apparatus for a noise in lattice-based cryptography includes a processor configured to perform number-theoretic transform of the noise using a precomputation table including a combination of products of one or more elements that belong to a subspace of a finite field Zq and indicate coefficients of the noise, with one or more number-theoretic transform constants.

Abstract: Systems and methods are described for delivering messages from one or more service hosts to clients via a network. A first request identifying the client is received at the message server, and a connection is established and maintained between the message server and the client in response to the first request. When a subsequent request that identifies the client is received from the service host, a message is transmitted from the message server to the client over the previously-established connection. The methods and techniques may be used, for example, to provide messages from various services to placeshifting devices or other clients communicating via the network.

Abstract: A multi-tenant system sends jobs for execution on a secondary platform such as a cloud based platform. The multi-tenant system sends tenant data for multiple tenants to the secondary platform. The multi-tenant system obtains job-level credentials from the secondary platform, for example, security tokens that provide access to tenant data for a fixed length of time. The multi-tenant system uses the job-level credentials for enforcing tenant level data isolation for jobs executed on the secondary platform. This ensures that the jobs executing on the secondary platform do not access, modify, or delete data of tenants not related to the job.

Abstract: A computer includes a memory and a processor programmed to execute instructions stored in the memory. The instructions include identifying a function in a binary file, assigning one of a plurality of classifications to the function, and determining that the function requires stack cookie protection based at least in part on the classification assigned to the function.

Abstract: An exemplary random number generation system leverages the r includes at least one solar power panel of a solar power system, at least one sensor and a random number generator. The sensor senses one or more output parameters (e.g., voltage or current) from the solar power system and provides the sensed parameter to the random number generator, which uses the sensed parameter to generate a number that is truly random (i.e., is not deterministic). As an example, the random number generator may receive multiple samples of the measured parameter and generate a random number based on a difference of the multiple samples. If desired, the random number generator may include an algorithm to remove biasing in the random number.

Abstract: Various embodiments relate to a method for multiplying a first and a second polynomial in a ring q [X]/(Xn+1) where q is a positive integer.

Abstract: Example methods are provided to for automated determination of a minimal set of privileges that are required to execute a workflow in a virtualized computing environment. While the workflow is being executed, interactions with a user interface are recorded. The interactions include application program interface (API) calls. The method identifies the privileges that are used to execute the API calls, and the identified privileges are combined to form the minimal set of privileges. A model is generated that associates the minimal set of privileges to the workflow, and the model is applied to determine the privileges to assign to users that will be performing the same workflow.

Abstract: Technologies are provided for clockless physically unclonable functions (PUFs) in reconfigurable devices. Embodiments of the disclosed technologies include processing circuitry configured to perform numerous operations. The operations can include receiving a challenge continuous pulse signal, and generating a response continuous pulse signal by iteratively extending the challenge continuous pulse signal in time-domain. In some configurations, the iteratively extending includes generating a next continuous pulse signal by operating on a prior continuous pulse signal according to a stretching function, and generating a second next continuous pulse width signal by operating on the next continuous pulse signal according to a folding function.

Abstract: A security threat detection system is used to monitor the physical resource usage of a hosted application in a PaaS service in order to detect anomalous behavior indicative of a security threat. The system analyzes the historical usage of the application's physical resources in order to determine the normal range of consumption of a resource by the application. A security threat alert is then provided when the application's resource consumption exceeds the normal range of consumption.

Abstract: A system, method, and computer-readable storage medium provide single sign-on (SSO) in a nested virtualization environment by routing authentication tokens received from an authentication server through the hierarchy of virtual machines (VMs) using secure data communications tunnels between each hypervisor and its respective VMs. A key store stores SSO authentication tokens for users of the nested VMs, and a key controller ensures that each login by a user to a separate VM is associated with its own token. Each login request is uniquely tagged to identify the particular VM requesting credentials, so that the responsive authentication token can be properly routed through the hierarchy. Moreover, session preferences may be associated with each user and/or each VM, enabling a rules evaluator to determine, for each login request, whether SSO functionality should be provided or whether the user should be required instead to provide new login credentials.

Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.

Abstract: A processing system includes a branch prediction structure storing information used to predict the outcome of a branch instruction. The processing system also includes a register storing a first identifier of a first process in response to the processing system changing from a first mode that allows the first process to modify the branch prediction structure to a second mode in which the branch prediction structure is not modifiable. The processing system further includes a processor core that selectively flushes the branch prediction structure based on a comparison of a second identifier of a second process and the first identifier stored in the register. The comparison is performed in response to the second process causing a change from the second mode to the first mode.

Abstract: A method for executing a cryptographic operation is provided comprising acts comprising: (i) sampling a first polynomial, wherein one or more (e.g., one, some and/or all) coefficients of the first polynomial are determined; (ii) sampling a second polynomial, wherein a selection of k coefficients of the second polynomial is determined; (iii) multiplying the first polynomial with the second polynomial to determine a result; and (iv) using the result of the multiplication in the cryptographic operation. A security device arranged to perform one, some and/or all of the acts is provided.

Abstract: A computing device and method of controlling access to a computing device. An application to be used when the computing device is in a locked state is selected, wherein in the locked state, only use of the selected application is permitted. The computing device enters the locked state. Use of the selected application without unlocking the computing device is allowed.