Patents Examined by Monjour Rahim
  • Patent number: 10193927
    Abstract: Systems and methods for relocating executable instructions to arbitrary locations are described, in which the relocation of the instructions may be arbitrary or random, and may operate on groups of instructions or individual instructions. Such relocation may be achieved through hardware or software, and may use a virtual machine, software dynamic translators, interpreters, or emulators. Instruction relocation may use or produce a specification governing how to relocate the desired instructions. Randomizing the location of instructions provides defenses against a variety of security attacks. Such systems and methods may provide many advantages over other instruction relocation techniques, such as low runtime overhead, no required user interaction, applicability post-deployment, and the ability to operate on arbitrary executable programs.
    Type: Grant
    Filed: February 27, 2013
    Date of Patent: January 29, 2019
    Assignee: University of Virginia Patent Foundation
    Inventors: Jason D. Hiser, Anh Nguyen-Tuong, Michele Co, Jack W. Davidson
  • Patent number: 10165005
    Abstract: Systems, methods, and other embodiments are disclosed for data-driven user authentication misuse detection. In one embodiment, for each of multiple authentication attempts to a computing device by a user via user authentication log messages: user authentication log data having user attribute values is collected; the user authentication log data is transformed into a tracer data structure having the user attribute values organized in a common format; the tracer data structure is augmented with timestamp data to generate an event data structure, where the timestamp data represents a time at which the user authentication log data is observed by the computing device; a user behavior model filter, representing account usage patterns of the user, is updated based at least in part on the event data structure. A malicious authentication attempt to the computing device by a malicious user is detected based on, at least in part, the user behavior model filter.
    Type: Grant
    Filed: September 7, 2016
    Date of Patent: December 25, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Aleksey M. Urmanov, Alan P. Wood
  • Patent number: 10154035
    Abstract: Systems and methods for controlling access to multiple applications on a computing device are provided. One embodiment of a system includes an access device configured to: receive a request to access a first application and a device identifier; authenticate the user using a user credential associated with the user and store the device identifier in association with a login identifier in response to authentication of the user. The access device can be further configured to receive a request to access a second application and the device identifier. The access device can allow access to the second application based on the previous authentication of the user.
    Type: Grant
    Filed: July 7, 2016
    Date of Patent: December 11, 2018
    Assignee: Open Text SA ULC
    Inventor: Simon Dominic Copsey
  • Patent number: 10148620
    Abstract: Methods and systems are provided for creation and implementation of firewall policies. According to one embodiment, a firewall maintains a log of observed network traffic flows. An administrator may request the firewall to generate a customized report based on the logged network traffic by extracting information from the log based on specified report parameters. The report includes aggregated network traffic items and one or more corresponding action objects. Responsive to receipt of a directive to implement an appropriate firewall policy for one or more network traffic items based on interaction with one or more action objects by the administrator, the firewall then automatically defines and establishes an appropriate firewall policy.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: December 4, 2018
    Assignee: Fortinet, Inc.
    Inventor: Jun Yin
  • Patent number: 10135615
    Abstract: Systems and methods for providing assistance for performing a physically unclonable function (PUF) are provided. Disclosed systems can include a PUF bitcell including at least two voltage-compensated proportional-to-absolute (PTAT) generators, each of which can be configured to generate a first voltage and a second voltage that is different from the first voltage by a voltage difference. The voltage difference can be resistant to temperature variations and variations, if any, in the supply voltage. The system can further include a comparator, which can be electrically coupled to each of the at least two PTAT generators, and can be configured to receive the first voltage and the second voltage generated therefrom, determine a polarity of each of the voltage differences, and generate a random bit.
    Type: Grant
    Filed: May 11, 2016
    Date of Patent: November 20, 2018
    Assignee: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK
    Inventors: Mingoo Seok, Jiangyi Li
  • Patent number: 10095890
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Grant
    Filed: November 1, 2016
    Date of Patent: October 9, 2018
    Assignee: SOCIONEXT INC.
    Inventors: Seiji Goto, Jun Kamada, Taiji Tamiya
  • Patent number: 10097344
    Abstract: A method for generation of blocks for a partitioned blockchain includes: storing blocks comprising a partitioned blockchain, wherein each block includes a header and transaction entries; receiving transaction data entries for each of a plurality of subnets; generating a hash value of the header included in the most recently added block; generating a new block header, the new block header including the generated hash value, a timestamp, and a sequence of pairs including a pair for each of the plurality of subnets, each pair including a subnet identifier associated with the respective subnet and a merkle root of each of the transaction data entries received for the respective subnet; generating a new block, the new block including the generated new block header and the transaction data entries for each of the plurality of subnets; and transmitting the new block to a plurality of nodes associated with the partitioned blockchain.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: October 9, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Steven Charles Davis
  • Patent number: 10089116
    Abstract: A secure start system for an autonomous vehicle (AV) can include a compute stack and a communications router. The communications router can include an encrypted router drive and an input interface to receive a boot-loader that includes a basic decryption key to decrypt the encrypted router drive and enable network communications with a backend system. The secure start system can utilize a tunnel key from the backend system to establish a private communications session with a backend data vault, and retrieve a set of decryption keys from the backend data vault, via the private communications session, to decrypt a plurality of encrypted drives of the AV.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: October 2, 2018
    Assignee: Uber Technologies, Inc.
    Inventors: Christopher Valasek, Charles Miller
  • Patent number: 10091079
    Abstract: A chipset including one or more system-on-chips. The chipset includes a memory-mapped device, an Ethernet interface, and a remote management controller. The memory-mapped device includes a test access port and is configured to access a register based on an address of a memory corresponding to the register. The Ethernet interface is configured to receive Ethernet frames transmitted over an Ethernet network. One or more of the Ethernet frames are received from a host device. The one or more of the Ethernet frames are received to test the one or more system-on-chips. The remote management controller is coupled to the test access port. The remote management controller is configured to, based on the one or more of the Ethernet frames, remotely control operation of the memory-mapped device or another device in the one or more system-on-chips, and restrict (a) testing of the one or more system-on-chips or the memory-mapped device, and (b) access by the host device to the register.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: October 2, 2018
    Assignee: Marvell World Trade Ltd.
    Inventor: Thomas Kniplitsch
  • Patent number: 10084800
    Abstract: Systems, methods, and software for operating a content delivery node to monitor requests for content transferred by at least an end user device to detect when the requests comprise an attack on the content delivery node. Responsive to detecting the attack on the content delivery node, the content delivery node establishes a rate limit in the content delivery node on at least the requests for the content associated with the end user device, and transfers an indication of the attack comprising the rate limit for delivery to another content delivery node that directs the other content delivery node to apply the rate limit to further requests for the content before the further requests are received by the other content delivery node.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: September 25, 2018
    Assignee: Fastly, Inc.
    Inventors: Artur Bergman, Tyler McMullen
  • Patent number: 10084846
    Abstract: A system for viewing at a client device a series of three-dimensional virtual views over the Internet of a volume visualization dataset contained on centralized databases employs a transmitter for securely sending volume visualization dataset from a remote location to the centralized database, more than one central data storage medium containing the volume visualization dataset, and a plurality of servers in communication with the centralized databases to create virtual views based on client requests. A resource manager load balances the servers, a security device controls communications between the client device and server and the resource manager and central storage medium. Physically secured sites house the components. A web application accepts at the remote location user requests for a virtual view of the volume visualization dataset, transmits the request to the servers, receives the resulting virtual view from the servers, and displays the resulting virtual view to the remote user.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: September 25, 2018
    Assignee: AI VISUALIZE, INC.
    Inventor: Kovey Kovalan
  • Patent number: 10083291
    Abstract: In one embodiment, a security provisioning service automatically establishes trust in a device. Upon receiving a provisioning request, a security provisioning service identifies a verification item that is associated with the provisioning request. The security provisioning service performs one or more verification operations based on the provisioning request to determine whether the provisioning request is authorized. If the provisioning request is authorized, then the provisioning service establishes a verifiable identification for the device that is assured by the secure provisioning service and then executes the provisioning request. By automatically performing the verification operations to establish trust in the device, the provisioning service eliminates manual identification assurance operations that are performed as part of a conventional security provisioning process.
    Type: Grant
    Filed: February 24, 2016
    Date of Patent: September 25, 2018
    Assignee: VERISIGN, INC.
    Inventors: Stephen D. James, Andrew Fregly, Andrew Cathrow
  • Patent number: 10083277
    Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: September 25, 2018
    Assignee: Intertrust Technologies Corporation
    Inventors: W. Knox Carey, Jarl A. Nilsson, Bart Grantham
  • Patent number: 10078761
    Abstract: Disclosed herein is a system to validate information about a user, or users, derived from publicly-accessible data. The system comprises a validation system that uses private data about the user to validate the user information derived from the publicly-accessible data. The validation system may receive a validation request in connection with an inconclusive result derived from the publicly-accessible data.
    Type: Grant
    Filed: October 10, 2016
    Date of Patent: September 18, 2018
    Assignee: OATH INC.
    Inventors: Varun Bhagwan, Patrick Mason, Ashutosh Singh, Jaikit Savla, Rahul Teotia, Ramachandran Natarajan Iyer
  • Patent number: 10061926
    Abstract: A method and system for unlocking and deleting a file or a folder. The method for unlocking the file or the folder comprises: receiving an unlock request of a file or a folder, wherein the unlock request includes an input parameter; verifying whether the input parameter complies with a preset condition; if the input parameter complies with the preset condition, correcting a deformed path format of the file or the folder and/or the special file name of the file or the special folder name of the folder according to a preset rule; determining whether restrictive setting of the corrected file or folder is present; and if yes, cleaning the restrictive setting of the file or the folder.
    Type: Grant
    Filed: August 17, 2015
    Date of Patent: August 28, 2018
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Wenbin Zheng, Yu Wang
  • Patent number: 10057216
    Abstract: In some embodiments of the invention a method provides for processing a mention in textual content being input to a content provider. The method can include detecting input by a user of the content provider of the mention and identifying a member of a mention provider such as a social network based on the mention while maintaining privacy of information about the member with respect to the content provider. In some embodiments a computer program product for processing the mention includes a computer readable storage medium having program instructions embodied therewith. In some embodiments of the invention, a system for processing the mention includes a computer system readable media with a program module embodied therewith to detect the mention in the textual content as provided to a content provider. A network adapter with the system can provide the program module or program modules over a network.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: August 21, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jonathan F. Brunn, Vincent Burckhardt, Ryan A. Davis, Claudio Procida
  • Patent number: 10050981
    Abstract: The present disclosure is directed to attack detection through signal delay monitoring. An example system may comprise at least one device including a physical interface. At least one signal delay monitor may determine whether a signal being transmitted to the device is received as expected at the physical interface and indicate a potential attack when the signal is determined to not be received as expected. Determining whether the signal is received as expected may include determining whether the signal is received within a window defining a time period in which receipt of the signal is expected. An example signal monitor may comprise at least a new data reception monitoring module and an expected reception window monitoring module. These modules may include logic to determine whether the signal is received within the window. An indication of a potential attack may trigger, for example, security-related actions in the system.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: August 14, 2018
    Assignee: Intel Corporation
    Inventors: Eugene Kishinevsky, Siddhartha Chhabra
  • Patent number: 10038713
    Abstract: In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: July 31, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Javier Cruz Mota, Andrea Di Pietro
  • Patent number: 10037441
    Abstract: An apparatus includes a processor and a bus encryption unit. The processor is configured to communicate information over a secured data bus, and to communicate respective addresses over an address bus. The bus encryption unit is configured to generate an encryption key based on multiple addresses that appeared on the address bus, and to encrypt the information communicated between the processor and the secured data bus with the encryption key.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: July 31, 2018
    Assignee: WINBOND ELECTRONICS CORPORATION
    Inventors: Uri Kaluzhny, Nir Tasher
  • Patent number: 10033717
    Abstract: The present invention provides a terminal single sign-on configuration, authentication method, and system. The terminal single sign-on authentication method includes obtaining VPN login information for accessing a private virtual network, where the application service system is installed on a mobile terminal; and uploading the VPN login information to a server for verification. When the VPN login information is successfully verified, a recorded script associated with the VPN login information is obtained from the server, the recorded script containing a plurality of operations and login parameters corresponding to input controls in a user interface of the application service system for authentication. The method further includes, according to the recorded script, automatically replaying the plurality of operations to input the login parameters to the corresponding input controls in the user interface, such that an authentication process for the application service system is completed automatically.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 24, 2018
    Assignee: SANGFOR TECHNOLOGIES INC.
    Inventors: Shican Wang, Jianxin Qian, Shizhi Huang