Patents Examined by Zhe Liu
  • Patent number: 11693966
    Abstract: A method for managing operation of a circuit includes activating a trigger engine, receiving signals from a target circuit, and detecting a hardware trojan based on the signals. The trigger engine may generate a stimulus to activate the hardware trojan, and the target circuit may generate the received signals when the stimulus is generated. The trigger engine may be a scan chain which performs a circular scan by shifting bit values through a series of flip-flops including a feedback path. The target circuit may be various types of circuits, including but not limited to a high-speed input/output interface. The hardware trojan may be detected based on bit-error rate information corresponding to the signals output from the target circuit.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: July 4, 2023
    Assignee: NXP B.V.
    Inventor: Jan-Peter Schat
  • Patent number: 11675899
    Abstract: Aspects include circuitry that includes a first global generation counter (GGC) that is increased upon decoding of a branch instruction and a second GGC that is increased upon a completion of the branch instruction. Upon a triggered rollback, the first GGC is reset. The circuitry also includes a generation tag memory associated with a register that receives loads during a side-channel attack which is set to the first GGC upon a first load, and a determination unit to determine, for a second load from an address depending on the register of the first load, a generation tag value associated with the register of the second load as a function of the first GGC, the second GGC, and the generation tag value associated with the register of the first load. A wait queue is configured to block the second load, if the generation tag is larger than the second GGC.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: June 13, 2023
    Assignee: International Business Machines Corporation
    Inventors: Christian Borntraeger, Jonathan D. Bradbury, Martin Recktenwald, Anthony Saporito
  • Patent number: 11671434
    Abstract: User behavior data of multiple users is acquired, and multiple user eigenvalues of user behavior data of each user under preset multiple user behavior dimensions are extracted. A user eigenvector of each user is determined based on the multiple eigenvalues of this user. Multiple user classes are obtained by clustering the user eigenvectors of multiple users through a preset clustering algorithm. A central vector of each user class is determined based on the user eigenvectors included in this user class. A difference eigenvector of each user class is determined, wherein a distance between the difference eigenvector and a central vector of an aggregation class to which the difference eigenvector belongs is not within a preset distance range. A user characterized by the difference eigenvector is determined as an abnormal user.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: June 6, 2023
    Assignee: New H3C Security Technologies Co., Ltd.
    Inventor: Chengjie Gu
  • Patent number: 11593510
    Abstract: Systems, methods, and non-transitory computer-readable media can determine a first dataset provided by a first party, wherein the first dataset includes a set of vectors that are each associated with a user identifier. A second dataset provided by a second party can be determined, wherein the second dataset includes a set of vectors that are each associated with a user identifier. One or more vectors in the first dataset can be matched to vectors in the second dataset based on a secure multi-party computation without revealing respective graph information of the first party or the second party. Respective mappings between vectors in the first dataset to a set of shared universal identifiers can be provided to the first party. Respective mappings between vectors in the second dataset to the set of shared universal identifiers can be provided to the second party.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: February 28, 2023
    Assignee: Meta Platforms, Inc.
    Inventors: Andrew Knox, Michael Randolph Corey, William Patrick Hesch, Erik Taubeneck
  • Patent number: 11568071
    Abstract: An information provision apparatus includes a memory configured to store personal data for each user, and a processor coupled to the memory and configured to in response to receiving a request for first personal data of a first user from a terminal device, determine difference between first data stored in the memory as the first personal data at a first time of receiving the request and second data stored in the memory as the first personal data at a second time before the first time, provision of the second data being permitted, perform, in accordance with the difference, determination of whether provision of the first data is permitted, and when it is determined that the provision of the first data is permitted, transmit the first data to the terminal device.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: January 31, 2023
    Assignee: FUJITSU LIMITED
    Inventors: Takao Ogura, Hisashi Kojima
  • Patent number: 11546348
    Abstract: A system may be disclosed in the present disclosure, comprising: an interface service unit configured to perform at least one of sending data to or receiving data from one or more users via a user interface; and a transmission unit including: a blockchain adaptor configured to transmit data to a plurality of different types of blockchains, via a blockchain interface, according to data format and communication mode requirements of each of the plurality of different types of blockchains and a transmission controller configured to trigger a smart contract running on a blockchain of the plurality of different types of blockchains via the blockchain interface, and control a data transmission under instructions from the smart contract, wherein the data transmission is based on data received from the user interface.
    Type: Grant
    Filed: May 12, 2019
    Date of Patent: January 3, 2023
    Assignee: Silver Rocket Data Technology (Shanghai) Co., Ltd.
    Inventors: Jia Li, Yi Yuan, Xiaoliang Pan, Qing Yan
  • Patent number: 11494486
    Abstract: Described is a system for continuously predicting and adapting optimal strategies for attacker elicitation. The system includes a global bot controlling processor unit and one or more local bot controlling processor units. The global bot controlling processor unit includes a multi-layer network software unit for extracting attacker features from diverse, out-of-band (OOB) media sources. The global controlling processing unit further includes an adaptive behavioral game theory (GT) software unit for determining a best strategy for eliciting identifying information from an attacker. Each local bot controlling processor unit includes a cognitive model (CM) software unit for estimating a cognitive state of the attacker and predicting attacker behavior. A generative adversarial network (GAN) software unit predicts the attacker's strategies.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: November 8, 2022
    Assignee: HRL LABORATORIES, LLC
    Inventors: Hyun (Tiffany) J. Kim, Rajan Bhattacharyya, Samuel D. Johnson, Soheil Kolouri, Christian Lebiere, Jiejun Xu
  • Patent number: 11470060
    Abstract: A handshake message includes a field containing random data that is filled with data used to derive keying material on the source and destination computers. The data may be elliptic curve data and may include a representation of the data used by the destination computer to verify that elliptic curve data is present. The data may additionally include data for deriving second keying material on a second destination computer that the first destination computer forwards to the second computer, receives a response, and returns data from the response as part of its own handshake message.
    Type: Grant
    Filed: December 5, 2019
    Date of Patent: October 11, 2022
    Assignee: Twingate, Inc.
    Inventors: Eugene Lapidous, Swair Mehta, Maxim Molchanov, Eduardo Panisset
  • Patent number: 11449605
    Abstract: A computer-implemented method for detecting a security status of a computer system may include: in response to satisfaction of a predetermined trigger condition associated with an electronic application installed on a memory of the computer system, performing a security check process on the computer system; in response to the security check process determining that a security status of the computer system is currently compromised, performing a first security action; and in response to the security check process determining that the security status is formerly compromised, performing a second security action.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: September 20, 2022
    Assignee: Capital One Services, LLC
    Inventor: Jon Whitmore
  • Patent number: 11416617
    Abstract: There is disclosed a computing/data processing device comprising: a plurality of computing units, each computing unit comprising a computing resource; the computing device comprising at least three computing units, each computing unit comprising a/the same computing resource; each computing unit further comprising a computing unit access manager, each unit access manager being adapted to control access to the computing resource of the respective computing unit in response to at least one request; wherein, the computing unit access manager only allows a response to the at least one request if a majority of the computing units provide a same response to the at least one request; and wherein, the computing device comprising a network-on-a-chip, is provided on a chip and/or comprises an integrated chip (IC) or microprocessor. The IC beneficially comprises a Field-Programmable Gate Array (FPGA) device.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: August 16, 2022
    Assignee: Université du Luxembourg
    Inventors: Marcus Völp, Paulo Esteves-Veríssimo, Jérémie Decouchant, Vincent Rahli, Francisco Rocha
  • Patent number: 11388004
    Abstract: A system for preventing an excess user authentication token utilization condition in an enterprise computer environment, the system including an excess user authentication token utilization condition predictor operable for calculating a number of additional group memberships of each of the enterprise users that can be expected to result in an excess user authentication token utilization condition, a group membership estimator operable, for each of the enterprise users, for estimating a number of additional group memberships of the enterprise user that will be created by an anticipated activity, and an anticipated excess user authentication token utilization condition alerter operable, before initiation of the anticipated activity, for providing an alert if the anticipated activity can be expected to result in an excess user authentication token utilization condition.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: July 12, 2022
    Assignee: VARONIS SYSTEMS, INC.
    Inventors: Yakov Faitelson, Ophir Kretzer-Katzir
  • Patent number: 11372964
    Abstract: A method and system for generating an encrypted and authenticated message for authenticating a first component of an electronic device as the originator of the message are disclosed. The method and system comprise encrypting a block of information based on a key associated with a second component of the electronic device to generate an encrypted block of information; accessing, from a memory of the first component, a previous version of a dynamic unique key, the previous version of the dynamic unique key being at least partially based on an original unique key; generating a current version of the dynamic unique key based on the previous version of the dynamic unique key; generating a message authentication code based on the encrypted block of information and the current version of the first dynamic unique key; and transmitting, to the second component, the encrypted block of information and the message authentication code.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: June 28, 2022
    Assignee: Apple Inc.
    Inventor: Julien Ollivier
  • Patent number: 11362829
    Abstract: According to an aspect, there is provided a first node for use in a system, wherein the first node is configured to determine a plurality of keys for enabling a computation by a plurality of worker nodes in the system, wherein the computation comprises a plurality of computation parts, wherein the plurality of computation parts comprises one or more types of computation part, and wherein an output from one computation part to another computation part is a shared block; and publish the determined plurality of keys for access by at least one input node in the system, the plurality of worker nodes, and at least one recipient node in the system; wherein the plurality of keys comprises a computation part prove key for each part of the computation; a computation part verification key for each part of the computation; a shared block commitment generation key for each shared block; an input commitment generation key for each input node and computation part combination; and an output commitment generation key for each
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: June 14, 2022
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventor: Meilof Geert Veeningen
  • Patent number: 11349646
    Abstract: Systems and methods for automatically disseminating a private key are presented. A first message requesting a key proxy instance is received from a first user device. The first message comprises a first symmetric key. A key proxy server is directed to allocate a key proxy instance for communication with the first user device based on a device public key that corresponds to the first user device. A unique URL corresponding to the key proxy instance is received from the key proxy server. A second message comprising the unique URL is sent to the first user device. The second message is encrypted using the first symmetric key and signed using a server private key. A third message comprising the URL of the key proxy instance is received from the first user device and forwarded to a second user device.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: May 31, 2022
    Assignee: Berryville Holdings, LLC
    Inventors: Christopher Edward Delaney, Chava Louis Jurado, Carl Bailey Jacobs, Jeremiah MacDonald, Michael Vincent Chest, Walter Adeyinka Ademiluyi
  • Patent number: 11316667
    Abstract: A network device may identify a plurality of security policies associated with the network device. The network device may generate respective sets of local key pairs for the plurality of security policies, wherein the respective sets of local key pairs are to facilitate negotiating security associations involving the network device. The network device may store the respective sets of local key pairs in a key data structure of the network device to permit the network device to provide, to a source device, a local public key for a security association with the source device.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: April 26, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Pavan Gururaj Katti, Veerabhushan K. Hatte
  • Patent number: 11310035
    Abstract: Securing at rest data on a cloud hosted server includes, for each cloud hosted instance of a computer program, creating a key encrypted key (KEK) using a unique customer master key (CMK) corresponding to the instance, but only an encrypted form of the KEK is persisted in a database for the corresponding instance whereas the unencrypted KEK is retained in memory of the encryption process only. Thereafter, in response to a request to persist data by a corresponding instance of the computer program, a data key (DK) is randomly generated and encrypted with the KEK in memory for the corresponding instance. The data itself also is encrypted with the DK and an envelope with the encrypted DK and the encrypted data returned to the requestor, thus ensuring that the data and the encryption keys are never moved or persisted in an un-encrypted form.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: April 19, 2022
    Assignee: Google LLC
    Inventor: Shaunak Mistry
  • Patent number: 11303670
    Abstract: Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: April 12, 2022
    Assignee: CA, Inc.
    Inventor: Candid Alex Wueest
  • Patent number: 11283626
    Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: March 22, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Gang Lian, Sampo Sovio, Taisheng Deng, Xiaopu Wang, Zongbo Ye
  • Patent number: 11218456
    Abstract: A vehicle-oriented service providing system includes an in-vehicle device and configured to receive commands applied to a control device inside the vehicle, a vehicle information server configured to transmit the commands to the in-vehicle device, and a push information server configured to mediate the transmission of the commands from the vehicle information server to the in-vehicle device. In the commands, a security level prescribed in advance for each of the commands is set. The vehicle information server performs encryption corresponding to the security level on the commands, and requests the push information server for transmission. The in-vehicle device is configured to wait for commands from the push information server. The in-vehicle device is configured to decrypt the received encrypted commands, and solely when encryption corresponding to a security level equal to or higher than the security level set in advance in the commands is performed, execute the commands.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: January 4, 2022
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Masashi Nakagawa
  • Patent number: 11184180
    Abstract: To revoke a digital certificate (160p), activation of the digital certificate is blocked by withholding an activation code from the certificate user (110). The certificates are generated by a plurality of entities (210, 220, 838) in a robust process that preserves user privacy (e.g. anonymity) even in case of collusion of some of the entities. The process is suitable for connected vehicles, e.g. as an improvement for Security Credential Management System (SCMS).
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: November 23, 2021
    Assignees: LG ELECTRONICS, INC., UNIVERSITY OF SAO PAULO
    Inventors: Marcos A. Simplicio, Jr., Eduardo Lopes Cominetti, Harsh Kupwade Patil, Jefferson E. Ricardini, Marcos Vinicius M. Silva