Abstract: A counterattack method against a hacked node in a controller area network (CAN) bus physical layer includes: setting node IDs (NIDs), which are different unique IDs, for each of a plurality of nodes connected to a CAN bus line; determining that an error frame is generated when at least one of a node using a forged NID, a node using a different NID, and a node using a non-existent NID is found; increasing counts of a transmit error counter (TEC) and a receive error counter (REC) of a transmitting node and a receiving node whenever the error frame is generated; and allowing a node of which the count of the TEC or REC is greater than a set threshold value to enter a bus-off state to block the node.

Abstract: In some implementations, a host processor associated with a vehicle may select, from a plurality of devices that are configured to communicate with the host processor for performing security functions, a first device to serve as a primary device and a second device to serve as a secondary device. The first device may include a first memory with an embedded hardware security module and may be associated with a first set of nodes of the vehicle. The second device may include a second memory with an embedded hardware security module and may be associated with a second set of nodes of the vehicle. The host processor may determine, based on a signal, a failure associated with the first device or the second device. The host processor may initiate a remediation process based on the failure associated with the first device or the second device. Numerous other implementations are described.

Abstract: A set SP(i) of k secure computation apparatuses selected from a set PA of n secure computation apparatuses repeats processing of multiplying a share according to a secret sharing scheme, by power-of-2 number 2?(SP(i)) with the share ?(SP(i)) as an exponent, the share ?(SP(i)) being obtained by secret sharing of ? according to a replicative secret sharing scheme, and redistribution the value obtained in the processing is redistributed into the set SP(i+1) of k secure computation apparatuses selected from the set PA of n secure computation apparatuses. However, the final time is not re-dispersed. Thus, a share of a multiplicative rotation result is obtained. However, the final time is not re-dispersed. Thus, a share of a multiplicative rotation result is obtained.

Abstract: A Hybrid TEE device allows a Trusted Execution Environment (TEE) by incorporating hardware comprising a Cache Purging Controller, a Memory Isolation Gateway, and a Memory Clean Up into a System on a Chip device, a general purpose computing device, or a special purpose or proprietary computing or electronic device. The addition of the hardware enables a method of protecting the Trusted Execution Environment and thus reducing vulnerability to malicious software or other program code.

Abstract: A process includes providing a first signal to a first conductive mesh of a semiconductor package to provide a wireless transmission, and receiving, by a second conductive mesh of the semiconductor package, the wireless transmission to provide a second signal. The process includes determining a signature of the second signal and generating, by a cryptographic security parameter generator of the semiconductor package, a cryptographic security parameter based on the signature.

Abstract: Methods, systems, and devices for secure operating system update are described. A first message including a first value and a request associated with an operating system that is stored in a write-protected area of memory may be transmitted to a server. In response to the first message, a second message including data associated with the operating system, a second value corresponding to the first value, and a signature of the server may be received. The data associated with the operating system may be validated based on the signature of the server and a comparison of the second value and the first value. Based on validating the data associated with the operating system, the data associated with the operating system may be written to the write-protected area of memory.

Abstract: Techniques for controlling data access using machine learning are provided. In one aspect, first, second, and third training data sets are generated from a set of historical access records and a set of historical data records, where the access records correspond to requests for data and comprise information identifying whether the request satisfies one or more data access rules, and the data records correspond to data elements and comprise information identifying whether the data element satisfies the one or more data access rules. One or more machine learning models are trained based on the first, second, and third training data sets to generate an output identifying whether requests for data should be granted.

Abstract: Systems, apparatuses, and computer program products are disclosed for authenticating a user using a knowledge factor identification transaction with a challenge authentication token. An example method includes providing a logon request, wherein the logon request comprises a user identifier received from a user. The example method further includes receiving a challenge sequence and generating a password structure, wherein the password structure is based on a static password received from the user and the challenge sequence. The example method further includes generating a challenge authentication token comprising the user identifier, the password structure, and a client timestamp and providing the challenge authentication token. The example method further includes receiving an authorization decision message, wherein the authorization decision message is indicative of whether the challenge authentication token was verified.

Abstract: Methods for exchanging a predecessor domain registrar for the authentication and configuration of digital certificates of IoT devices with a new registrar. The predecessor registrar and the devices are stored using a blockchain. The method may include: determining by the predecessor the number of nearby attestations needed; entering the new registrar into the blockchain; gathering the attestations of the devices using the new registrar; checking whether the new registrar fulfills the defined number; accepting the technical installation with the new registrar as authentication and configuration entity for the devices; sending voucher requests to the new registrar; forwarding the voucher requests to an authorization authority; checking whether the respective device belongs to the new registrar; and if so, issuing a voucher for the corresponding device using the authorization authority and sending the voucher to the corresponding device.

Abstract: Systems and methods related to flush plus reload cache side-channel attack mitigation are described. An example method for mitigating a side-channel timing attack in a system including a processor having at least one cache is described. The method includes receiving a first instruction, where the first instruction, when executed by the processor, is configured to flush at least one cache line from the at least one cache associated with the processor. The method further includes, prior to execution of the first instruction by the processor, automatically mapping the first instruction to a second instruction such that the at least one cache line is not flushed from the at least one cache even in response to receiving the first instruction.

Abstract: Methods, apparatus, and software for efficient encryption in virtual private network (VPN) sessions. A VPN link and an auxiliary link (and associated sessions) are established between computing platforms to support end-to-end communication between respective application running on the platforms. The VPN link may employ a conventional VPN protocol such as TLS or IPsec, while the auxiliary link comprises a NULL encryption VPN tunnel. To transfer data, a determination is made to whether the data are encrypted or non-encrypted. Encrypted data are transferred over the auxiliary link to avoid re-encryption of the data. Non-encrypted are transferred over the VPN link. TLS and IPsec VPN agents may be used to assist in setting up the VPN and auxiliary sessions. The techniques avoid double encryption of VPN traffic, while ensuring that various types of traffic transferred between platforms is encrypted.

Abstract: A server can receive a device public key and forward the device public key to a key server. The key server can perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using the device public key and a network private key to derive a secret X1. The key server can send the secret X1 to the server. The server can derive an ECC PKI key pair and send to the device the server public key. The server can conduct a second ECDH key exchange using the derived server secret key and the device public key to derive a secret X2. The server can perform an ECC point addition using the secret X1 and secret X2 to derive a secret X3. The device can derive the secret X3 using (i) the server public key, a network public key, and the device private key and (ii) a third ECDH key exchange.

Abstract: The application relates to a method of attesting a state of a computing environment comprising a plurality of components and a plurality of dependency relationships between the plurality of components. The method comprising the steps of A) generating a directed acyclic graph comprising a plurality of nodes and a plurality of directed edges connecting the nodes, comprising and B) generating an attest of the state of the computing environment using the directed acyclic graph. Generating a directed acyclic graph comprises: A1) associating a node with each component; A2) associating a node with each dependency relationship and assigning the node with a hash value of data descriptive of said dependency relationship; A3) connecting, using directed edges—each node associated with a dependency relationship to a node(s) associated with a component(s) included in the respective dependency relationship; and A4) assigning each node with a hash value of all of its subnodes.

Abstract: Configuration item data from information technology resources of an air-gapped network are collected for an information technology configuration management database. The collected configuration item data is filtered using a specified item data property including by automatically identifying a collected information of interest about a discovered information technology asset among the collected configuration item data and irreversibly modifying the collected information of interest about the discovered information technology asset included in the collected configuration item data. Based on a type of content that has been modified in the collected information of interest, a new automatic rule indicating the type of content to be avoided during a future data collection is determined. At least a portion of the filtered collected configuration item data is stored on a portable physical storage medium within the air-gapped network.

Abstract: Disclosed are systems and methods to compare two or more machine learning models to determine the comparative performance of those models. Markers may be assigned to data items and data item marker scores generated for those data items, independent of the machine learning models. Each of the machine learning models to be compared may then process the data items and generate respective model scores for those data items. A sub-set of the data items may then be generated for each machine learning model based on the model scores assigned to the data items by the respective model. A model marker score may then be computed for each machine learning model based on the marker scores assigned to each of the data items of the sub-set of data items determined for each model. Finally, the model marker scores may be compared to determine which machine learning model has the highest performance.

Abstract: Examples described herein relate to offload circuitry comprising one or more compute engines that are configurable to perform a workload offloaded from a process executed by a processor based on a descriptor particular to the workload. In some examples, the offload circuitry is configurable to perform the workload, among multiple different workloads. In some examples, the multiple different workloads include one or more of: data transformation (DT) for data format conversion, Locality Sensitive Hashing (LSH) for neural network (NN), similarity search, sparse general matrix-matrix multiplication (SpGEMM) acceleration of hash based sparse matrix multiplication, data encode, data decode, or embedding lookup.

Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The agent can determine whether to permit the intercepted request by validating the relationship using a policy with rules as well as and determining a trusted owner is among the set of identified owners. The agent can permit the intercepted if the determination is to permit the intercepted request.

Abstract: A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.

Abstract: In order to provide an information matching system achieving an information matching scheme that takes a lower cost and uses secure biometric information, the information matching system includes a concealment apparatus, a decryption apparatus, and a similarity calculating apparatus. The concealment apparatus transmits, to the similarity calculating apparatus, concealed information including information concealing obtained matching information by linear conversion using random numbers. The similarity calculating apparatus calculates, from obtained one or more pieces of registration information and the concealed information received from the concealment apparatus, a concealed similarity which is a value concealing a similarity between the matching information and the registration information, and to transmit the calculated concealed similarity to the decryption apparatus.

Abstract: A method including receiving, at a data distribution platform, a selection of a data package comprising a high fidelity data package. The method also includes filtering, automatically by a filtering application of the data distribution platform, the high fidelity data package to form a marketing data package. Filtering includes removing sufficient data from the high fidelity data package such that the marketing data package is a marketing data package. The method also includes publishing the marketing data package within the data distribution platform.