Patents Examined by Abdullah Almamun
-
Patent number: 11822676
Abstract: Example methods are provided for automated determination of a minimal set of privileges that are required to execute a workflow in a virtualized computing environment. While the workflow is being executed, interactions with a user interface are recorded. The interactions include application program interface (API) calls. The method identifies the privileges that are used to execute the API calls, and the identified privileges are combined to form the minimal set of privileges. A model is generated that associates the minimal set of privileges to the workflow, and the model is applied to determine the privileges to assign to users that will be performing the same workflow.
Type: Grant
Filed: June 25, 2019
Date of Patent: November 21, 2023
Assignee: VMWARE, INC.
Inventors: Martin Marinov, Branislav Abadzhimarinov, Miroslava Dimitrova Markova
-
Patent number: 11811954
Abstract: Technologies are provided for clockless physically unclonable functions (PUFs) in reconfigurable devices. Embodiments of the disclosed technologies include processing circuitry configured to perform numerous operations. The operations can include receiving a challenge continuous pulse signal, and generating a response continuous pulse signal by iteratively extending the challenge continuous pulse signal in time-domain. In some configurations, the iteratively extending includes generating a next continuous pulse signal by operating on a prior continuous pulse signal according to a stretching function, and generating a second next continuous pulse width signal by operating on the next continuous pulse signal according to a folding function.
Type: Grant
Filed: January 10, 2022
Date of Patent: November 7, 2023
Assignee: Kratos SRE, Inc.
Inventor: Seth D. Cohen
-
Patent number: 11811802
Abstract: A security threat detection system is used to monitor the physical resource usage of a hosted application in a PaaS service in order to detect anomalous behavior indicative of a security threat. The system analyzes the historical usage of the application's physical resources in order to determine the normal range of consumption of a resource by the application. A security threat alert is then provided when the application's resource consumption exceeds the normal range of consumption.
Type: Grant
Filed: August 21, 2020
Date of Patent: November 7, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
Inventors: Benyamin Farshteindiker, Assaf Israel, Tomer Weinberger
-
Patent number: 11805114
Abstract: A system, method, and computer-readable storage medium provide single sign-on (SSO) in a nested virtualization environment by routing authentication tokens received from an authentication server through the hierarchy of virtual machines (VMs) using secure data communications tunnels between each hypervisor and its respective VMs. A key store stores SSO authentication tokens for users of the nested VMs, and a key controller ensures that each login by a user to a separate VM is associated with its own token. Each login request is uniquely tagged to identify the particular VM requesting credentials, so that the responsive authentication token can be properly routed through the hierarchy. Moreover, session preferences may be associated with each user and/or each VM, enabling a rules evaluator to determine, for each login request, whether SSO functionality should be provided or whether the user should be required instead to provide new login credentials.
Type: Grant
Filed: September 30, 2020
Date of Patent: October 31, 2023
Assignee: Dell Products L.P.
Inventors: Parminder Singh Sethi, Suren Kumar
-
Patent number: 11805094
Abstract: Some embodiments provide a method for securing communication of data messages of a particular machine that includes a dynamic first level address. The method identifies a fixed second level address for a particular data message. The fixed second level address is associated with an interface of the particular machine. Based on the fixed second level address, the method identifies a set of security policies for securing the communication of the particular data message. The method applies the set of security policies to the particular data message.
Type: Grant
Filed: November 14, 2019
Date of Patent: October 31, 2023
Assignee: NICIRA, INC.
Inventor: Akshay Kumar Sreeramoju
-
Patent number: 11797665
Abstract: A processing system includes a branch prediction structure storing information used to predict the outcome of a branch instruction. The processing system also includes a register storing a first identifier of a first process in response to the processing system changing from a first mode that allows the first process to modify the branch prediction structure to a second mode in which the branch prediction structure is not modifiable. The processing system further includes a processor core that selectively flushes the branch prediction structure based on a comparison of a second identifier of a second process and the first identifier stored in the register. The comparison is performed in response to the second process causing a change from the second mode to the first mode.
Type: Grant
Filed: June 27, 2019
Date of Patent: October 24, 2023
Assignee: Advanced Micro Devices, Inc.
Inventors: David Kaplan, Marius Evers
-
Patent number: 11797656
Abstract: A computing device and method of controlling access to a computing device. An application to be used when the computing device is in a locked state is selected, wherein in the locked state, only use of the selected application is permitted. The computing device enters the locked state. Use of the selected application without unlocking the computing device is allowed.
Type: Grant
Filed: June 30, 2021
Date of Patent: October 24, 2023
Assignee: BlackBerry Limited
Inventors: Ahmed E. Hassan, John Ferguson Wilson, Daryl Joseph Martin
-
Patent number: 11798435
Abstract: A method for executing a cryptographic operation is provided comprising acts comprising: (i) sampling a first polynomial, wherein one or more (e.g., one, some and/or all) coefficients of the first polynomial are determined; (ii) sampling a second polynomial, wherein a selection of k coefficients of the second polynomial is determined; (iii) multiplying the first polynomial with the second polynomial to determine a result; and (iv) using the result of the multiplication in the cryptographic operation. A security device arranged to perform one, some and/or all of the acts is provided.
Type: Grant
Filed: September 12, 2019
Date of Patent: October 24, 2023
Assignee: Infineon Technologies AG
Inventor: Thomas Poeppelmann
-
Patent number: 11791988
Abstract: A system that uses a computing device to encrypt data by obtaining multiple series of random numbers, and then time-correlating these series to form a series of composite elements. By selecting a section of the series of composite elements, the computing device can obtain a key for encrypting data.
Type: Grant
Filed: November 22, 2021
Date of Patent: October 17, 2023
Assignee: Theon Technology LLC
Inventor: Robert Edward Grant
-
Patent number: 11792166
Abstract: A method can be used for generating personalized profile package data for integrated circuit cards. The method includes encrypting data records corresponding to profile data with a respective data protection key thereby obtaining encrypted data records. Each record includes a number of personalization fields to store different types of personalization values. The method also includes encrypting a file for a profile package with a master encryption key thereby obtaining an encrypted file for the profile package. The file includes fields to be personalized corresponding to one or more of the personalization fields to store different types of personalization values. The encrypted file for the profile package and encrypted data records are transmitted to a data preparation entity where the encrypted data records and the encrypted file can be decrypted and combined to obtain personalized profile packages.
Type: Grant
Filed: October 18, 2019
Date of Patent: October 17, 2023
Assignee: STMicroelectronics S.r.l.
Inventors: Marco Alfarano, Sofia Massascusa
-
Patent number: 11782744
Abstract: A data processing system has a processor, a system memory, and a hypervisor. The system memory stores program code and data in a plurality of memory pages. The hypervisor controls SLAT (second level address translation) read, write, and execute access rights of the plurality of memory pages. A portion of the plurality of memory pages are classified as being in a secure enclave portion of the system memory and a portion is classified as being in an unsecure memory area. The portion of the memory pages classified in the secure enclave is encrypted and a hash is generated for each of the memory pages. During an access of a memory page, the hypervisor determines if the accessed memory page is in the secure enclave or in the unsecure memory area based on the hash. In another embodiment, a method for accessing a memory page in the secure enclave is provided.
Type: Grant
Filed: October 8, 2020
Date of Patent: October 10, 2023
Assignee: NXP B.V.
Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
-
Patent number: 11775655
Abstract: An artificial intelligence (AI) platform to support optimization of container builds and virtual machine mounts in a distributed computing environment. A provisioning file is subject to natural language processing (NLP) and a corresponding vector representation of the file is created and subject to evaluation by a set of artificial neural networks (ANN). A first ANN assesses the representation of the file with respect to compliance and operability, and the second ANN selectively assesses the representation of the file with respect to provisioning efficiency. The provisioning file is selectively processed based on the provisioning efficiency, with the processing directed at provisioning a container build or mounting a VM.
Type: Grant
Filed: May 11, 2021
Date of Patent: October 3, 2023
Assignee: International Business Machines Corporation
Inventors: Abhishek Malvankar, John M. Ganci, Jr., Carlos A. Fonseca, Charles E. Beller
-
Patent number: 11770247
Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates Beyond 4th-Generation (4G) communication system such as Long Term Evolution (LTE). Embodiments herein provide method and system for end-to-end security over signaling plane in a mission critical data (MCData) communication system. The proposed method includes various ways of securing MCData data payload transmitted over signaling plane using short data service (SDS). The proposed method allows usage of multiple security keys to encrypt the MCData SDS message as per the requirements. Various Keys such as, signaling plane key or media plane key or a dedicated MCData data payload signaling key can be used independently or in a combination thereof to achieve the desired security context. The proposed method allows protection of all the application level components with the signaling plane security context.
Type: Grant
Filed: January 12, 2022
Date of Patent: September 26, 2023
Assignee: Samsung Electronics Co., Ltd.
Inventors: Rajavelsamy Rajadurai, Nishant Gupta
-
Patent number: 11763138
Abstract: A method for generating a synthetic dataset involves generating discretized synthetic data based on driving a model of a cumulative distribution function (CDF) with random numbers. The CDF is based on a source dataset. The method further includes generating the synthetic dataset from the discretized synthetic data by selecting, for inclusion into the synthetic dataset, values from a multitude of entries of the source dataset, based on the discretized synthetic data, and providing the synthetic dataset to a downstream application that is configured to operate on the source dataset.
Type: Grant
Filed: November 27, 2019
Date of Patent: September 19, 2023
Assignee: Intuit Inc.
Inventors: Ashok N. Srivastava, Malhar Siddhesh Jere, Sumanth Venkatasubbaiah, Caio Vinicius Soares, Sricharan Kallur Palli Kumar
-
Patent number: 11755730
Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
Type: Grant
Filed: September 14, 2022
Date of Patent: September 12, 2023
Assignee: CARBONITE LLC
Inventors: Eric Klonowski, Fred Krenson
-
Patent number: 11750583
Abstract: A provisioning client obtains an identifier from a public server and a one-time password from a trusted server. The provisioning client combines the one-time password with the identifier to create an activation code for a client device and presents the activation code to the client device. The activation code enables the client device to download trusted cryptographic information from the trusted server in a communication session that is secured using the one-time password.
Type: Grant
Filed: January 6, 2022
Date of Patent: September 5, 2023
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Owen Brendan Friel, Jason Cresswell, Pandit Panburana
-
Patent number: 11720707
Abstract: A conference management system (“system”) facilitates data compliance in recording conversations between users. A host user can send an electronic invitation for a meeting to participants. Upon accessing the invitation, the participants can be presented with two options to join the conference—a first option using which a participant can join the meeting by providing consent to recording the meeting and a second option using which the participant can join the meeting by opting-out of recording of the meeting. When a participant opts-out of the recording of the meeting, the conference management system ensures that the recording is performed in compliance with a data compliance policy applicable to the participant who opted out of recording.
Type: Grant
Filed: July 9, 2021
Date of Patent: August 8, 2023
Assignee: ZOOMINFO CONVERSE LLC
Inventors: Russell Levy, Dominik Facher, Micha Yochanan Breakstone
-
Patent number: 11678177
Abstract: Disclosed is a dual-link wireless ad hoc network and a security defense method in an emergency scene, aiming at comprehensively improving its security defense capability. The method comprises: sending, by a source node, the secret key and other messages which are not security defense messages through the second link; detecting, by a destination node, abnormal messages from the acquired valid messages after matching with abnormal message feature library, filtering the abnormal messages out, and quickly broadcasting the features of new abnormal messages through the first link; checking, by a new node to be added to the network, the identity and hardware state, authorizing the new node without abnormality, and broadcasting the authorization result information through the first link; adding, by other nodes receiving the security defense messages, the features of the new abnormal messages to their own abnormal message feature library, and allowing the entry of the new node.
Type: Grant
Filed: January 26, 2021
Date of Patent: June 13, 2023
Assignee: Xidian University
Inventors: Wenchi Cheng, Chunhua Chen, Muyao Wang
-
Patent number: 11611879
Abstract: Apparatuses, systems, and methods for a wireless device to perform methods for improvements to security checks in a fifth generation (5G) New Radio (NR) network, including mechanisms to avoid redundant access stratum (AS) security checks. The wireless device may determine that an on-demand system information block (SIB) request is pending transmission and may buffer the on-demand SIB in response to determining that a connection establishment procedure will be initiated within a specified time period. The wireless device may then perform a unified security procedure for the on-demand SIB request and the connection establishment procedure, including confirming connection security. Further, in response to confirming connection security, the wireless device may use an on-demand SIB received from the network without confirming a corresponding on-demand SIB signature.
Type: Grant
Filed: October 23, 2019
Date of Patent: March 21, 2023
Assignee: Apple Inc.
Inventors: Muthukumaran Dhanapal, Li Su, Vijay Venkataraman
-
Patent number: 11606388
Abstract: Provided is a method for assigning a time-to-live (“TTL”) value for a domain name system (“DNS”) record at a recursive DNS server. The method comprises obtaining, from a client, the TTL value for the DNS record; and storing, in a memory of the recursive DNS server, the TTL value, an identifier of the client, and the DNS record.
Type: Grant
Filed: July 31, 2020
Date of Patent: March 14, 2023
Assignee: VeriSign, Inc.
Inventor: Denis Phillips