Abstract: A dynamically generated search query is generated based on rarity scores associated with raw-level computer events. Event data is pre-processed using historical information about the frequency, or rarity, of instances of individual events. Each event is assigned one or more labels that identify the event based on the historical information. The rarity scores represent probabilities of events occurring with the same labels. The rarity scores are associated with n-grams of the labels (e.g., a combination of two labels, three labels, etc.). A label n-gram score is calculated based on newly observed events and the rarity scores corresponding to the label n-grams. The search query is generated based on the label n-gram score. The search query is executed against a database to retrieve information, such as diagnostics, used to alert an administrator to events that are potentially anomalous.

Abstract: Techniques are described herein for security hardened processing devices. For example, a method can include performing a secure boot of a processing device of a computer system. The processing device is configured as a root of trust for a secure boot process. The computer system can include the processing device and a non-volatile memory storing a basic input/output system (BIOS) for the secure boot process. The method can include identifying a set of programmable fuses of the processing device, deriving an encryption key using a value encoded by the set of programmable fuses in the processing device, and authenticating the BIOS to perform the secure boot process using a key derivation algorithm based on the encryption key.

Abstract: A computing system has a computing device. The computing system has an input data path, which unidirectionally connects an interface device to the computing device, and an output data diode, which unidirectionally connects the computing device to the interface device. The input data path has a data lock which is connected to the interface device by a first terminal and to the computing device by a second terminal. The data lock has a storage unit for storing data and is configured such that the storage unit can be selectively connected solely to the first or second terminal but not to both terminals simultaneously. The computing device accepts data from the interface device solely if the data is transmitted to the computing device from the interface device via the input data path within a transmission session initiated by the computing device using the output data diode.

Abstract: Various examples are provided related to software and hardware architectures that enable lightweight and real-time Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attack detection. In one example, among others, a method for detection and localization of denial-of-service (DoS) attacks includes detecting, by a router of an intellectual property (IP) core in a network-on-chip (NoC) based system-on-chip (SoC) architecture, a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router; identifying, by the IP core, a candidate IP core in the NoC as a potential attacker based at least in part upon a destination packet latency curve (DLC) associated with the IP core; and transmitting, by the router, a notification message indicating that the candidate IP core is the potential attacker to a router of the candidate IP core.

Abstract: A computer-implemented method includes identifying behavioral characteristics of a user related to operation of a computing device prior to an online account session. The method includes comparing the behavioral characteristics to a behavioral profile previously developed based on prior behavioral characteristics of the user, and determining an appropriate mark difficulty level based on a variation between the behavioral characteristics and the behavioral profile. The method includes selecting, from a plurality of prompts stored in a prompt database, a prompt that comprises instructions to draw a mark having the appropriate mark difficulty level, where other prompts of the plurality of prompts comprise instructions to draw other marks different from the mark, and providing the prompt to the user as part of a logon process for the online account session.

Abstract: According to one aspect, there is provided a server for use in evaluating a monitoring function to determine if a trigger condition is satisfied. The server comprises a processing unit and a memory unit. The memory unit is for storing a current monitoring state Ss of the server or an encrypted current monitoring state S of the monitoring function, the current monitoring state Ss of the server relating to the current monitoring state S of the monitoring function that is based on an evaluation of one or more previous events. The processing unit is configured to receive an indication of a first event from a first client node and evaluate the monitoring function to determine if the first event satisfies the trigger condition.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely distribute and manage cryptographic keys within a computing environment using permissioned distributed ledgers. By way of example, an apparatus may receive a registration request and a first digital signature applied to the registration request from a device. Based on a validation of the first digital signature, the apparatus may approve the registration request and apply a second digital signature to the registration request and the first digital signature. In some examples, the second digital signature may be indicative of the approval of the registration request by the apparatus. The apparatus may also transmit the registration request and the first and second digital signatures to a computing system, which may validate the first and second digital signatures and perform operations that record a public cryptographic key of an application program executed at the device onto a distributed ledger.

Abstract: A communication device may obtain second security information in a case where a first instruction for establishing a second wireless connection with a second parent station is accepted under a state where a first wireless connection with a first parent station is established, and determine whether a second security level indicated by the second security information is lower than a first security level indicated by first security information in a memory. The communication device may execute at least one process of a notification process or an acceptance process in a case where it is determined that the second security level is lower than the first security level and establish the second wireless connection with the second parent station without executing the at least one process in a case where it is determined that the second security level is not lower than the first security level.

Abstract: One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

Abstract: Provided is a method including receiving, by a user device, a request from an identity service to approve communicating a user proof-of-identity to a relying party. A user of the user device is prompted to request a one-time transaction identifier based on the request. Based on a first input from the user, the user device requests the one one-time transaction identifier from the identity service. In response to the request for the one-time transaction identifier, the user device receives the one-time transaction identifier from the identity server and displays the one-time transaction identifier on a first user device screen. The user inputs the one-time transaction identifier on a second user device screen and the user device communicates the one-time transaction identifier to the identity service. In response to receiving the at least one inputted one-time transaction identifier, the relying party determines whether to approve or deny a transaction.

Abstract: A method including receiving, by a manager device from an infrastructure device, an invitation link to enable the manager device to manage network services provided by the infrastructure device; receiving, by the manager device from the infrastructure device based on the manager device activating the invitation link, seed information to be utilized by the manager device to determine authorization information; transmitting, by the manager device to the infrastructure device during an active communication session and based on determining the authorization information, a manager request related to an action to be performed regarding the network services, a portion of the manager request being signed based on utilizing a first portion of the authorization information; and performing, by the manager device, the action regarding the network services based on a verification that the communication session is currently active is disclosed. Various other aspects are contemplated.

Abstract: An information processing device includes: an obtainer that obtains, from an anomaly detection sensor that detects an anomaly in a network, a detection log related to the anomaly in the network and the detection time of the anomaly indicated in the detection log; an occurrence time determiner that determines the occurrence time of an attack on the network based on the obtained detection time, and records the determined occurrence time; and an end time determiner that determines the expected end time of the attack on the network based on the obtained detection log, and records the determined expected end time.

Abstract: A method including transmitting, by an infrastructure device to a manager device, an invitation link to enable the manager device to manage network services provided by the infrastructure device; transmitting, by the infrastructure device to the manager device based at least in part on the manager device activating the invitation link, seed information to be utilized by the manager device to determine authorization information; receiving, by the infrastructure device from the manager device during an active communication session, a manager request related to an action to be performed regarding the network services, the manager request being signed based at least in part on utilizing a first portion of the authorization information; and enabling, by the infrastructure device, performance of the action regarding the network services based at least in part on verifying that the communication session is currently active is disclosed. Various other aspects are contemplated.

Abstract: A messaging system for exchanging messages between nodes in a network via a broker that uses a publish-subscribe message protocol, which nodes have object identifications (IDs). Messages between the nodes are routed using the object IDs of the nodes. Secure communication is provided using authentication according to digital certificates being used as first and second tiers by a commissioning broker and a data broker, respectively, in which the second tier certificate used by the data broker has a shorter lived expiration time.

Abstract: A method for generating fingerprints of web domains and reacting to artifacts electronically received from those web domains is disclosed. When artifacts from a first web domain and artifacts from a second web domain have been transmitted over a network, a system generates, via a hashing function that consults registry information, a first hash for the first web domain and a second hash for the second web domain and identifies a correlation between the first web domain and the second web domain based on shared subsets of the first hash and second hash. Upon receiving a notification that artifacts from the first web domain had been determined to negatively impact the functioning of a secondary computing system; and based on the identified correlation between the first web domain and the second web domain, the system automatically quarantines artifacts from the second web domain from interacting with the secondary computing system.

Abstract: In an example system for private key recovery performed by a processor of a key recovery computing system, a key recovery computing system is configured to provide an original private key. The original private key is associated with a storage location of a blockchain-based asset. The key recovery computing system is configured to receive supplemental recovery information provided by a user via a user computing device. A recovery seed is derived from at least a subset of the supplemental recovery information, wherein the recovery seed is non-invertible. The original private key and the recovery seed are stored relationally to the supplemental recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the original private key and the recovery seed via a universal second-factor authentication (U2F) device.

Abstract: In various embodiments, a computer-implemented method comprises determining that a first property associated with a dashboard is modified at a first device, determining that the dashboard is accessible at a second device, where the first device and the second device are coupled via a trusted tunnel bridge, and in a real-time response to determining that the first property was modified, transmitting, to the second device via the trusted tunnel bridge, an update that causes the second device modify the dashboard based on the modified first property.

Abstract: The present disclosure provides for improving security in a meter or an intelligent electronic device (IED) through the use of a security key which is unique to each meter or IED. Such a key may be used to prevent password reuse among multiple meters. Such a key may also be used to encrypt critical components of the software, such that only when running on the correct meter can the components of the software be decrypted. Such a key may also be used to uniquely identify the device in a larger data collection and management system. The security key can also be used to prevent the direct copying of meters. The present disclosure also provides for a meter or IED that stores functional software separately from core software.

Abstract: Methods and apparatus to assign demographic information to panelists are disclosed.

Abstract: A same wireless access profile is installed on each of multiple mobile communication devices. The wireless access profile includes outer identity information and anonymous inner identity information for each service. The anonymous inner identity information includes a credential used by each of the multiple mobile communication devices to use the service. To use the service such as access a remote network, a respective mobile communication device communicates an anonymous username and password assigned to the service to a policy server during first level authentication. The policy server stores a network address of the authenticated mobile communication device. During second level authentication, the policy server receives an identity of the mobile communication device from a network gateway. The policy server provides access control information (assigned to the service) to the network gateway.