Abstract: Software vulnerabilities affecting devices can be determined using a vulnerability identifier uniquely identifying a vulnerability and version check information for use in determining software versions affected by the vulnerability. The version check information comprises one or more version rules providing a definition of how a software version number is tokenized and one or more Boolean expressions on those tokens to identify impacted versions of software according to the one or more version rules. In checking software for a vulnerability, the software version is determined and checked using the Boolean expression according to the version definition.

Abstract: Systems and methods for protecting from external monitoring attacks cryptographic data processing operations involving universal polynomial hash functions computation.

Abstract: A software package is received so that functions within the software package that implement or use cryptographic primitives can be identified. Further, a set of calls with each of the identified functions are determined. A call site analysis is performed based on the set of calls to determine cryptographic algorithm parameters. Thereafter, based on the set of calls and the call site analysis, a cryptography bill of materials (CBOM) detailing cryptographic primitives within the software package is generated. This CBOM can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: Methods and systems for secure computation and communication are provided. The method includes transforming identifications of a first dataset using a first transforming scheme, and transforming attributes of the first dataset using a second transforming scheme. The method also includes dispatching the transformed first dataset, receiving a second dataset, transforming identifications of the received second dataset, dispatching the identifications of the transformed received second dataset, and receiving a set of identifications. The method further includes generating a first intersection of the received set of identifications and the transformed received second dataset, generating a first share based on the first intersection, receiving a second share, and constructing a result based on the first share and the second share.

Abstract: A system and method for identifying security control gaps. A method includes integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls; identifying at least one computing asset to be protected by the set of security controls; identifying at least one security control gap in the computing environment based on a configuration of the set of security controls, wherein each security control gap is defined with respect to one of the identified at least one computing asset; and performing at least one remediation action with respect to the identified at least one security control gap.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: The invention relates to a system and method for managing the data streams for unified governance of a plurality of intensive computing solutions (70) accessible to a user client (2) from an aggregated interface (10), said intensive computing solutions including at least two solutions selected among: a high performance computing server (71), a server dedicated to supervised or unsupervised learning (72) and a server dedicated to quantum computing (73); said method being implemented at least partly by said computer system including: at least one database (25a) configured to store execution data for intensive computing operations; said method including the steps of storing (300) execution data for the intensive computing solutions (70) and transmitting (400) execution data for the intensive computing solutions to the aggregated interface (10).

Abstract: Systems and methods to facilitate cryptographic attestation chains using bonded oracles are disclosed. Exemplary implementations may publish a bond identifier that identifies a bond; record an initial attestation on a public registry, wherein the initial attestation includes an initial nonce that is based on a secret value; generate a sequence of attestations that form a chain; publish the sequence of attestations; initiate redemption of the bond, wherein the redemption is delayed by a wait period; compare individual nonces of previously published attestations to previously recorded nonces in the sequence; responsive to a match between the previously recorded nonces, publish a notification regarding nonce reuse that exposes both the secret value and the bond; responsive to exposure of the secret value, forfeit the bond identified by the bond identifier; responsive to the redemption transaction being recorded and further responsive to expiration of the wait period, redeem the bond; and/or other steps.

Abstract: A system and method for providing access to third-party application programming interfaces (APIs) as a service. In particular, an API access manager can be configured to execute one or more serverless functions selected form a database of serverless functions in order to obtain data from one or more third-party APIs. Retrieved data can be used to evaluate compliance with one or more information security policies.

Abstract: Techniques for implementing and enforcing a security policy in a secure element are disclosed. The secure element enforces the security policy to grant and/or deny access, such as from an application processor, to configuration of the device peripheral components and access to data of the device peripheral components across one or more bus architectures, such as an I3C bus. Implementing an access control policy in a secure element allows execution of code within the isolated secure element hardware processor, preventing software attacks that may emanate from code running in the application processor. This design also benefits from hardware protections against physical attacks.

Abstract: Disclosed are methods, systems and non-transitory computer readable memory for container image or host deduplication in vulnerability management systems. For instance, a method may include: obtaining source data from at least one source, wherein the source data includes a plurality of assets and/or findings; extracting data bits for each asset or finding from the source data; determining a first asset or finding concerns a first container image or first host based on the data bits for the first asset or finding; in response to determining the first asset or finding concerns the first container image or first host, obtaining a container image dataset or a search structure; determining whether the data bits match any of the plurality of sets of values of the container image dataset or the search structure; and, based on a match result, generating or updating records for the first container image or the first host.

Abstract: Disclosed are methods, systems and non-transitory computer readable memory for container image or host deduplication in vulnerability management systems. For instance, a method may include: obtaining source data from at least one source, wherein the source data includes a plurality of assets and/or findings; extracting data bits for each asset or finding from the source data; determining a first asset or finding concerns a first container image or first host based on the data bits for the first asset or finding; in response to determining the first asset or finding concerns the first container image or first host, obtaining a container image dataset or a search structure; determining whether the data bits match any of the plurality of sets of values of the container image dataset or the search structure; and, based on a match result, generating or updating records for the first container image or the first host.

Abstract: A method for anonymizing movement data of road users equipped with a position detection device involves collecting movement data in the form of individual time- and position-related data records and transmitting the collected movement data to a backend server. At least some data records are transmitted indirectly via at least one other vehicle, or the position or time reference in at least some data records is made noisy prior to the transmission.

Abstract: Provided are systems, methods, and computer-readable medium for identifying security risks in applications executing in a cloud environment. In various implementations, a security monitoring and management system can obtain application data from a service provider system. The application data can include a record of actions performed by an application during use of the application by users associated with a tenant. The application executes in a service platform provided for the tenant by the service provider system. In various implementations, the application data is analyzed to identify an event associated with a security risk, where the event is identified from one or more actions performed by the application. The system can determine an action to perform in response to identifying the event. In various examples, an agent executing on the service platform can add instrumentation codes used by the application, where the instrumentation provides the application data.

Abstract: An enterprise network has endpoints, which are computers with a computer program that needs patches to remove vulnerabilities. A plot of a percentage of vulnerable endpoints over time is generated. Patching cycles and residual phases are identified in the plot. A Residual Vulnerable Percentage (RVP) is determined from the plot, the RVP being an average of percentage of vulnerable endpoints in a residual phase. A Time to Patch Managed (TTPM) is determined from the plot as a time period from a beginning of a patching cycle to a beginning of a residual phase in the patching cycle. A performance indicator that is based on the RVP or the TTPM is compared to a corresponding reference to determine if a corrective action needs to be performed to address deficiencies in the efficiency and/or effectiveness of the patching process.

Abstract: The present disclosure relates to Overlay Content Forwarding (OCF) Methods to transfer data across a wide area network without introducing a single point of data breach or wire-tapping on a Zero Trust Data transfer paradigm. Methods are applied on a system built upon Data Transport Controllers (DTC) and USC with AIOps capabilities. System modules are deployed across various geo locations in a Wide Area Network, operating at the control of Universal Security Controller (USC). USC extracts system, security and storage activity telemetry data from DTC controllers, update Routes through XML updates and Routing update exchanges, to orchestrate Autonomous, de-duplicated, segmented data forwarding across exclusive path overlay network guided by AIOps mechanisms. Data is segmented in unintelligible manner based on information theory and sent across different, exclusive path across DTC nodes in an overlay network in different application sessions and reassembled at destination DTC node to recover the original content.

Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render in accessible a significant portion of one or more storage volumes as part of a ransomware attack.

Abstract: A system and method provide for automated management of policies in an application platform. A plurality of policy groups are established, each according to a set of included policies and a set of assigned application groups, where each policy defines a requirement and an automated response, and each application group is defined according to a rule to determine whether an application is contained within. A configuration file for each policy group associates each assigned application group with each included policy. An automatic configuration, according to the configuration file for each of the policy groups, configures an admission controller of the application platform to selectively test an application contained within an application group and designated for deployment to the application platform, to determine whether it meets the requirement of each policy associated with the application group, and to selectively execute the automated response based on a failure to fulfill the requirement.

Abstract: Accurate and reliable time is acquired by a user equipment (UE) from a base station in a wireless network. The base station may obtain the time, e.g., UTC time or a GNSS time, and ciphers at least a portion of the time before broadcasting the time. The UE determines a propagation delay between the UE and the base station based on a timing advance, known locations of the UE and the base station, or a measured round trip propagation time (RTT) between the UE and the base station. A corrected time can be determined based on the time received from the base station and the propagation delay. A digital signature included with the time broadcast by the base station increases reliability. Spoofing of the broadcast time by an attacking device may be detected by the UE based on the propagation delay being outside an expected range.

Abstract: An encoding method for enabling privacy-preserving aggregation of private data can include obtaining private data including a private value, determining a probabilistic status defining one of a first condition and a second condition, producing a multiset including a plurality of multiset values, and providing the multiset for aggregation with a plurality of additional multisets respectively generated for a plurality of additional private values. In response to the probabilistic status having the first condition, the plurality of multiset values is based at least in part on the private value, and in response to the probabilistic status having the second condition, the plurality of multiset values is a noise message. The noise message is produced based at least in part on a noise distribution that comprises a discretization of a continuous unimodal distribution supported on a range from zero to a number of multiset values included in the plurality of multiset values.