Abstract: Systems and methods for protecting from external monitoring attacks cryptographic data processing operations involving computation of a universal polynomial hash function, such as GHASH function. An example method may comprise: receiving an input data block, an iteration result value, and a mask value; performing a non-linear operation to produce a masked result value, wherein a first operand of the non-linear operation is represented by a combination of the iteration result value and the input data block, and the second operand of the non-linear operation is represented by a secret hash value, and wherein one of the first operand or the second operand is masked using a mask value; determining, based on the mask value, a mask correction value; and producing a new iteration result value by applying the mask correction value to the masked result value.

Abstract: There is provided a method of communication between functional blocks in a system-on-chip.

Abstract: A method and system of selecting a software testing regimen for a software application. The method comprises receiving, at a security assessing server computing device, a Quality of Service (QoS) performance level in conjunction with a set of technical attributes of the software application, determining a security vulnerability diagnostic score for the software application based at least in part on the set of technical attributes and the QoS performance level, and selecting the software testing regimen in accordance with the QoS performance level and the security vulnerability diagnostic score.

Abstract: A method for protection from cyber attacks in a CAN (Controller Area Network), of a vehicle including the steps of selecting periodic messages having a transmission periodicity, grouping the periodic messages, and performing an analysis of messages of the nodes that exchange the received periodic messages, which includes obtaining times of arrival at the respective nodes of a set of periodic messages that have the same message identifier, computing average-offset values over successive subsets, of a given number of messages, accumulating the average-offset values for each identifier to obtain accumulated-offset values, identifying linear parameters by computing an angular coefficient, of a regression, and an intercept, or identification error, computing a correlation coefficient of the average offset of pairs of messages identified as coming from the same node, determining whether the correlation coefficient is higher than a first given threshold, determining whether the angular coefficient between two consec

Abstract: Embodiments for providing enhanced data protection for storage systems in a computing environment by a processor. One or more queries received by a storage system may be identified. Approval or denial of transmission of data with the storage system may be regulated in relation to the one or more queries based a queried metadata and a plurality of rules and administrative policies.

Abstract: Software vulnerabilities affecting devices can be determined using a vulnerability identifier uniquely identifying a vulnerability and version check information for use in determining software versions affected by the vulnerability. The version check information comprises one or more version rules providing a definition of how a software version number is tokenized and one or more Boolean expressions on those tokens to identify impacted versions of software according to the one or more version rules. In checking software for a vulnerability, the software version is determined and checked using the Boolean expression according to the version definition.

Abstract: A software package is received so that functions within the software package that implement or use cryptographic primitives can be identified. Further, a set of calls with each of the identified functions are determined. A call site analysis is performed based on the set of calls to determine cryptographic algorithm parameters. Thereafter, based on the set of calls and the call site analysis, a cryptography bill of materials (CBOM) detailing cryptographic primitives within the software package is generated. This CBOM can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: Systems and methods for protecting from external monitoring attacks cryptographic data processing operations involving universal polynomial hash functions computation.

Abstract: Methods and systems for secure computation and communication are provided. The method includes transforming identifications of a first dataset using a first transforming scheme, and transforming attributes of the first dataset using a second transforming scheme. The method also includes dispatching the transformed first dataset, receiving a second dataset, transforming identifications of the received second dataset, dispatching the identifications of the transformed received second dataset, and receiving a set of identifications. The method further includes generating a first intersection of the received set of identifications and the transformed received second dataset, generating a first share based on the first intersection, receiving a second share, and constructing a result based on the first share and the second share.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: A system and method for identifying security control gaps. A method includes integrating with a set of security controls deployed with respect to a computing environment, wherein integrating with the set of security controls further comprises deploying an artifact in the computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the set of controls; identifying at least one computing asset to be protected by the set of security controls; identifying at least one security control gap in the computing environment based on a configuration of the set of security controls, wherein each security control gap is defined with respect to one of the identified at least one computing asset; and performing at least one remediation action with respect to the identified at least one security control gap.

Abstract: Systems and methods to facilitate cryptographic attestation chains using bonded oracles are disclosed. Exemplary implementations may publish a bond identifier that identifies a bond; record an initial attestation on a public registry, wherein the initial attestation includes an initial nonce that is based on a secret value; generate a sequence of attestations that form a chain; publish the sequence of attestations; initiate redemption of the bond, wherein the redemption is delayed by a wait period; compare individual nonces of previously published attestations to previously recorded nonces in the sequence; responsive to a match between the previously recorded nonces, publish a notification regarding nonce reuse that exposes both the secret value and the bond; responsive to exposure of the secret value, forfeit the bond identified by the bond identifier; responsive to the redemption transaction being recorded and further responsive to expiration of the wait period, redeem the bond; and/or other steps.

Abstract: The invention relates to a system and method for managing the data streams for unified governance of a plurality of intensive computing solutions (70) accessible to a user client (2) from an aggregated interface (10), said intensive computing solutions including at least two solutions selected among: a high performance computing server (71), a server dedicated to supervised or unsupervised learning (72) and a server dedicated to quantum computing (73); said method being implemented at least partly by said computer system including: at least one database (25a) configured to store execution data for intensive computing operations; said method including the steps of storing (300) execution data for the intensive computing solutions (70) and transmitting (400) execution data for the intensive computing solutions to the aggregated interface (10).

Abstract: A system and method for providing access to third-party application programming interfaces (APIs) as a service. In particular, an API access manager can be configured to execute one or more serverless functions selected form a database of serverless functions in order to obtain data from one or more third-party APIs. Retrieved data can be used to evaluate compliance with one or more information security policies.

Abstract: Techniques for implementing and enforcing a security policy in a secure element are disclosed. The secure element enforces the security policy to grant and/or deny access, such as from an application processor, to configuration of the device peripheral components and access to data of the device peripheral components across one or more bus architectures, such as an I3C bus. Implementing an access control policy in a secure element allows execution of code within the isolated secure element hardware processor, preventing software attacks that may emanate from code running in the application processor. This design also benefits from hardware protections against physical attacks.

Abstract: Disclosed are methods, systems and non-transitory computer readable memory for container image or host deduplication in vulnerability management systems. For instance, a method may include: obtaining source data from at least one source, wherein the source data includes a plurality of assets and/or findings; extracting data bits for each asset or finding from the source data; determining a first asset or finding concerns a first container image or first host based on the data bits for the first asset or finding; in response to determining the first asset or finding concerns the first container image or first host, obtaining a container image dataset or a search structure; determining whether the data bits match any of the plurality of sets of values of the container image dataset or the search structure; and, based on a match result, generating or updating records for the first container image or the first host.

Abstract: A method for anonymizing movement data of road users equipped with a position detection device involves collecting movement data in the form of individual time- and position-related data records and transmitting the collected movement data to a backend server. At least some data records are transmitted indirectly via at least one other vehicle, or the position or time reference in at least some data records is made noisy prior to the transmission.

Abstract: Disclosed are methods, systems and non-transitory computer readable memory for container image or host deduplication in vulnerability management systems. For instance, a method may include: obtaining source data from at least one source, wherein the source data includes a plurality of assets and/or findings; extracting data bits for each asset or finding from the source data; determining a first asset or finding concerns a first container image or first host based on the data bits for the first asset or finding; in response to determining the first asset or finding concerns the first container image or first host, obtaining a container image dataset or a search structure; determining whether the data bits match any of the plurality of sets of values of the container image dataset or the search structure; and, based on a match result, generating or updating records for the first container image or the first host.

Abstract: The present disclosure relates to Overlay Content Forwarding (OCF) Methods to transfer data across a wide area network without introducing a single point of data breach or wire-tapping on a Zero Trust Data transfer paradigm. Methods are applied on a system built upon Data Transport Controllers (DTC) and USC with AIOps capabilities. System modules are deployed across various geo locations in a Wide Area Network, operating at the control of Universal Security Controller (USC). USC extracts system, security and storage activity telemetry data from DTC controllers, update Routes through XML updates and Routing update exchanges, to orchestrate Autonomous, de-duplicated, segmented data forwarding across exclusive path overlay network guided by AIOps mechanisms. Data is segmented in unintelligible manner based on information theory and sent across different, exclusive path across DTC nodes in an overlay network in different application sessions and reassembled at destination DTC node to recover the original content.

Abstract: An enterprise network has endpoints, which are computers with a computer program that needs patches to remove vulnerabilities. A plot of a percentage of vulnerable endpoints over time is generated. Patching cycles and residual phases are identified in the plot. A Residual Vulnerable Percentage (RVP) is determined from the plot, the RVP being an average of percentage of vulnerable endpoints in a residual phase. A Time to Patch Managed (TTPM) is determined from the plot as a time period from a beginning of a patching cycle to a beginning of a residual phase in the patching cycle. A performance indicator that is based on the RVP or the TTPM is compared to a corresponding reference to determine if a corrective action needs to be performed to address deficiencies in the efficiency and/or effectiveness of the patching process.