Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: A password hardcoding checking method and apparatus based on PCA, and a medium. the checking method includes: step one, data collection, involving: collecting function code blocks in which data of password hardcoding that is subject to a false alarm is located; step two, extracting feature values in the function code blocks collected in step one, so as to obtain a feature set; step three, using the function code blocks collected in step one to serve as samples to construct a PCA model; and step four, on the basis of the PCA model constructed in step three and the feature set obtained in step two, detecting whether there is a false alarm in password hardcoding. by means of the method, the false alarm rate of hardcoding checking in code scanning is reduced, and the working efficiency of a developer and a code auditor is improved.

Abstract: Time-based functionality restrictions may be provided. Periodic scans may be performed to identify requests to perform functions on user devices, to determine whether the functions are compliant with compliance rules associated with the user devices that specify time periods during which the user devices are authorized to perform the functions, and to perform remedial actions if the functions are not compliant with the compliance rules.

Abstract: Examples include service authentication for a principal. A request to access a first service of a plurality of services of a network may be received from a principal by an identity intermediary. An identifier of the first service may be stored at the identity intermediary, and an unsigned credential of the principal and a principal identifier may be transferred from the identity intermediary to a credential provider. The principal identifier and the credential signed by the credential provider may be received, and the signed credential may be transmitted to the first service for authentication.

Abstract: Systems and methods are disclosed for aggregating and indexing a patient operational longitudinal record and extracting statistics therefrom. In one example, a system for storing and indexing entries in a patient operational longitudinal record may include at least one memory storing instructions and at least one processor configured to execute the instructions to: receive a health update from an authenticated device; map the health update to a health record; apply at least one stored rule to the health update and the health record to determine additional operational data; index and store the health update and the additional operational data in association with the health record; and allow access to the health record based on an associated security protocol.

Abstract: Source code is managed through a source code management system and one or more static application security testing scanners check the source-code for vulnerabilities. The scanners generate vulnerability reports that are processed by a vulnerability tracker. The vulnerability tracker computes the scopes of identified vulnerabilities from the source-code and generates scope and offset fingerprints (e.g., hashes that uniquely identify vulnerabilities based on their surrounding scope). The fingerprints used for deduplication and vulnerability tracking. The vulnerability tracker may generate a refined vulnerability report that includes a set of deduplicated vulnerabilities with the corresponding fingerprints. The refined vulnerability report and related data may be stored in a vulnerability database for use in vulnerability management.

Abstract: Apparatus, methods, and articles of manufacture or disclosed for implementing risk scoring systems used for vulnerability mitigation in a distributed computing environment. In one disclosed example, a computer-implemented method of mitigating vulnerabilities within a computing environment includes producing a risk score indicating at least one of: a vulnerability component, a security configuration component, or a file integrity component for an object within the computing environment, producing a signal score indicating a factor that contributes to risk for the object, and combining the risk score and the signal score to produce a combined risk score indicating a risk level associated with at least one vulnerability of the computing system object. In some examples, the method further includes mitigating the at least one vulnerability by changing a state of a computing object using the combined risk score.

Abstract: An event analysis system is provided. During operation, the system can determine an event description associated with the switch from an event log of the switch. The event description can correspond to an entry in a table in a switch configuration database of the switch. A respective database in the switch can be a relational database. The system can then obtain an event log segment, which is a portion of the event log, comprising the event description based on a range of entries. Subsequently, the system can apply a pattern recognition technique on the event log segment based on the entry in the switch configuration database to determine one or more patterns corresponding to an event associated with the event description. The switch can then apply a machine learning technique using the one or more patterns to determine a recovery action for mitigating the event.

Abstract: According to one or more embodiments, an electronic device comprises: a display device; a memory for storing at least one source code and a comparison file including any one of a modification and a vulnerability, in which each of at least one character string included in a patch file corresponding to the at least one source code is classified; and a processor functionally connected to the memory and the display device, wherein the processor can be set to load the at least one source code stored in the memory, compare a character string included in the comparison file corresponding to the at least one source code with a character string included in the source code, and provide, through an output device, at least one piece of information from among pieces of information about whether the identified source code is patched, the probability that the source code is patched, and a vulnerability in the source code, on the basis of the result of the comparison.

Abstract: Exemplary embodiments may use word embeddings to enhance scanning of programming code scripts for sensitive subject matter, such as confidential subject matter. The scanning may be performed by a neural network in some exemplary embodiments. The neural network initially may be trained on a corpus of programming code scripts to identify keywords relating to sensitive subject matter, such as passwords, tokens or credentials. The neural network may not only identify instances of the keywords but also may identify related terms as well. The output of the scan may be a ranked list of terms in the programming code script that may relate to sensitive subject matter.

Abstract: Deferred verification of the integrity of data operations over a set of data that is hosted at an untrusted module (UM) is controlled. The controlling includes generating a request for a data operation on the set of data. The request includes an authentication portion. The request is sent to the UM. A response to the request is received from the UM. The response includes cryptographic verification information attesting the integrity of the data operation with respect to prior data operations on the set of data. The response includes results from deferred verification at a trusted module (TM).

Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.

Abstract: Systems and methods are described herein for facilitating use of artificial intelligence platforms to generate network mappings for conducting blockchain actions. The system may access an internal index for an artificial intelligence platform, wherein the internal index comprises on-chain self-executing program characteristics and off-chain self-executing program characteristics and wherein the on-chain self-executing program characteristics and off-chain self-executing program characteristics are archived in the internal index based on respective temporal identifiers.

Abstract: Various systems and methods for user-authorized onboarding of a device using a public authorization service are described herein. In an example, a 3-way authorization protocol is used to coordinate device onboarding among several Internet of Things (IoT) Fog users (e.g., devices in a common network topology or domain) with principles of least privilege. For instance, respective onboarding steps may be assigned for performance by different Fog ‘owners’ such as respective users and clients. Each owner may rely on a separate authorization protocol or user interaction to be notified of and to give approval for the specific onboarding actions(s) assigned. Further techniques for implementation and tracking such onboarding actions as part of an IoT network service are also disclosed.

Abstract: Example implementations include a method for using tokens between two entities including a client device and a server, by generating, by a first one-way function of the client device, a first intermediate value from a transaction count corresponding to a number of transactions involving an original data, the first intermediate value being unique to a first verification transaction at a server, generating, by a second one-way function of the client device, a second intermediate value from the first intermediate value, the second intermediate value being unique to a second verification transaction at the server, sending, by the client device, a first token based on the first intermediate value to the server to execute the first verification transaction, and sending, by the client device, a second token based on the second intermediate value to the server to execute the second verification transaction.

Abstract: An apparatus and method for updating cyber security support based on real time changes are provided. The apparatus includes a processor and a memory communicatively coupled to the at least a processor. The memory contains instructions configuring the at least a processor to receive a cyber profile associated with a digital environment and receive a risk profile associated with the cyber profile. Further, the memory contains instructions configuring the at least a processor analyze the cyber profile and the risk profile and calculate a cyber-attack safeguard quantifier for a cyber-attack safeguard based on the analysis of the cyber profile and risk profile. Additionally, the memory contains instructions configuring the at least a processor monitor for a digital environment variation and update the cyber-attack safeguard quantifier.

Abstract: Systems and methods for combining input data and machine learning models that remain secret to each entity are described. This disclosure can allow groups of entities to compute predictions based on datasets that are larger and more detailed collectively than individually, without revealing their data to other parties. This is of particular use in artificial intelligence (AI) tasks in domains which deal with sensitive data, such as medical, financial, or cybersecurity.

Abstract: Embodiments herein provide a blockchain based platform and method for assessment and verification of Software Bill of Materials (SBOM) across a software supply chain life cycle using blockchain. The method comprising generating the SBOM automatically from a software source code to automate governance of a software asset using blockchain smart contracts, publishing the generated SBOMs to a permissioned blockchain through secure publish, automatically recording timestamps and ownership stamps to the published SBOM's, analysing the software asset for supply chain information to verify if the software asset meets the minimum policy requirements for compliance based on provenance, licensing, vulnerability and security criteria set by the company, determining if a third-party software component is approved for use in the company's applications based on policy and compliance rules and identifying current vulnerabilities and potential remediation for software in use by the company.

Abstract: Aspects of vulnerability scanning are disclosed. In one example, configuration and context information of a first device for which vulnerability scanning is to be performed is obtained. The configuration information includes telemetry data of the first device. A second device is provisioned based on the configuration information to create a cloned first device. The vulnerability scanning is performed on the cloned first device based on the context information to obtain a scan report.

Abstract: Targeted lockdown of a computer system for an identified vulnerability is provided. The targeted lockdown includes configuring a vulnerability lockdown module implemented on a computer system to perform targeted actions to change a configuration of the computer system. The targeted actions may be configured based at least in part on a type of data stored on the computer system and a potential severity of an impact on the computer system if the vulnerability is exploited. The vulnerability lockdown module may implement a vulnerability lockdown mode by causing the computer system to perform the targeted actions to change the configuration of the computer system by restricting functionality of portions of the computer system affected by the identified vulnerability. The targeted actions performed by the computer system may include altering a way in which a user interacts with the computer system.