Abstract: Disclosed herein are system, method, and computer program product embodiments for enabling access to a firmware-locked function of a secure device. A secure device may be production hardware that has locked certain functions not available for public use. In an embodiment, the secure device may receive a request to access a firmware-locked function. The request may include an authorization token that includes an identifier specific to the particular secure device. Based on the receipt of the authorization token, the secure device may retrieve authorization data from the firmware memory of the secure device to determine whether the provided authorization token matches the firmware authorization data. In an embodiment, the secure device may also utilize channel information for authentication purposes. Using the authorization token and/or channel information, the secure device may determine whether to grant access to the firmware-locked function.

Abstract: Disclosed is an input device, comprising a touch sensor and a processing system. The touch sensor includes a touch sensing region and a plurality of pixels in the touch sensing region. The processing system is coupled to the touch sensor and comprises circuitry configured to: determine that a touch has occurred on a touch sensor; for each pixel included in the touch, receive touch information from the touch sensor; for each pixel included in the touch, determine a pixel response value for the pixel; and, compute a touch-based metric based on one or more pixel response values, wherein a model is used to perform behavioral authentication based on the touch-based metric.

Abstract: An example operation may include one or more of receiving a request to open a storage system, the request comprising an identification of a user that submitted the request, transmitting a notification to one or more stakeholder devices of the storage system indicating the user requests access to the storage system, receiving responses from the one or more stakeholder devices, determining, via a smart contract executing on a blockchain node associated with the storage system, whether to open the storage system based on the received responses and consensus information included in the smart contract, and storing the determination made by the smart contract as a transaction in a blockchain.

Abstract: A GAN includes a first device and a second device. A discriminator model in the first device is trained to discriminate samples from a transmitter in the first device from samples from other transmitters, by collaborating by the first device with the second device to train the discriminator model to discriminate between samples from its transmitter and spoofed samples received from a generator model in the second device and to train the generator model in the second device to produce more accurate spoofed samples received by the first device during the training. The training results in a trained discriminator model, which is distributed to another device for use by the other device to discriminate samples received by the other device in order to perform authentication of the transmitter in the first device. The other device performs authentication of the transmitter of the first device using the distributed model.

Abstract: Methods, non-transitory computer readable media, and access policy manager apparatus that assists with enforcing an access control list based on one or more managed applications includes receiving a request to access a web application from an enrolled mobile device. An access control for the received request is identified based on data associated with the enrolled mobile device and a user using the enrolled mobile device. The identified access control list is enforced on the enrolled mobile device to determine when to provide access to the requested web application. Access to the requested web application is provided to the enrolled mobile device when enforced access control list comprises data to allow the enrolled mobile device access to the requested web application.

Abstract: Extensibility tools are provided to customers for defining custom restriction rules for enhanced access controls. In an example method, a listing of restriction rules available for a business role are presented. The restriction rules include predefined restriction rules and at least one custom restriction rule placeholder, wherein the predefined restriction rules are delivered with the enterprise software system the at least one customer restriction rule placeholders are associated with a link to custom code developed as a customer-specific restriction rule. A selection of a particular custom restriction rule is received and associated with the particular business role. When evaluating the restriction rule, the custom code and a set of master data defined in the custom code is accessed to determine restrictions for each of the end users associated with the business role. A set of access objects are derived for each user based on the information.

Abstract: Methods for securing communication in a network of IoT devices is provided. Methods include selecting a base IoT hub for operating as an intermediary layer for IoT devices. Methods include selecting from the plurality of IoT devices a selected plurality of IoT devices. Each of the selected IoT devices is configured to send and receive electronic communications. Methods include linking each of the selected plurality of IoT devices to the base IoT hub. Methods include storing, in a data repository within the hub, identification data associated with each of the IoT devices. The communication-types typically associated with each of the selected plurality of IoT devices are stored in the data repository. When an IoT device is activated to send a communication, methods include comparing and analyzing the communication and identification data of the activated device to stored identification data and communication-types of the selected IoT devices.

Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

Abstract: The disclosure relates to, among other things, systems and methods for facilitating the secure recording and use of assertions made by entities regarding other entities. Embodiments of the disclosed systems and methods provide mechanisms to make assertions in an authentic and authoritative manner and enable discovery and reliance on those assertions using trusted distributed ledgers and/or derivatives of the same. Various embodiments may be used in connection with establishing security associations and/or secure communication channels between entities and/or the secure management of governed electronic resources.

Abstract: In general, in one aspect, a method includes receiving software code with an invalid characteristic, repeatedly attempting to execute the software code with the invalid characteristic on a device, and in response to successful execution of the software code with the invalid characteristic, taking an action. The action may include an action to remediate the device.

Abstract: A machine learning model is applied to at least determine whether a computer program includes vulnerable code. The machine learning model is trained to determine whether the computer program includes vulnerable code based at least on a presence and/or absence of a first trait. An indication can be provided, via a user interface, an indication that the computer program includes vulnerable code, when the computer program is determined to include vulnerable code. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: A system for providing security in a computer system is provided. The system includes a plurality of ring oscillators and one or more logic circuits. The ring oscillators are equipped with a respective plurality of counters to count impulses of oscillating outputs of the ring oscillators. The one or more logic circuits start and stop the respective plurality of counters over repeated counting periods, and select a group of ring oscillators from the plurality of ring oscillators. The one or more logic circuits also determine a correlation between oscillating outputs of the group of ring oscillators. The one or more logic circuits further generate a notification indicating interference in the group of ring oscillators and thereby the plurality of ring oscillators when the correlation is above a predefined threshold correlation.

Abstract: An intelligent transportation system, ITS, station (600) comprising: a host processor (640); and a memory (664) operably coupled to the host processor (640). The host processor (640) is configured to: perform verification per identity that includes precomputation of data for a plurality of neighbouring ITS stations of the ITS station (600); store precomputation data for the verified identity of the plurality of neighbouring ITS stations in the memory (664); and extract from memory (664) and use the stored precomputation data for a respective neighbouring ITS station to perform an accelerated verification of a subsequent message received from that neighbouring ITS station.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: A method includes receiving a request from a host device to authenticate a device. The method further includes transmitting authenticating data to the host device. Responsive to successful authentication of the device, configuration interface and communication interface of the device is exposed to the host device. The method further includes processing commands from the host device after the device is successfully authenticated. Responsive to the processed commands, payload data is sent or received to or from the host device according to the communication interface.

Abstract: Methods and systems for identifying content of interest. Accessed textual information is processed by at least one of character unification, phrase unification, and concept unification. A configured processor executes at least one predefined rule to determine whether the unified content includes certain types of information. Unified content that matches may be subject to further action such as alerts, encryption, logging, etc.

Abstract: A technique for local proxy detection includes monitoring outbound traffic from the endpoint with remote network addresses outside the enterprise network, detecting use of a secure communication protocol with a request from the endpoint to one of the remote network addresses, identifying a plaintext network address within the request, and in response to identifying a plaintext network address in the request, initiating remediation of a potentially malicious local proxy on the endpoint.

Abstract: Systems and methods described herein relate to secure, efficient, confidential, and/or outsourced blockchain networks, which can enable a group of mutually distrusting participants to securely share state and then agree on a linear history of operations on that shared state.

Abstract: A method divides data traffic into multiple optical transport units formatted according to an optical transport network (OTN) standard. The multiple optical transport units include a master optical network unit and one or more slave optical network units. Each optical network unit includes overhead and a payload. The overhead includes used overhead specifically defined in the OTN standard and unused overhead not specifically defined in the OTN standard. The method encrypts each optical network unit with a respective one of multiple encryption keys, defines security control parameters identifying the multiple encryption keys, and inserts the security control parameters into the unused overhead of a first slave optical network unit among the one or more slave optical network units. The method transmits the optical network units in encrypted form.

Abstract: Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.