Patents Examined by Jessica J South
  • Patent number: 10951637
    Abstract: Examples relate to distributed detection of malicious cloud actors. In some examples, outgoing cloud packets from the cloud server are intercepted and processed to determine if a preliminary threshold is exceeded, where the outgoing cloud packets are used to identify a customer. At this stage, a potential outgoing intrusion event of a number of potential outgoing intrusion events is generated when the preliminary threshold is exceeded. The potential outgoing intrusion events are used to update an aggregate log, where the aggregate log tracks a customer subset of the cloud servers that is associated with the customer. In response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, a notification of malicious activity by the customer is provided, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: March 16, 2021
    Assignee: Suse LLC
    Inventor: Robert Graham Clark
  • Patent number: 10944568
    Abstract: Provided is a method and system for producing message authentication tags and a method and system for producing hash values using bit-mixers. The methods include producing a message authentication or hash value by obtaining a message; segmenting, padding by an electronic processor, the message into a number of equal sized message blocks comprising a first message block, one or more subsequent message blocks, and a final message block; performing, by the electronic processor, a first bit-mixing operation on the first message block with an initialization value; performing, by the electronic processor, subsequent bit-mixing operations on the one or more subsequent message blocks and the final message block with a previous message block; and producing, by the electronic processor, the message authentication tag based on the first bit-mixing operation and the subsequent bit-mixing operations, employing a secret key material.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: March 9, 2021
    Assignee: THE BOEING COMPANY
    Inventor: Laszlo Hars
  • Patent number: 10915635
    Abstract: A system for providing security in a computer system is provided. The system includes a physical unclonable function (PUF) device and one or more logic circuits. At startup of the computer system, the logic circuits call the PUF device a preset plurality of times with an identical input value to generate a plurality of PUF values that are candidate identifiers of an integrated circuit. The logic circuits apply a hash function to the candidate identifiers to produce respective hash values. The logic circuits also access a reference hash value from a non-volatile memory and verify all of the respective hash values using the reference hash value. The logic circuits further enable the computer system to operate in a first mode or a second mode based on the verification results.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: February 9, 2021
    Assignee: THE BOEING COMPANY
    Inventor: Laszlo Hars
  • Patent number: 10917239
    Abstract: Apparatus and methods for evaluating an encryption key based on policies for a policy operation, including, but not limited to, aggregating existing policies for evaluating at least one key attribute of the encryption key, executing a policy replacement operation replacing at least one existing policy with at least one ephemeral policy, and evaluating the at least one key attribute based, at least in part, on the at least one ephemeral policy.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: February 9, 2021
    Assignee: Fornetix LLC
    Inventor: Stephen Edwards
  • Patent number: 10911228
    Abstract: A one-dimensional modulation continuous-variable quantum key distribution method is provided. The method includes transmitting, at a transmit end, a signal light field that passes through a first amplitude modulator and a first signal adjustment apparatus, and a reference light field, to an optical fiber combiner, and to a receive end through a quantum transmission channel. The method also includes separating, at the receive end, a quantum signal after the quantum signal passes through a second signal adjustment apparatus and an optical fiber splitter; and transmitting a separated reference light field and a separated signal light field to a measurement apparatus after the separated reference light field passes through a third signal adjustment apparatus and a phase modulator. Signal amplitude modulation and phase locking can be implemented by an amplitude modulator and a phase modulator, thereby simplifying the structure of the apparatus and reducing production costs.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: February 2, 2021
    Assignee: Shanxi University
    Inventors: Xuyang Wang, Yongmin Li
  • Patent number: 10855698
    Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: December 1, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, Martin Rehak, David McGrew, Martin Vejman, Tomas Pevny, Martin Grill, Jan Kohout
  • Patent number: 10831764
    Abstract: An example operation may include one or more of identifying a query from a requesting entity, where the query requests access to one or more blockchains, converting the query to an expression tree, creating one or more expression tree variations based on the expression tree, the one or more expression tree variations provide one or more different expressions than the expression tree and a same result as the expression tree, determining access conformity between one or more expression tree variations and the expression tree, selecting an expression tree variation with a greatest conformity rating, performing the query using the expression tree variation with the greatest conformity rating, and providing query results to a requesting entity.
    Type: Grant
    Filed: December 2, 2017
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Vijay Kumar Ananthapur Bache, Jhilam Bera, Vijay Ekambaram, Padmanabha Venkatagiri Seshadri
  • Patent number: 10819752
    Abstract: A computer-implemented method for quantitatively assessing a defense technique. The method includes executing a reasoning engine that receives as an input to the reasoning engine a query that includes an indicia of a defense technique to a computer security threat. The method further includes translating the defense technique into a propositional logic constraint on a queryable representation of a Boolean formula representing a model compiled from a set of computer security threats and a set of defense techniques. The method also includes performing an assessment of the defense technique based on the propositional logic constraint on the queryable representation, to quantify the defense technique relative to a member of the set of computer security threats. The method further includes displaying a result of the assessment to indicate a level of security provided by the defense technique to the member.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: October 27, 2020
    Assignee: Massachusetts Institute of Technology
    Inventors: Richard W. Skowyra, Steven R. Gomez
  • Patent number: 10812523
    Abstract: In one embodiment, a device maintains a journal of uncommitted changes to a file system of the device in a layer that is hot-swappable with a writable container layer. The device augments the journal with metadata regarding a particular uncommitted change to the file system of the device. The device applies, within a sandbox environment of the device, a machine learning-based anomaly detector to the particular uncommitted change to the file system and the metadata regarding the change, to determine whether the particular uncommitted change to the file system is indicative of a destruction of service attack on the device. The device causes performance of a mitigation action when the machine learning-based anomaly detector determines that the particular uncommitted change to the file system is indicative of a destruction of service attack on the device.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: October 20, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Hugo Latapie, Enzo Fenoglio, Pascal Thubert, Jean-Philippe Vasseur
  • Patent number: 10798059
    Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: October 6, 2020
    Assignee: Juniper Networks, Inc.
    Inventors: Prashant Singh, Sreekanth Rupavatharam, Hariprasad Shanmugam, Erin MacNeil
  • Patent number: 10797888
    Abstract: Methods, non-transitory computer readable media, and mobile application manager apparatus that assists secured SCEP enrollment of client devices includes receiving a certificate signing request and an encrypted device key from an enrolled mobile device. The received certificate signing request is forwarded to a simple certificate enrollment protocol server upon determining a validity of the received encrypted device key. A signed device certificate is received from the simple certificate enrollment protocol server as a response to the forwarded certificate signing request. The secured simple certificate enrollment protocol enrollment is completed by forwarding the signed device certificate to the enrolled mobile device.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: October 6, 2020
    Assignee: F5 Networks, Inc.
    Inventors: Ravi Natarajan, Wui Chung Lie, Saxon Amdahl, Nicholas Treat
  • Patent number: 10798073
    Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: October 6, 2020
    Assignee: NICIRA, INC.
    Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz
  • Patent number: 10791095
    Abstract: A user may access resources within a secure network through an agent stored on a first computing device within the secure network which then opens an outbound secure channel through a firewall of the secure network to a request collector stored on a second computing device outside the secure network. The agent waits until the request collector has rendered available on the outbound secure channel a request from the user for access to the resources in the secure network. The agent then reads the request rendered available on the outbound secure channel by the request collector and causes the request to be executed utilizing the resources within the secure network. The agent responds back to the request collector on the outbound secure channel which then responds to the user.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: September 29, 2020
    Inventors: Guido Pellizzer, Federico Simonetti
  • Patent number: 10771449
    Abstract: A method for generating digital certificates for anonymous users in blockchain transactions includes: storing a blockchain comprised of a plurality of blocks, each block including a block header and transaction values, where each transaction value includes data related to a blockchain transaction including a sending address, recipient address, and transaction amount; receiving a certificate request from a computing device, the request including a user public key of a cryptographic key pair; identifying a subset of transaction values in the blockchain where the sending address or recipient address was generated using the user public key; determining a confidence level based on the data included in each transaction value included in the subset; generating a digital certificate based on the determined confidence level; and transmitting the generated digital certificate to the computing device.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: September 8, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Ankur Arora, Manish Kumar, Shuvam Sengupta
  • Patent number: 10768941
    Abstract: A computing device includes a processor, a memory coupled to the processor, and a non-transitory computer readable storage medium coupled to the processor that includes instructions, that when executed by the processor, cause the processor to manage a transition between a first operating system and a second operating system. The instructions cause the processor to instantiate a copy-on-write virtual computing system executing a first operating system, delete a second operating system from the non-transitory computer readable storage medium or the memory, copy the first operating system to the non-transitory computer readable storage medium. The instructions can further cause the processor to instantiate the first operating system on the computing device.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: September 8, 2020
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Kate Mallichan, Boris Balacheff, Vali Ali, Shane Steiger, Logan Clay Browne
  • Patent number: 10757103
    Abstract: In an embodiment, a computer-implemented method comprises, receiving an authentication request from a first computing device; in response to receiving the authentication request from the first computing device, performing one or more authentication services on behalf of a second computing device using identity information that is stored in a first data repository; generating, based on data from an access control list maintained at the second computing device, a list of one or more third computing devices; receiving a request from the first computing device to access a third computing device in the list of one or more third computing devices; generating service identity information for authenticating to the third computing device and storing the service identity information in a second data repository; and performing one or more authentication services on behalf of the first computing device using the service identity information that is stored in the second data repository.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: August 25, 2020
    Assignee: Xage Security, Inc.
    Inventors: Susanto Junaidi Irwan, Ganesh B. Jampani, Andy Sugiarto
  • Patent number: 10747878
    Abstract: Rapid verification of executing processes includes receiving a seed from a verification unit. A checksum is generated at least in part by using a processor. The processor is coupled to a hierarchical memory, the hierarchical memory comprising an instruction cache, a data cache, and a shared memory accessible by both the instruction cache and the data cache. The shared memory is configured to store an executing program. A size of at least one of the instruction cache and the data cache is insufficient to store the entire executing program. The checksum is transmitted to the verification unit.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: August 18, 2020
    Assignee: RightQuestion, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 10721079
    Abstract: In representative embodiments, architectures to improve security through use of an anomaly score are disclosed. A set of cryptographic key material is used to create a model based on a dimensionality reduction and a density estimation that captures the expected behavior of the set of cryptographic key material. An anomaly score for presented cryptographic key material is calculated based on the model. The anomaly score represents the divergence from expectations for the presented cryptographic key material. The anomaly score can be used by a relying system to determine whether to trust the presented cryptographic key material. In this way, cryptographic key material that is valid can be tested to determine whether the cryptographic key material should be trusted even though it is valid.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: July 21, 2020
    Assignee: Venafi, Inc.
    Inventors: Matthew Woods, Remo Ronca
  • Patent number: 10685293
    Abstract: To analyze cybersecurity threats, an analysis module of a processor may receive log data from at least one network node. The analysis module may identify at least one statistical outlier within the log data. The analysis module may determine that the at least one statistical outlier represents a cybersecurity threat by applying at least one machine learning algorithm to the at least one statistical outlier.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: June 16, 2020
    Assignee: CYBRAICS, INC.
    Inventors: Richard Edwin Heimann, Jonathan Lee Ticknor, Amanda Lynn Traud, Marshall Thomas Vandergrift, Kaska Adoteye, Jesse Pruitt Jeter, Michael Toru Czerny
  • Patent number: 10681069
    Abstract: A technique includes processing domain name system queries generated by a host to identify a subset of the queries for which domain names were not resolved. The technique includes using a time-based analysis to detect domain generation algorithm-based malware communications by the host, including detecting malicious communications by the host based at least in part on a number of the queries of the identified subset and a time span within which the queries of the subset were generated.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: June 9, 2020
    Assignee: MICRO FOCUS LLC
    Inventors: Barak Raz, Sasi Siddharth Muthurajan