Patents Examined by Ka Shan Choy
  • Patent number: 10530712
    Abstract: Techniques for providing a reflexive access control list (ACL) on a virtual switch are provided. Embodiments receive a first packet corresponding to a first network flow and a second packet corresponding to a second network flow. Upon determining that a SYN flag is set within the first packet, a first entry is created in the reflexive ACL for the first network flow. Upon determining that the first packet was received over a client port of the first physical switch, the first packet is forwarded to a second physical switch within the virtual switch. Upon determining that the second packet has a SYN flag enabled, a second entry is created in the reflexive ACL. Finally, upon determining that the second packet was received from the second physical switch, the second packet is forwarded over an uplink port to a destination defined by the second packet.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: January 7, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Sameer Dilip Merchant, Sarang Dharmapurikar, Praveen Jain
  • Patent number: 10523633
    Abstract: A method communicates between secured computer systems in a computer network infrastructure. Data packets are transmitted between a plurality from a group of processing computer systems, wherein such a transmission is performed by at least one broker computer system. The data packets are advantageously routed via at least one relay system connected upstream or downstream of the broker computer system in a transmission path of the data packets. All from the group of processing computer systems keep predetermined network ports at least temporarily closed so that access to a respective processing computer system via a network by the network ports is prevented. The relay system keeps predetermined network ports closed at least to the broker computer system, which has the relay system connected downstream so that access to the relay system via a network by the network ports is prevented.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: December 31, 2019
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 10521360
    Abstract: Network protocols generally implement integrity protection, encryption and authentication as separate validation steps. Since each validation step contributes encoding and processing overhead associated with individual packet transfers over the network, such network protocols can make inefficient use of limited packet space. Systems and methods according to the present disclosure combine integrity protection, encryption and authentication into a single validation step thereby making efficient use of limited packet space.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: December 31, 2019
    Assignee: Google LLC
    Inventors: Daniel Earle Gibson, Monica C. Wong-Chan, Milo Martin
  • Patent number: 10505924
    Abstract: Embodiments of the disclosure are directed to authenticating a user at an electronic computing device. Information is received from a defined zone of an environment surrounding the user. A level of authentication is calculated for the user based on the information from the defined zone of the environment. When the level of authentication is greater than or equal to a predetermined threshold, the user is authenticated at the electronic computing device to perform a requested activity.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: December 10, 2019
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Wayne Barakat, Sotirios K. Barkas, Michael Chang, Laura Marie Fontana, Julio Jiron, Beth S. Moss, Traci Nguyen, Paul Vittimberga
  • Patent number: 10481906
    Abstract: Methods and devices for improving security of a use case model are described. In accordance with the present disclosure, detection rules are applied to the use case model to detect bad smells. The use case model is converted into an XML representation. The XML representation is refactored using the security bad smells to generate a refactored XML representation of the use case model. A behavior consistency verification processing is performed by processing the refactored use case models. Quality metrics of the refactored XML representation are generated before and after the refactoring. The quality metrics are compared to generate a quality improvement assessment of security for the use case model.
    Type: Grant
    Filed: October 25, 2017
    Date of Patent: November 19, 2019
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Mohammad Alshayeb, Mahmood Niazi, Haris Mumtaz, Sajjad Mahmood
  • Patent number: 10482226
    Abstract: Methods and systems for identifying autonomous vehicle users are described herein. An autonomous vehicle may receive a request to pick up a user at a starting location and transport the user to a destination location. Accordingly, the autonomous vehicle may travel to the starting location. Upon arriving at the starting location, the autonomous vehicle may detect whether a person approaching the vehicle is the user by detecting a biometric identifier for the person. The biometric identifier may then be compared to a biometric fingerprint for the user, and if there is a match, the autonomous vehicle may determine that the person is the user. As a result, the user may be allowed to enter the autonomous vehicle and/or the autonomous vehicle may begin travelling to the destination location. Otherwise, the person may be denied entry to the autonomous vehicle.
    Type: Grant
    Filed: January 18, 2017
    Date of Patent: November 19, 2019
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Blake Konrardy, Scott T. Christensen, Gregory Hayward, Scott Farris
  • Patent number: 10484418
    Abstract: Systems, methods, and apparatuses enable updating security policies in response to detecting attack activity or security threats. In an embodiment, security microservices detect attack activity sent between resources within an internal network. In response, the security microservices correlate the attack activity to externally accessible resources that were the initial entry point for the attack activity to the internal network. Based on this correlation, the security microservices update security policies bi-directionally to prevent the spread of future attack activity in the internal network between resources at a same level in the internal network and between resources at different levels in the internal network.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: November 19, 2019
    Assignee: SHIELDX NETWORKS, INC.
    Inventors: Ratinder Paul Singh Ahuja, Manuel Nedbal
  • Patent number: 10476680
    Abstract: An electronic device having anti-cloning function includes a first critical integrated circuit, which further includes a first security function block configured to authenticate an identity of a second critical integrated circuit in communication with the first critical integrated circuit, wherein the first security function block authenticates the identity of the second critical integrated circuit according to a chip identity of the second critical integrated circuit created using a non-volatile memory (NVM) physically unclonable function (PUF).
    Type: Grant
    Filed: February 2, 2017
    Date of Patent: November 12, 2019
    Assignee: eMemory Technology Inc.
    Inventors: Wei-Zhe Wong, Ching-Sung Yang
  • Patent number: 10452839
    Abstract: A method for improving cascade classifier ordering is described. In one embodiment, the method may include determining an efficacy rating of a first current configuration, generating a decreasing sequence of values for a control parameter, and selecting a current value of the control parameter according to the decreasing sequence of values. In some cases, the method may include randomly selecting a first test configuration among the plurality of configurations based at least in part on the current value of the control parameter, analyzing the first test configuration in relation to the first current configuration, and implementing, based at least in part on the analyzing of the first test configuration, the first test configuration in a machine learning classification system of a computing device to improve a data classification accuracy of the computing device.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: October 22, 2019
    Assignee: Symantec Corporation
    Inventors: Ryan Curtin, Aleatha Parker-Wood, Reuben Feinman
  • Patent number: 10440049
    Abstract: Computer networks, particularly larger networks, may have various issues and vulnerabilities. By collecting network traffic data from a network in multiple different locations, then analyzing correlations in this data, performance issues and security risks can be uncovered. Techniques disclosed herein can help mitigate risks posed by malware, mitigate network performance issues, and also help provide a detailed network map of devices, services, and/or operating systems that are present on a network.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: October 8, 2019
    Assignee: PayPal, Inc.
    Inventors: Shlomi Boutnaru, Eyal Ben Simon, Eli Strajnik, Matan Toledano
  • Patent number: 10430350
    Abstract: This disclosure is directed to a computing system that performs techniques relating to the secure storage, maintenance, and retrieval of data. Techniques described in this disclosure may prevent, limit, or otherwise insulate the data from unauthorized access by hackers, rogue devices, and unauthorized users. In some examples, a computing system may store a file by fracturing the file into multiple data blocks, encrypting the data blocks or the data stored within the data blocks, and storing the data blocks in scattered locations on a network. Further, the computing system may occasionally move at least some of the stored data blocks, and may, upon moving such data blocks, reencrypt the moved data blocks with a different encryption key. Still further, the computing system may inject fake data and/or fake data blocks into the system.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: October 1, 2019
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Basil F. Nimry, Nicholas Gillis, Ankush Bhatia
  • Patent number: 10425416
    Abstract: A method of unblocking external computer systems includes transmitting an authentication packet from an external computer system, configured outside the computer network infrastructure, to a broker computer system within the computer network infrastructure, wherein the authentication packet contains signed information for authentication of the external computer system, automatically transmitting the authentication packet from the broker computer system to at least one processing computer system within the computer network infrastructure, wherein the processing computer system keeps predetermined network ports at least temporarily closed wherein, however, the processing computer system is capable of accessing the broker computer system to fetch the authentication packet from the broker computer system, unblocking at least one selective network port by the processing computer system for communication with the external computer system, and establishing a connection to the selectively unblocked network port of th
    Type: Grant
    Filed: July 14, 2015
    Date of Patent: September 24, 2019
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 10419481
    Abstract: Methods and systems for securing data are provided. For example, one method includes receiving at an adapter, data with a first type of error protection code from a host memory of a computing device; adding by the adapter a second type of error protection code to the data before removing the first type of error protection code; generating by the adapter, a frame header for the data with a protocol specific protection code and a third type of error protection code, where the third type of error protection code is generated without using any frame header field; encrypting by the adapter, the data, the protocol specific protection code and the third type of error protection code; and transmitting by the adapter, the encrypted data with encrypted protocol specific protection code and encrypted third type of error protection code to a receiving adapter coupled to the adapter by a network link.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: September 17, 2019
    Assignee: Cavium, LLC
    Inventors: Ali A. Khwaja, David T. Kwak, Biswajit Khandai, Oscar L. Grijalva, Rajendra R. Gandhi
  • Patent number: 10409991
    Abstract: A USB device for secure data loading to a system component, such as of an aircraft. The USB device is operable in a mass storage mode and in a non-mass storage mode. The USB device initially operates in the non-mass storage mode upon startup and comprises a storage for storing data to be loaded to the system component, a processor and a memory, wherein the memory contains instructions executable by the processor such that the USB device is operable to perform a security check on the data to be loaded to the system component, and switch, upon the security check, from the non-mass storage mode to the mass storage mode to provide the data for loading to the system component.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: September 10, 2019
    Assignee: AIRBUS CYBERSECURITY GMBH
    Inventors: Maxim Salomon, Timo Warns
  • Patent number: 10404471
    Abstract: In a system and methods for secure ledger assurance tokenization, a request circuit is structured to access a first block of a first blockchain. The first block includes a first block identifier of the first blockchain and first block content. The request circuit is structured to audit the first block content so as to generate a first audit result. A secure ledger assurance token (SLAT) generation circuit is structured to generate a first SLAT, the first SLAT comprising the first block identifier of the first blockchain and the first audit result. The cryptographic circuit is structured to cryptographically protect the first SLAT. The SLAT generation circuit stores the cryptographically protected first SLAT in a journal, where the cryptographically protected first SLAT is accessible by an authorized stakeholder to provide integrity and origin authenticity of the first audit result.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: September 3, 2019
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 10397256
    Abstract: In an example embodiment, a computer-implemented method comprises obtaining labels from messages associated with an email service provider, wherein the labels indicate for each message IP how many spam and non-spam messages have been received; obtaining network data features from a cloud service provider; providing the labels and network data features to a machine learning application; generating a prediction model representing an algorithm for determining whether a particular set of network data features are spam or not; applying the prediction model to network data features for an unlabeled message; and generating an output of the prediction model indicating a likelihood that the unlabeled message is spam.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: August 27, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ori Kashi, Philip Newman, Daniel Alon, Elad Yom-Tov, Hani Neuvirth, Royi Ronen
  • Patent number: 10387672
    Abstract: Systems and methods in accordance with various embodiments of the present disclosure provide secure handling of messages at a hardware-protocol level using a logic device on a server. Various embodiments provide approaches for filtering messages on various buses, such as SSIF, SMBus, PMBus, I2C, and SPI, within a server or a computer. Embodiments may include a policy engine through which message handling logic applied to a given bus or buses may be implemented. A message is compared to one or more policies. The message is allowed to be transmitted to a baseboard management controller based on the one or more policies and a type of message.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: August 20, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Jason Alexander Harland, Vijay Patel, Nathan Pritchard
  • Patent number: 10360397
    Abstract: Cloud-based data is securely retrieved by obfuscating access patterns. A cloud storage system receives a request for data from a remote client that specifies a key. Thereafter, the cloud storage system iterates through an index to identify all locations corresponding to the specified key. Such index is generated by applying a series of j hash functions to each key resulting in j different tables forming part of the index. Using the index, the cloud storage system returns data from the identified locations to the client. As each write operation works by using non-deterministic encryption, the write operation changes the records stored in this data structure, and when the record is not changed, the algorithm simply rewrites the data which is stored in the data structure by rewriting the same value back again. However, since a nondeterministic encryption is utilized, it makes it indistinguishable as to when new data was written and when existing data is rewritten.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: July 23, 2019
    Assignee: SAP SE
    Inventor: Vipul Gupta
  • Patent number: 10339309
    Abstract: A system for identifying anomalies in an information system is typically configured for: collecting information regarding a hierarchy of capabilities, a hierarchy of resources, capability instances, and resource instances of the information system; storing, in a graph database, nodes corresponding to the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting information regarding relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; defining, in the graph database, edges corresponding to the relationships among the hierarchy of capabilities, hierarchy of resources, capability instances, and resource instances; collecting event and/or state data for the information system; comparing the event and/or state data to the graph database and determining that an event and/or state is anomalous; and, in response to determining that the event and/or state is anomalous, taking an information security a
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: July 2, 2019
    Assignee: Bank of America Corporation
    Inventors: John Howard Kling, Mark Earl Brubaker, Ronald James Kuhlmeier, Brian D. Diederich, Brandon Matthew Sloane, Rachel Yun Kim Bierner, Cora Yan Quon
  • Patent number: 10341097
    Abstract: According to an embodiment, a communication device is connected with another communication device through a quantum communication channel with a shared encryption key. The device includes a communication unit, a sifter, a corrector, a calculator, and an extractor. The communication unit is configured to acquire a sequence of photons through the quantum communication channel and acquire a photon bit string corresponding to the sequence of photons. The sifter is configured to generate a shared bit string from the photon bit string by sifting processing using basis information. The corrector is configured to generate a corrected bit string by correcting an error included in the shared bit string. The calculator is configured to generate a hash-calculated bit string by performing hash calculation on the corrected bit string. The extractor is configured to extract, as the key, from the hash-calculated bit string, a bit string having the length of the key.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: July 2, 2019
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Ririka Takahashi, Yoshimichi Tanizawa