Patents Examined by Ka Shan Choy
  • Patent number: 11870919
    Abstract: An issuing authority (IA) may validate the identity of a user and issue a digital license to the user. The IA may generate an IA public-private key pair and provide the IA public key to the certification authority (CA). The IA may sign the digital license with the IA private key and provision the signed digital license on the user device. The IA may request the CA to certify the digital license. The CA may use the IA public key to validate the digital license and sign the IA public key with the CA private key, thereby generating a digital certificate associated with the issuing authority that is linked to the digital license. A relying party may use the CA public key to validate the digital license. The relying party can retrieve the information from the digital license and trust that the retrieved information is legitimate.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: January 9, 2024
    Assignee: Visa International Service Association
    Inventors: Andreas Aabye, Christopher McMillan, Adam Clark, Christian Aabye, Simon Hurry
  • Patent number: 11870792
    Abstract: An abnormal traffic analysis apparatus includes receiving means for receiving traffic from a device via any of a plurality of communication paths in which different communication methods are used, multiple communication management means for identifying a communication path through which the traffic is transmitted, analysis method determination means for determining an analysis algorithm for detecting abnormality of the traffic according to the communication path identified by the multiple communication management means, analysis means for analyzing whether or not the traffic is abnormal traffic by using the analysis algorithm determined by the analysis method determination means, and analysis result recording means for recording a result of analysis performed by the analysis means.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: January 9, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Takafumi Harada, Gembu Morohashi, Hiroki Ito
  • Patent number: 11863985
    Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header fields and information elements (IEs) in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcast by other APs in the TWE, including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: January 2, 2024
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Scott Elliott, Jay Lindenauer
  • Patent number: 11863984
    Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header fields and information elements (IEs) in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcast by other APs in the TWE, including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: January 2, 2024
    Assignee: WatchGuard Technologies, Inc.
    Inventors: Scott Elliott, Jay Lindenauer
  • Patent number: 11847245
    Abstract: Systems as described herein may label data to preserve privacy. An annotation server may receive a document comprising a collection of text representing a plurality of confidential data from a first computing device. The annotation server may convert the document to a plurality of text embeddings. The annotation server may input the text embeddings into a machine learning model to generate a plurality of synthetic images, and receive a label for each of the plurality of synthetic images from a third-party labeler. Accordingly, the annotation server may send the confidential data and the corresponding labels to a second computing device.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: December 19, 2023
    Assignee: Capital One Services, LLC
    Inventors: Anh Truong, Austin Walters, Jeremy Goodsitt, Vincent Pham, Reza Farivar, Galen Rafferty
  • Patent number: 11848947
    Abstract: A system and a method of providing security to an in-vehicle network are provided. The method efficiently operates multiple detection techniques to maintain robustness against malicious message detection while increasing overall detection efficiency.
    Type: Grant
    Filed: January 21, 2019
    Date of Patent: December 19, 2023
    Assignees: Hyundai Motor Company, Kia Motors Corporation
    Inventors: Seung Wook Park, Seil Kim, Aram Cho
  • Patent number: 11843624
    Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that classifies cloud traffic between a client and cloud application as malicious command and control (C2) cloud traffic or benign cloud traffic. A cloud traffic classifier, in communication with a network security system, is provided intercepted cloud traffic as an input, and generates an output that classifies the cloud traffic as malicious command and control (C2) cloud traffic or benign cloud traffic. The classifier may use signals such as beaconing behavior, anomalous entity, anomalous agent, anomalous username, cat's paw behavior of the client, anomalous hostname access patterns, and/or malicious task sequence execution.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: December 12, 2023
    Assignee: Netskope, Inc.
    Inventors: Colin Estep, Siying Yang, Jenko Hwong, Gustavo Palazolo Eiras, Yongxing Wang, Dagmawi Mulugeta, Raymond Joseph Canzanese, Jr.
  • Patent number: 11838307
    Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: December 5, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Alexander Basovskiy, Dmitry Kravchenko, Avraham Dayan, Moshe Hadad
  • Patent number: 11836244
    Abstract: A method for detecting a trusted execution environment (TEE) clone application operating on a computing device includes measuring a plurality of read time periods associated with a plurality of monitored cache sets within a memory cache based on executing a first auxiliary thread of a TEE application on the computing device. Each of the read time periods indicates a time period that is used to read data within one of the monitored cache sets. The read time periods are compared with a time threshold to determine one or more cache misses. The TEE clone application is detected as operating on the computing device based on the determined cache misses.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: December 5, 2023
    Assignee: NEC CORPORATION
    Inventors: Samira Briongos, Claudio Soriente, Ghassan Karame
  • Patent number: 11832101
    Abstract: In some embodiments, an exemplary access controlling network architecture may include: a computer platform configured to: receive, from an online entity, an action performance request; request, from an access controlling platform, an expected access control digital key to be presented to the online entity; receive the expected access control digital key; instruct to display the expected access control digital key at a computing device; cause a mobile originating communication, having the expected access control digital key and an identity linked to the computing device; determine a lack of a receipt of the access authentication indicator associated with the online entity from the access controlling platform; and perform, due to, for example, the online entity being a BOT, one of: modifying a visual schema of the online entity, disabling the online entity, or suspending one of: a performance of the online entity or the performance of the action by the online entity.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: November 28, 2023
    Assignee: STARKEYS LLC
    Inventor: Ari Kahn
  • Patent number: 11831662
    Abstract: Extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power system cybersecurity attack surface. National and jurisdictional interconnection standards require DER to include a range of autonomous and commanded grid-support functions which can drastically influence power quality, voltage, and the generation-load balance. Investigations of the impact to the power system in scenarios where communications and operations of DER are controlled by an adversary show that each grid-support function exposes the power system to distinct types and magnitudes of risk. The invention provides methods for minimizing the risks to distribution and transmission systems using an engineered control system which detects and mitigates unsafe control commands.
    Type: Grant
    Filed: June 10, 2022
    Date of Patent: November 28, 2023
    Assignee: National Technology & Engineering Solutions of Sandia, LLC
    Inventor: Jay Tillay Johnson
  • Patent number: 11824875
    Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: November 21, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: Sean Moore, Jonathan R. Rogers, Vincent Mutolo, Peter P. Geremia
  • Patent number: 11822638
    Abstract: Embodiments described herein disclose technology for authenticating a user. In some embodiments, a smart card or other similar authentication device can be associated with a user profile. When a request to interact is received via an application associated with a device, the system prompts the user to wave the smart card within a threshold proximity of the device. In response to the smart card being placed within the proximity, the system collects information from the smart card and verifies that the smart card is associated with the user profile of the user. In response to verifying the information from the smart card, the system authenticates the user and allows the user to interact.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: November 21, 2023
    Assignee: United Services Automobile Association
    Inventor: John R. Clowe
  • Patent number: 11822901
    Abstract: Cryptographic methods and systems are described. Certain examples relate to performing cryptographic operations by updating a cryptographic state. The methods and systems may be used to provide cryptographic functions such as hashing, encryption, decryption and random number generation. In one example, a non-linear feedback shift register or expander sequence is defined. The non-linear feedback shift register or expander sequence has a plurality of stages to receive the cryptographic state, wherein at least one of the plurality of stages is updated as a non-linear function of one or more other stages. In certain examples, a cryptographic state is updated over a plurality of rounds. Examples adapted for authenticated encryption and decryption, hashing, and number generation are described.
    Type: Grant
    Filed: September 17, 2021
    Date of Patent: November 21, 2023
    Assignee: PQShield Ltd.
    Inventor: Markku-Juhani Olavi Saarinen
  • Patent number: 11818176
    Abstract: The technology disclosed relates to configuring IoT devices for policy enforcement. In particular, the technology disclosed relates to configuring a plurality of special-purpose devices on a network segment of a network to steer outbound network traffic to an inline secure forwarder on the network segment instead of a default gateway on the network segment. The inline secure forwarder is configured to route the outbound network traffic to a policy enforcement point for a policy enforcement.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: November 14, 2023
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Siying Yang, Krishna Narayanaswamy
  • Patent number: 11816670
    Abstract: Various embodiments of the present invention set forth techniques for monitoring risk in a computing system. The technique includes creating one or more risk objects, where each risk object of the one or more risk objects has a corresponding stored risk definition, the stored risk definition associating the risk object with raw machine data pertaining to the risk object, the raw machine data reflecting activity in an information technology (IT) environment. The technique further includes receiving a selection of a first risk object included in the one or more risk objects and receiving a first risk definition that corresponds to the first risk object. The technique further includes performing a search of the raw machine data according to the first risk definition, wherein a risk is identified based on the search of the raw machine data and performing an action based on identifying the risk.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: November 14, 2023
    Assignee: SPLUNK INC.
    Inventor: Gleb Esman
  • Patent number: 11799892
    Abstract: Methods, non-transitory computer readable media, and database activity monitor devices that deploy a monitoring proxy into a virtual private cloud (VPC) network hosted by a first public cloud network following detection in the VPC network of a new database associated with an entity. The monitoring proxy is configured to obtain and report the activity data based on a first database type of the cloud database. A determination is made when at least one security check defined in at least one security policy is violated based on an analysis of the activity data. An alert is automatically output via a communication network, when the determination indicates the security check is violated. One or more interactive dashboards are generated and output based on the activity data. The interactive dashboards comprise a historical database activity report for the entity.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: October 24, 2023
    Assignee: CLOUD STORAGE SECURITY
    Inventors: Aaron Newman, Jason Ruckman, Angus Davis
  • Patent number: 11797692
    Abstract: Disclosed are systems and methods for generating security policies for containers. An example method comprises identifying a virtualized execution environment running on a computer system, parsing metadata associated with the virtualized execution environment to identify resources of the computer system to be used by the virtualized execution environment, generating a set of access rules providing access to the resources, and creating a security policy in view of the set of access rules.
    Type: Grant
    Filed: February 18, 2022
    Date of Patent: October 24, 2023
    Assignee: Red Hat, Inc.
    Inventors: Lukas Vrabec, Petr Lautrbach
  • Patent number: 11792214
    Abstract: A first dataset that includes an indication of a plurality of network events associated with a time-period is received. For each time sub-period from a plurality of time sub-periods that together span the time-period and to generate a second dataset, a value for each network event from the plurality of network events that occur within that time sub-period is summed. A discrete Fourier transform is performed based on the second dataset to generate a third dataset that includes an indication of a plurality of frequency ranges and a plurality of magnitude values for the plurality of frequency ranges. Each frequency range from the plurality of frequency ranges is associated with a magnitude value from the plurality of magnitude values. A set of candidate frequencies from the plurality of frequencies determined to potentially cause periodic behavior is identified based on the plurality of frequency ranges and the plurality of magnitude values.
    Type: Grant
    Filed: November 18, 2022
    Date of Patent: October 17, 2023
    Assignee: Arctic Wolf Networks, Inc.
    Inventors: Geoffrey Ryan Salmon, Hazem Mohamed Ahmed Soliman, Mohan Rao
  • Patent number: 11792164
    Abstract: Systems described herein may dynamically add one or more proxy data protection agents to a cloud data storage system to process a data protection job. Upon completion of the job or at some other appropriate interval, the system can power down and decommission the proxy data protection agents and/or the virtual machines on which the data protection proxies reside according to a cleanup schedule (e.g., at hourly or minute intervals). In order to improve the allocation of computing resources, the system takes into account currently existing proxies or virtual machines when processing a backup request to determine the need for new proxies to service the backup request. In this manner the system can save costs and computing resources through efficient virtual machine deployment and retirement.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: October 17, 2023
    Assignee: Commvault Systems, Inc.
    Inventors: Rajesh Polimera, Supreeth Sanur, Henry Wallace Dornemann, Prasanna Kumar Thoppe Ravindran