Abstract: An anomaly detector for detecting anomaly in input data comprises an auto-encoder trained to encode the input data and decode the encoded input data to reconstruct the input data. Further, the anomaly detector comprises a classifier trained to determine a reconstruction loss indicative of a difference between the accepted input data and the reconstructed input data, where the reconstruction loss includes a weighted combination of a plurality of loss functions evaluating reconstruction losses of a plurality of parts of the reconstructed input data, different types of loss functions, or both. The classifier is further configured to detect an anomaly in the reconstructed input data when the reconstruction loss is above a threshold.

Abstract: An apparatus and method for encryption key recovery based on memory analysis. The apparatus may include one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program may collect memory information pertaining to an encrypted part of a file, in which ransomware is detected, based on dynamic binary instrumentation, analyze memory read operation data corresponding to an encryption key that is used for encryption of the file in the memory information, recover the encryption key based on the result of analysis of the memory read operation data, and output the result of recovery of the encryption key.

Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.

Abstract: Systems, methods and computer program products for improving security of artificial intelligence systems. The system comprising processors for monitoring one or more transactions received by a machine learning decision model to determine a first score associated with a first transaction. The first transaction may be identified as likely adversarial, in response to the first score being lower than a certain score threshold and the first transaction having a low occurrence likelihood. A second score may be generated in association with the first transaction based on one or more adversarial latent features associated with the first transaction. At least one adversarial latent feature may be detected as being exploited by the first transaction, in response to determining that the second score falls above the certain score threshold. Accordingly, an abnormal volume of activations of adversarial latent features spanning across a plurality of transactions scored may be detected and blocked.

Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.

Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.

Abstract: Disclosed are various embodiments for validating documents using a blockchain data. Multiple documents can be included in the validation process using a merge and hash process and a summary terms document. Validation can be performed by hashing and merging operations, followed by comparing hash values.

Abstract: A computer-implemented method for executing a user instruction may include obtaining identification data of a user via a device associated with the user, wherein the identification data comprises at least a password, a user name, and biometric data of the user; determining, via the one or more processors, a login status based on the identification data; demonstrating, to the user, historical account data based on the login status, wherein the historical account data comprises at least historical biometric data associated with one or more historical logins; receiving, via the one or more processors, the user instruction based on the historical account data, wherein the user instruction comprises at least one of revoking a historical login, changing password, or signing out a historical device associated with a historical login of the one or more historical logins; and executing, via the one or more processors, the user instruction.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A computer implemented method and system for secure initial secret delivery for collocated containers with shared resources techniques is disclosed. The method comprises providing an application type identifier and a token for accessing a secrets management service; creating asynchronously, a plurality of collocated containers with shared resources; initiating a request for a creation for an initial secret; validating the request, requesting an identity for the collocated containers; validating the identity; starting an application instance; and using the initial secret to retrieve other secrets for the application instance.

Abstract: Physical unclonable functions (PUFs) are described. The PUFs utilize intrinsic information to determine the confidence level of comparison values. The information about confidence levels may be used to simplify the process of recovering the PUF secret. Since the information about confidence levels may be intrinsic, and not know outside the PUF, the PUF may be secure.

Abstract: Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.

Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.

Abstract: A method for electing a representative node device is performed at a blockchain system, including: obtaining voting transaction data from the node devices, the voting transaction data being used for voting for one or more node devices of the blockchain system as representative node devices; generating and storing the voting transaction data into a target blockchain of the blockchain system when a plurality of node devices of the blockchain system verify the voting transaction data by consensus; and when a quantity of blocks in the target blockchain generated using the voting transaction data reaches a preset quantity, determining an election result according to quantities of votes of the node devices determined from the voting transaction data, the election result identifying a plurality of representative node devices in the blockchain system being configured to generate new blocks for the target blockchain and perform verification on the new blocks by consensus.

Abstract: A policy-based browser system for managing browser extensions used to access functionalities on a web browser in a cloud-based multi-tenant system. The policy-based browser system includes a client device, a web server configured to provide the functionality of the browser extension on a web browser of the client device, and a mid-link server. The network traffic from the client device is monitored to identify traffic patterns, risk is determined associated with the browser extension based on the traffic patterns, and a correlation of the browser extension with a plurality of browser extensions. A policy for the browser extension is identified based on the risk. The policies specify access to the browser extensions based on the risk associated with the browser extensions. The browser extensions are categorized based on the policies and the risk. An authorization corresponding to the browser extension is determined based on the policy.

Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.

Abstract: In some implementation, a system for identifying malicious attacks on a convolutional neural network (CNN) model includes a target computing system that performs classification of objects using a CNN model, and an attack identification computing system that identifies an injected neural attack. The attack identification computing system can be configured to generate, based on the CNN model and associated parameters, an ecosystem of CNN models by modifying original weights of the parameters associated with the CNN model; update the original weights of the parameters with the modified weights; store, in a secure data store, the updated weights of the parameters; generate, based on the updated weights, an update file for the CNN model; update, using the update file, the CNN model; and transmit the updated CNN model to a targeting computing system configured to detect neural attacks by an attacker computing system based on the updated CNN model.

Abstract: The present disclosure relates to a wireless token capable of representing a user network, the token being used to automatically provision an IoT enabled device to connect to the user network. Functions required to achieve this include: authenticate the token with the user network, and responsive to said authentication, obtain and store configuration information for enabling the token to communicatively couple one or more devices at or within a defined proximity to the token, with the user network; responsive to a wireless signal received from a given device among the one or more devices, establish a temporary secure communication channel between the given device and the token; and provide the configuration information from the token to the given device using the temporary secure communication channel, wherein the configuration information enables the given device to establish a connection with and operate in the user network based on the obtained configuration information.

Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.

Abstract: A system may include a first processing component arranged in a secure domain of the system. The system may include a second processing component arranged outside of the secure domain of the system. The system may include one or more hardware accelerators to perform operations in association with providing communication security for the system. The one or more hardware accelerators may be accessible by the first processing component via a channel in the secure domain. The one or more hardware accelerators may be accessible by at least the second processing component via a channel outside of the secure domain.