Patents Examined by Michael Pyzocha
  • Patent number: 11544385
    Abstract: A method and system for dynamic testing and diagnostic assessment of security vulnerability of cloud-based enterprise software applications. The method comprises directing, to a software program under execution, a series of attack vectors; diagnosing a set of results associated with the software execution as comprising one of a security vulnerability and not a security vulnerability, the set of results produced based at least in part on the attack vectors; and assessing a dynamic security vulnerability score for the software program based at least in part on the diagnosing.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: January 3, 2023
    Assignee: Ventech Solutions, Inc.
    Inventors: Matthew Canada, Jerry Allen Craig, II, Kathrine Dass, Raja Krishnamurthy, Dipanjan Nag, Eugene Noble, David Anthony Rigsby, Richard Nathan Toney, Stephen J. Veneruso
  • Patent number: 11544397
    Abstract: Systems and methods are provided for sending and receiving encrypted submessages. Messages could be partitioned into a plurality of submessages based on the content of a message, and such submessages could be individually encrypted and sent over a network. The partitioning could be based on various standards and/or heuristics. In the sending process, submessages could be designated to travel over different networks and networks of different types. Such submessages could then be received and reassembled in spite of containing overlapping content with respect to each other, having to contend with copies of submessages, and having accompanying related content (e.g., advertisements) and non-related content (e.g., random bits). Moreover, the sending process could also be performed in real time or in a batched manner, depending on the implementation.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: January 3, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Reynaldo Medina, III, Arthur Smith
  • Patent number: 11539665
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: December 27, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 11522680
    Abstract: The group of inventions relates to computing techniques and can be used for computing a hash function. The technical effect relates to increased speed of computations and improved capability of selecting a configuration of an apparatus. The apparatus comprises: a preliminary preparation unit having M inputs with a size of k bits, where M>1; M pipelined computation units running in parallel, each comprising: a memory module, a feedback disable module, an adder, a pipeline multiplier having L stages, a feedback unit, and an accumulation unit; and a combining unit.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: December 6, 2022
    Inventor: Ilia Ivanovich Kalistru
  • Patent number: 11522879
    Abstract: A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from the network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies is indicative of an attack on a telecommunications network and performing a remediation action to the signaling messages resolving the attack when the one or more anomalies is indicative of an attack on the telecommunications network.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: December 6, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Yaron Koral, Tzvi Chumash
  • Patent number: 11502996
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: June 4, 2020
    Date of Patent: November 15, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 11502843
    Abstract: This specification discloses devices and methods for a security concept that includes an immobile hardware token (e.g., a “wall token” that is fixed within a wall) which ensures that the more sensitive actions of electronic banking (e.g., money transfers of large sums to foreign bank accounts) can only be done from the account owner's home, but not from a remote place. However, other less sensitive (and lower security risk) actions can still be done from anywhere else. In some embodiments, the hardware token includes sensors to ensure that the token is not moved or tampered with, interfaces to provide distance bounding, and a crypto-processor to provide secure authentication. The distance bounding can be used to determine if the authentication device is in close proximity to the hardware token, which can in turn ensure that the authentication device is within the account owner's home.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: November 15, 2022
    Assignee: NXP B.V.
    Inventor: Jan-Peter Schat
  • Patent number: 11487872
    Abstract: In example implementations, an apparatus is provided. The apparatus includes an input sensor, a memory, a comparator, and a processor. The processor is communicatively coupled to the input sensor, the memory, and the comparator to control operation of the input sensor, the memory, and the comparator. The input sensor is to measure a bus signal of a computing device. The memory is to store the bus signal that is measured and a reference bus signal. The comparator is to compare the bus signal that is measured to the reference bus signal to detect a hardware security attack.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: November 1, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Timothy N. McDonough
  • Patent number: 11483155
    Abstract: A client computing device may obtain access to protected resources with a proof-of-possession (PoP) token. The client computing device may request an access token from an authorization server via an application server. The request may include key material (e.g., token binding type, key, and key parameters) that the client computing device possesses or has access to, such as a public key of an asymmetric public/private key pair. In some embodiments, the public key may be a confirmation (CNF) key, which may be added to the access token and JWT signed by the authorization server. The private key may be retained by the client, who may then use the PoP token to prove possession of the private key.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: October 25, 2022
    Assignee: T-Mobile USA, Inc.
    Inventors: Tyler Axdorff, Senthil Kumar Mulluppadi Velusamy
  • Patent number: 11483307
    Abstract: A system for managing multi-factor authentication of a user includes: one or more source components for obtaining multi-factor authentication data by one or more of: receiving multi-factor authentication data via a network; generating multi-factor authentication data using an algorithm, and a user providing multi-factor authentication data; a routing component for associating the multi-factor authentication codes from the one or more source components with an appropriate user account; a database comprising multi-factor authentication data wherein components of the multi-factor authentication data are stored in association with a particular user account; and one or more delivery components for providing the multi-factor authentication data to a user on a user device.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: October 25, 2022
    Inventor: Vivek Chinar Nair
  • Patent number: 11470103
    Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m1, ..., mN, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: October 11, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Tom Dean, Jack Stockdale
  • Patent number: 11443071
    Abstract: Systems and methods are disclosed for secure debug architecture. For example, an integrated circuit (e.g., a processor) for executing instructions includes a processor core configured to execute instructions; a debug interface comprising two or more conductors with input/output drivers configured to, when enabled, transmit and receive signals between the processor core and an external host device via the two or more conductors; and wherein the integrated circuit is configured to: receive a request from a host device for access to the integrated circuit via the debug interface; responsive to the request, generate a random number; transmit the random number from the integrated circuit to the host device via the debug interface; receive, from the host device via the debug interface, input data that has been encrypted using the random number as a key; and decrypt the input data using the random number as a key.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: September 13, 2022
    Assignee: SiFive, Inc.
    Inventors: Yann Loisel, Frank Lhermet
  • Patent number: 11444774
    Abstract: This disclosure relates generally to a method and system for biometric verification. Conventional biometric verification methods and systems perform one or more computations in the non-encrypted domain, thereby leading to security threats. The disclosed method includes performing computations such as enrollment and verification feature vector computation, dimensionality reduction of said feature vectors, and comparison of dimensionally reduced encrypted feature vectors to obtain matching scores indicating the extent of match therebetween in the encrypted domain using fully homomorphic encryption, thereby leading to secure biometric verification.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: September 13, 2022
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Arun Kumar Jindal, Vasudha Kumari, Imtiyazuddin Shaik, Srinivasa Rao Chalamala, Rajan Mindigal Alasingara Bhattachar, Sachin Premsukh Lodha
  • Patent number: 11443044
    Abstract: A computer-implemented method for advancing speculative execution in microarchitectures is disclosed. A non-limiting example of the computer-implemented method includes receiving, by a processor, a test scenario including a first load instruction from a first memory location flagged with a delay notification and a speculative memory access instruction from a second memory following the first load instruction. The method executes, by the processor, the first load instruction from the first memory location and delays a return of data from the first memory location for a number of processor cycles. The method executes, by the processor, the speculative storage access instruction from the second memory location during the delay in returning the data from the first memory location.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: September 13, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Olaf Knute Hendrickson, Michael P Mullen, Matthew Michael Garcia Pardini
  • Patent number: 11438369
    Abstract: An information security system that incorporates time, feedback, and/or varying trust in analyzing and responding to attacks. A solution can defer processing of a request for a period of time, which can be sufficient to allow the request to be approved or disproved. The solution can be configured to automatically approve or disprove the request after the period of time if no affirmative response is received. Trust for an entity can be periodically determined and can automatically decay over time. Feedback can be used as part of the approval/disproval process and/or to reevaluate trust.
    Type: Grant
    Filed: April 9, 2019
    Date of Patent: September 6, 2022
    Inventor: Winn Schwartau
  • Patent number: 11438139
    Abstract: A secure update is provided from a server to an end-point device. The server registers digital information, such as a name or a software package, and a verifiable key, such as a cryptographic hash, derived from the digital information. A publicly accessible transaction log stores the verifiable key in a block and provides an identifier of the block to the server. An end-point device receives the digital information and the identifier, and computes a separate verifiable key. The end-point device retrieves the verifiable key from the block of the publicly accessible transaction log, and compares the retrieved verifiable key to the separate verifiable key to determine whether the digital information has been compromised.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: September 6, 2022
    Inventors: Raouf Boutaba, Woojung Kim, Yuhao Dong
  • Patent number: 11429751
    Abstract: The disclosure is generally directed to a method and apparatus for encrypting and decrypting data on an integrated circuit. In various implementations, the apparatus includes an on-chip high performance bus bridge that transparently encrypts and decrypts data between the embedded microprocessor(s) and off-chip system memory. In some implementations, the apparatus is optimized to the transactions generated by the processor's cache controller (e.g., optimized for cache line size) and optimized to the bus protocol being used. This provides code protection with minimal effect on system performance latency and throughput. The implementation of multiple cryptographic engines allows for encryption of a complete cache line while incurring only a single latency for the first cipher rounds to be completed.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: August 30, 2022
    Assignee: Rajant Corporation
    Inventor: Kevin Osugi
  • Patent number: 11416638
    Abstract: Described is a lattice cryptography processor with configurable parameters. The lattice cryptography processor includes a sampling circuit configured to operate in accordance with a Secure Hash Algorithm 3 (SHA-3)-based pseudo-random number generator (PRNG), a single-port random access memory (RAM)-based number theoretic transform (NTT) memory architecture and a modular arithmetic unit. The described lattice cryptography processor is configured to be programmed with custom instructions for polynomial arithmetic and sampling. The configurable lattice cryptography processor may operate with lattice-based CCA-secure key encapsulation and a variety of different lattice-based protocols including, but not limited to: Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations.
    Type: Grant
    Filed: February 19, 2020
    Date of Patent: August 16, 2022
    Assignee: MASSACHUSETTS INSTITUTE OF TECHNOLOGY
    Inventors: Utsav Banerjee, Anantha P. Chandrakasan
  • Patent number: 11409876
    Abstract: The update progress of a basic input/output system (BIOS) is displayed on a display screen. A first chipset lock is applied to a first region of a shared serial peripheral interface (SPI) chip of the BIOS of a computer system containing a first program of instructions. A system management memory mode lock is applied to a second and a third region of the shared SPI chip containing a second and third programs of instructions respectively. The second program of instructions is updated, and control of the BIOS is transferred to the updated second program of instructions. The updated second program of instructions updates the first program of instructions. The BIOS update progress visual is displayed on the display screen of the computer system while updating the first program of instructions.
    Type: Grant
    Filed: April 24, 2017
    Date of Patent: August 9, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Christopher H Stewart, Baraneedharan Anbazhagan, Lan Wang
  • Patent number: 11403432
    Abstract: An integrated circuit including: a plurality of physically unclonable function (PUF) cells each configured to generate a cell signal having a unique value; a selector configured to output a first signal obtained by not inverting a cell signal output by a PUF cell selected from the plurality of PUF cells and a second signal obtained by inverting the cell signal; and a key generator configured to generate a security key in response to the first signal or the second signal, wherein the selector includes a first conversion circuit configured to generate the first signal and a second conversion circuit having the same structure as the first conversion circuit and configured to generate the second signal.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: August 2, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Bohdan Karpinskyy, Yong-ki Lee, Ji-eun Park, Kyoung-moon Ahn, Yun-hyeok Choi