Patents Examined by Michael Pyzocha
  • Patent number: 10706180
    Abstract: A performance monitoring unit in a processor is programmed to issue an interrupt when a context switch occurs within an operating system if the currently executing thread belongs to a process that is subject to the malware prevention mechanism of the present invention. The interrupt enables a module that identifies mispredictions by the branch prediction unit of the processor and analyzes the address of the branch that was not predicted correctly. If the address of the branch is not contained on an existing whitelist of permissible branch addresses, an alert is generated and/or a protective action is taken. Such protective actions may include thread suspension, thread termination, process suspension, or process termination.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: July 7, 2020
    Assignee: Endgame, Inc.
    Inventor: Gabriel Landau
  • Patent number: 10708041
    Abstract: Apparatus and method for hashing a message, comprises using an array of individually selectable memristor cells. The memristor cells are subject to write disturb that affects cells neighboring a selected cell so that a write operation into one cell has a knock-on effect on the neighbors. The array is initiated into a known stable state so that these changes to neighboring cells are predictable according to proximity to the currently selected cell. An inserter sequentially mixes bits with the hash so far to insert bits into successively selected cells of the memristor array and forms a succession of memristor array states including the knock on effects on the neighboring cells. A final resulting memristor array state following input of the bits forms the hash of the message.
    Type: Grant
    Filed: April 29, 2018
    Date of Patent: July 7, 2020
    Assignee: Technion Research & Development Foundation Limited
    Inventors: Shahar Kvatinsky, Leonid Azriel
  • Patent number: 10706134
    Abstract: A method for providing a brain computer interface that includes detecting a neural signal of a user in response to a calibration session having a time-locked component and a spontaneous component; generating a user-specific calibration model based on the neural signal; prompting the user to undergo a verification session, the verification session having a time-locked component and a spontaneous component; detecting a neural signal contemporaneously with delivery of the verification session; generating an output of the user-specific calibration model from the neural signal; based upon a comparison operation between processed outputs, determining an authentication status of the user; and performing an authenticated action.
    Type: Grant
    Filed: July 10, 2017
    Date of Patent: July 7, 2020
    Assignee: Arctop LTD
    Inventors: Daniel Furman, Eitan Kwalwasser
  • Patent number: 10701093
    Abstract: Disclosed herein is a method for use in detection of anomalous behavior of a device of a computer system. The method is arranged to be performed by a processing system. The method includes deriving values, m_1, ..., m_N, of a metric, M, representative of data associated with the device; modeling a distribution of the values; and determining, in accordance with the distribution of the values, the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.
    Type: Grant
    Filed: February 6, 2017
    Date of Patent: June 30, 2020
    Assignee: Darktrace Limited
    Inventors: Tom Dean, Jack Stockdale
  • Patent number: 10701064
    Abstract: A system for managing multi-factor authentication of a user includes: one or more source components for obtaining multi-factor authentication data by one or more of: receiving multi-factor authentication data via a network; generating multi-factor authentication data using an algorithm, and a user providing multi-factor authentication data; a routing component for associating the multi-factor authentication codes from the one or more source components with an appropriate user account; a database comprising multi-factor authentication data wherein components of the multi-factor authentication data are stored in association with a particular user account; and one or more delivery components for providing the multi-factor authentication data to a user on a user device.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 30, 2020
    Inventor: Vivek Chinar Nair
  • Patent number: 10691799
    Abstract: Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state h_i where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: June 23, 2020
    Assignee: Cylance Inc.
    Inventors: Andrew Davis, Matthew Wolff, Derek A. Soeder, Glenn Chisholm
  • Patent number: 10686826
    Abstract: A computer-implemented method may comprise collecting and storing a plurality of electronic messages and a corresponding plurality of phishing kits, each of which being associated with one or several malicious Uniform Resource Locators (URLs) and extracting a set of features from each of the plurality of electronic messages. For each of the extracted set of features, the method may comprise determining a set of optimal scanning parameters using one or more decision trees, trained with a supervised learning algorithm based on programmatically or manually examining or reverse-engineering the source code of the phishing kits, or trained with a supervised learning algorithm based on a function that iteratively requests data from the websites pointed to by the malicious URLs and examines data and codes returned by such requests.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: June 16, 2020
    Assignee: VADE SECURE INC.
    Inventors: Sebastien Goutal, Maxime Marc Meyer
  • Patent number: 10678709
    Abstract: An apparatus for encrypting an input memory address to obtain an encrypted memory address comprises an input interface for receiving the input memory address being an address of a memory. Moreover, the apparatus comprises an encryption module for encrypting the input memory address depending on a cryptographic key to obtain the encrypted memory address. The encryption module is configured to encrypt the input memory address by applying a map mapping the input memory address to the encrypted memory address, wherein the encryption module is configured to apply the map by conducting a multiplication and a modulo operation using the cryptographic key and a divisor of the modulo operation, such that the map is bijective.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: June 9, 2020
    Assignee: Infineon Technologies AG
    Inventor: Berndt Gammel
  • Patent number: 10681057
    Abstract: A device for controlling a communication network having a plurality of terminals for a data communication is provided. The device comprises a control unit configured to decouple a data plane and a control plane of the data communication and to modify at least one characteristic of the communication network which is visible from the outside of the communication network during a communication session using the decoupled control plane.
    Type: Grant
    Filed: September 2, 2015
    Date of Patent: June 9, 2020
    Inventor: Henrich Stehmeier
  • Patent number: 10681009
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: June 9, 2020
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 10673837
    Abstract: Aspects of the disclosure relate to processing systems using improved domain pass-through authentication techniques. A computing platform may send, to an external cloud computing platform, one or more registration requests that each may cause an RLS endpoint corresponding to each of a plurality of resource location connectors to be stored at the external cloud computing host platform. The computing platform may receive one or more requests for a resource location identifier. The computing platform may determine an accessible resource location connector and may send, to the user device, a corresponding resource location identifier. After receiving a pass-through authentication request, the computing platform may receive, from the ticketing service stored on the external cloud computing platform, a one-time ticket. The computing platform may send, to the user device, the one-time ticket, which may allow the user device to perform pass-through authentication with the external cloud computing platform.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: June 2, 2020
    Assignee: Citrix Systems, Inc.
    Inventor: Feng Huang
  • Patent number: 10673819
    Abstract: A system for secure communication, including a first security computer communicatively coupled with a client computer via an SSL connection, including a certificate creator, for receiving certificate attributes of a server computer certificate and for creating a signed certificate therefrom, and an SSL connector, for performing an SSL handshake with the client computer using the signed certificate created by said certificate creator, and a second security computer communicatively coupled with a server computer via an SSL connection, and communicatively coupled with the first security computer via a non-SSL connection, including an SSL connector, for performing an SSL handshake with the server computer using a signed certificate provided by the server computer, and a protocol appender, for appending attributes of the signed certificate provided by the server computer within a message communicated to the first security computer. A method is also described and claimed.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: June 2, 2020
    Assignee: Finjan, Inc.
    Inventors: Yuval Ben-Itzhak, Shay Lang, Dmitry Rubinstein
  • Patent number: 10659457
    Abstract: A non-transitory, computer-readable recording medium having stored therein a program for causing a computer to execute a process of transmitting a first random value by proximity radio communication to a device coupled via a server and a network, receiving data in which the first random value is encoded, from the device by the proximity radio communication, determining whether the first random value matches a value obtained by decoding the data with a server key obtained in advance from the server, when the value obtained by decoding the data matches the first random value, authenticating a user, and causing the information processing device to execute processing for transmitting a result of the authenticating the user to the server via the device.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: May 19, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Hidenobu Ito, Koichi Yasaki, Takuya Sakamoto, Kazuaki Nimura, Yosuke Nakamura
  • Patent number: 10657229
    Abstract: A system and method of building a decision or prediction model used for analyzing and scoring behavioral transactions is disclosed. A customer dataset in a model development store that is used to build an original model is subject to a data right usage withdrawal, the original model having coverage over the customer dataset. The system and method extract, using data sampling, a portion of the customer dataset to generate a model surrogate dataset. The system and method discretize vectors present in both the model surrogate dataset and the customer dataset, and receive data representing the data right usage withdrawal from the customer dataset. The system and method determine a depletion of the model surrogate dataset according to the data right usage withdrawal, and compute an estimated mean time to coverage failure of the original model based on the depletion of the model surrogate dataset according to the data right usage withdrawal.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: May 19, 2020
    Assignee: Fair Isaac Corporation
    Inventors: Scott Michael Zoldi, Shafi Ur Rahman
  • Patent number: 10659449
    Abstract: A request is received from a deployer associated with an application to create an instance broker service instance. A request is received from the deployer to bind the instance broker service instance to the application. Instance broker credentials associated with the instance broker service instance are received and provided to the application. The application uses the instance broker credentials to access the instance broker service instance and determines whether to create a new service instance using the instance broker service instance.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: May 19, 2020
    Assignee: SAP SE
    Inventor: Peter Eberlein
  • Patent number: 10645109
    Abstract: The present disclosure relates to a system, method, and computer program for detecting anomalous user network activity based on multiple data sources. The system extracts user event data for n days from multiple data sources to create a baseline behavior model that reflects the user's daily volume and type of IT events. In creating the model, the system addresses data heterogeneity in multi-source logs by categorizing raw events into meta events. Thus, the baseline behavior model captures the user's daily meta-event pattern and volume of IT meta events over n days. The model is created using a dimension reduction technique. The system detects any anomalous pattern and volume changes in a user's IT behavior on day n by comparing user meta-event activity on day n to the baseline behavior model. A score normalization scheme allows identification of a global threshold to flag current anomalous activity in the user population.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: May 5, 2020
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Qiaona Hu, Domingo Mihovilovic, Sylvain Gil, Barry Steiman
  • Patent number: 10645110
    Abstract: A method for computer system forensics includes receiving an identification of at least one host computer that has exhibited an anomalous behavior, in a computer network comprising multiple host computers. Respective images of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
    Type: Grant
    Filed: April 18, 2018
    Date of Patent: May 5, 2020
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Michael Mumcuoglu, Giora Engel, Eyal Firstenberg
  • Patent number: 10645119
    Abstract: Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: May 5, 2020
    Assignee: Akamai Technologies, Inc.
    Inventor: Simon E. Vera-Schockner
  • Patent number: 10645167
    Abstract: A system and method for improving the security and reliability of industrial control system (ICS) and supervisory control and data acquisition (SCADA) communication networks utilized within power systems is provided. For power system intelligent electronic devices (IEDs) that comprise these networks, a number of settings are created and stored inside the device settings files that define the IED's communication parameters. Inspection of a settings and configuration file (SCF) allows the identification and extraction of the device's configured and therefore permissible communication characteristics. Using this extracted information, rulesets are generated and subsequently pushed to one or more network security devices, e.g. firewalls, managed switches, and intrusion detection/prevention systems. In such a manner, the described innovation is able to derive a perspective of the allowable system communication and issue rulesets and settings to network security devices (NSDs).
    Type: Grant
    Filed: November 23, 2016
    Date of Patent: May 5, 2020
    Assignee: Cybirical, LLC
    Inventor: Nathan S. Wallace
  • Patent number: 10635642
    Abstract: Disclosed are systems, apparatuses and techniques for replicating data between different cloud computing platforms. Examples include storage replicator components operable in different cloud computing platforms. The first storage replicator component may identify the second cloud computing platform as a location to copy a data file in response to an event related to the data file stored in a first cloud computing platform. The first storage replicator component may request a copy of the data file via an application programming interface of the first cloud computing platform. The attributes of the copy of the data file which involve modification to conform to data management conventions of the second cloud computing platform may be determined and modified to comply with conventions of the second cloud computing platform. The modified copy of the data file may be forwarded to the second cloud computing platform for storage.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: April 28, 2020
    Assignee: Capital One Services, LLC
    Inventors: Timothy Haggerty, Steven Long, Deepa Rao, Eric Henry, Yuting Zhou