Abstract: A new approach is proposed that supports IP address lookup. An IP address updater creates a bitmap of an IP address space, wherein each bit in the bitmap corresponds to an IP address in the IP address space. The compressed bitmap is then populated and stored permanently on a shared memory storage that is accessible by multiple client applications at the same time. The client applications may each establish and maintain a connection to the shared memory storage through an IP address lookup agent. When a lookup request for an IP address is received, the IP address lookup agent checks the bitmap and associated information of the IP address space on the shared memory storage to determine if the IP address is malicious or not and to inform the client application making the request accordingly, while the bitmap on the shared memory storage is updated with new IP address update.

Abstract: There is disclosed in one example a ransomware mitigation engine, including: a processor; a convolutional neural network configured to provide file type identification (FTI) services including: identifying an access operation of a file as a write to the file or newly creating the file; computing a byte correlation factor for the file; classifying the file as belonging to a file type; determining with a screening confidence that the file type is correct for the file; determining that the screening confidence is below a screening confidence threshold; and circuitry and logic to provide heuristic analysis including: receiving notification that the confidence is below the confidence threshold; performing a statistical analysis of the file to determine a difference between an expected value and a computed value; determining from the difference, with a detection confidence, that the file has been compromised; and identifying the file as having been compromised by a ransomware attack.

Abstract: Examples of techniques for threat detection in an industrial process system are described herein. An aspect includes determining a plurality of subsystems of an industrial process system. Another aspect includes, for each of the plurality of subsystems, constructing and training a respective deep autoencoder (DAE) model of the subsystem based on data corresponding to the industrial process system. Another aspect includes monitoring the industrial process system using the plurality of DAE models corresponding to the plurality of subsystems. Another aspect includes, based on the plurality of DAE models, determining a cyberattack in a subsystem of the plurality of subsystems.

Abstract: An embodiment discloses a method for controlling a vehicle virtualization structure-based device including the steps of receiving a request for use of a device from at least one container among a plurality of containers; and determining the use of the device according to a type of the device and a type of the container that transmits the request for use.

Abstract: In accordance with an embodiment, described herein is system and method for use with software application development environments, for determining attribution associated with licensed software code. The system can receive as input an indication of a source application codebase for a software application, determine dependencies on third-party modules, libraries, or other software code, and output associated license attributions for that codebase. Optionally, the system can combine and/or de-duplicate multiple sets of attributions associated with a source application codebase, or generate a set of differences between two versions of attributions, to illustrate changes between the versions. In accordance with an embodiment, if the system detects potential licensing issues associated with the use of third-party modules, libraries, or other software code, then an appropriate notification can be generated.

Abstract: A proposed technique allows for the security of the logic cone through logic locking and secures the outputs of the circuit from the scan chain without modifications to the structure of the scan chain. Since the oracle responses in test mode do not correspond to the functional key, satisfiability (SAT) attacks are not able to leverage the responses from the scan chain. In addition, a charge accumulation circuit is developed to prevent and detect any attempt to enter the partitioned test mode while the correct circuit responses are still stored within the registers.

Abstract: Disclosed herein are systems and method for isolating private information in streamed data. In an exemplary aspect, a method may comprise receiving a stream of data, for storage in a first storage device, and an indication of how the stream will be utilized by an end user. The method may comprise comparing the indication against a plurality of rules, wherein each rule indicates a type of private information that should be isolated from a given input stream based on a respective indication of usage for the given input stream. The method may comprise identifying and extracting a first type of private information that should be isolated from the stream, modifying the stream by removing the first type of private information from the stream, storing the modified stream in the first storage device, and storing the extracted first type of private information in a different location from the modified stream.

Abstract: Computer system for performing biometric matching in a way that balances accuracy level required in the biometric matching against computing resources (for example, processor cycles) that will be needed to match authentication requesters with profiles of authorized users. In some embodiments, this is achieved by controlling the number of clusters and/or the number of clusters to be searched pursuant to an authentication request.

Abstract: Disclosed herein are systems and methods for storing patient medical information on a local processing device, anonymizing a portion of that medical information and storing it on a second processing device, exposing that anonymized medical information to a third processing device coupled to the second processing device through a network, and restricting users of the third processing device to only accessing HIPAA compliant medical information. Alarms are included for indicating the improper transfer of HIPAA data.

Abstract: Disclosed are embodiments directed to security methods applied to connections between components in a distributed (networked) system including medical and non-medical devices, providing secure authentication, authorization, patient and device data transfer, and patient data association and privacy for components of the system.

Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.

Abstract: A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to record the purchase of a digital asset by a user at a client machine from a data source machine in network communication with the client machine. The location of the digital asset on one or more machines of the networked machines is archived. The location is separate from the data source machine. The digital asset is associated with a data access policy. A request for the digital asset is received. The data access policy is enforced through programmatic control utilized by one or more of the networked machines to form a consent state. Distribution of the digital asset to a networked machine is authorized in response to the consent state.

Abstract: A global partitioning-based method for anonymizing a dataset of biometric data may include an anonymization computer program: (1) receiving a value k representing a number of records to hide a biometric datum among, a value t that represents a t-closeness parameter for a t-close distribution, a weight parameter, and a first number of features to retain for determining an attribute of interest; (2) receiving the attribute of interest; (3) calculating a distribution of the attribute of interest in a biometric dataset; (4) splitting the biometric dataset into a plurality of k-sized clusters that satisfy the t-close distribution; (5) anonymizing each biometric datum in the plurality of k-sized clusters using a weighted average of landmarks for the biometric datums in k-sized clusters using the weight parameter; (6) adding each anonymized biometric datum into an anonymized biometric dataset; and (7) persisting the anonymized biometric dataset.

Abstract: A system receives a request associated with a first account to delegate, to a second account, authority to send documents on behalf of the first account. The request identifies requirements that must be satisfied before the second account can send documents on behalf of the first account. Responsive to receiving a request to send a first document to a first entity from the second account and on behalf of the second account, the system sends the first document to the first entity. Responsive to receiving a request to send a second document to a second entity from the second account and on behalf of the first account, the system determines whether the request to send the second document satisfies the requirements. Responsive to the request satisfying the requirements, the system sends the second document to the second entity on behalf of the first account.

Abstract: Disclosed are some implementations of systems, apparatus, methods and computer program products for providing contextually relevant recommendations based on a context of the user. The context of the user may be determined according to a set of privacy settings of the user, where the set of privacy settings indicates contextual features for which values are permitted to be accessed by a recommendation system. The contextual features may include user-related features and/or tenant features pertaining to a tenant of a multi-tenant database.

Abstract: The system comprises of a meeting organizer, host data processing system, at least one participant and participant data processing system and a server. The host data processing system is configured to create the meeting, list of participants, generate key for the participants and then communicate the key to the participants. The participant data processing system is configured to receive the credentials, communicate credential and key to the server and communicate the location information of the participant data processing system to the server. The server is configured to authenticate the participant, verify the identity of the participant, and determine whether the participant data processing system is located in a secured or unsecured location.

Abstract: The present disclosure relates to software tampering resistance. In one aspect, a method for generating protected code is provided, comprising identifying a primary function in code to be obscured, the primary function being a function used to verify the integrity of the code run-time. The method then comprises generating a finite state machine from the primary function, wherein a state of the finite state machine at a given instance defines an element of the primary function to be executed. The method then comprises distributing the finite state machine throughout the code to obscure one or more areas of the code.

Abstract: A computer-implement method comprises: selecting a trusted computing node via smart contract on a blockchain; completing remote attestation of the selected trusted computing node; writing secret information to an enclave of the selected node; causing a thin device to establish a private connection with the selected node without revealing the secret information; and causing the selected node to act as a proxy on the blockchain for the device. Another method comprises: receiving a signed device access request from a device owner; validating, by the verification node, the received request; executing, by a verification node, a smart contract on a blockchain based on the received request; and producing, based on the executed smart contract, an output command to access the device for the device to validate, decrypt and execute.

Abstract: A system and method for pairing two devices for secure communications. A user selects a first device to pair with a second device. The first and second devices have the ability to securely communicate with each other through the use of encrypted communications. An encryption key is written to the first device and then burned into the encryption module on the first device. A corresponding decryption key is written to the second device and then is burned into the decryption module of the second device.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.