Patents Examined by Paul E. Callahan
  • Patent number: 11928206
    Abstract: Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
    Type: Grant
    Filed: April 20, 2023
    Date of Patent: March 12, 2024
    Assignee: Open Text Inc.
    Inventors: Eric Klonowski, Ira Strawser
  • Patent number: 11902289
    Abstract: A computer-implemented method is disclosed. The method includes: receiving, from a web server associated with a protected resource, a first signal including a request to validate a bearer token submitted by a client device to the web server, the bearer token including a digital signature; validating the bearer token, the validating including verifying the digital signature using a public key associated with an end user of the client device; and in response to validating the bearer token, sending to the web server a second signal including a notification that the bearer token is valid.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: February 13, 2024
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Anthony Haituyen Nguyen, Yubing Liu, Arthur Carroll Chow, Casey Lyn Doyle, Richard John Frederick Thake, Mengfei Wang, Aaron Ashish Hudali, Gregory Albert Kliewer, Martin Albert Lozon, Yusbel Garcia Diaz, Gareth Daly, Masashi Kobayashi, Randall John Bast
  • Patent number: 11886573
    Abstract: A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.
    Type: Grant
    Filed: August 27, 2021
    Date of Patent: January 30, 2024
    Assignee: SUSE LLC
    Inventors: Henrik Rosendahl, Fei Huang, Gang Duan
  • Patent number: 11874947
    Abstract: A method may include storing access rights with respect to a plurality of shared data ledgers, wherein each respective shared data ledger of the plurality of shared data ledgers comprises: a plurality of data portions; and at least one data record stored within a data portion of the plurality of data portions; receiving a request, from a requesting computing device, the request including: a requesting identifier stored in a data record of a first shared data ledger; and a request for information, associated with the requesting identifier, stored in a second shared data ledger; determining that the requesting computing device is authorized to access the information stored in the second shared data ledger based on the stored access rights; and based on the determining: accessing the information associated with the requesting identifier from the second shared data ledger; and transmitting at least a portion of the accessed information.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: January 16, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventor: David Newman
  • Patent number: 11841948
    Abstract: Systems, devices, and methods are discussed that provide for discovering protected data from a code. Such detection provides an ability to discover potentially malicious code and/or datasets obfuscated within a code prior to full execution of the code.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: December 12, 2023
    Assignee: Fortinet, Inc.
    Inventor: Jeremy Allen Wildsmith
  • Patent number: 11811953
    Abstract: Disclosed is a physical unclonable function generator circuit and testing method. In one embodiment, a physical unclonable function (PUF) generator includes: a PUF cell array comprising a plurality of bit cells configured in a plurality of columns and at least one row, wherein each of the plurality of columns is coupled to at least two pre-discharge transistors, and each of the plurality of bit cells comprises at least one enable transistor, at least two access transistors, and at least two storage nodes, and a PUF control circuit coupled to the PUF cell array, wherein the PUF control circuit is configured to access the plurality of bit cells to pre-charge the at least two storage nodes with substantially the same voltages, allowing each of the plurality of bit cells to have a first metastable logical state; to determine a second logical state; and based on the determined second logical states of the plurality of bit cells, to generate a PUF signature.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: November 7, 2023
    Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
    Inventors: Shih-Lien Linus Lu, Cormac Michael O'Connell
  • Patent number: 11799863
    Abstract: A collection unit (15a) collects information on IoT devices connected to IoT gateways and white lists of the IoT devices, retained by the IoT gateways. An extraction unit (15b) extracts white lists of IoT devices that satisfy a prescribed condition related to the number of the IoT devices of each model or the number of installed locations of the IoT devices of each model from the collected white lists of the IoT devices using the collected information on the IoT devices so as to create a tentative white list. A coupling unit (15c) couples the created tentative white list and the white lists retained by the respective IoT gateways together so as to create a white list applied to the respective IoT gateways.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: October 24, 2023
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Koki Nomura, Yukio Nagafuchi, Masaki Tanikawa
  • Patent number: 11799873
    Abstract: This invention relates to systems and methods for verifying the reliability and validity of crowdsourcing users and/or the reliability and validity of tasks executed by crowdsourcing users. Key task implementing procedures are computerized and mapped as system events and/or user actions, which can trigger data obtaining when users navigate in the platforms and/or systems. The obtained data from the triggered data obtaining is authenticated. A stamped data chain is constructed from the obtained data. A reference data chain is used to set the expected geographic location and/or time for task implementing. The reference data chain is generated from the reference information supplied by users. A matching process is implemented by checking if the stamped data chain can match with the geographic and/or temporal conditions preset by the reference data chain. The degree of reliability and validity is determined based on the matching results.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: October 24, 2023
    Assignee: KeKeQiHuo (Shenzhen) Technologies Co., Ltd.
    Inventors: Shaode Zu, Xianwei Willam Shen
  • Patent number: 11775640
    Abstract: Systems and methods are described for detecting and preventing execution of malware on an on-demand code execution system. An on-demand code execution system may execute user-submitted code on virtual machine instances, which may be provisioned with various computing resources (memory, storage, processors, network bandwidth, etc.). These resources may be utilized in varying amounts or at varying rates during execution of the user-submitted code. The user-submitted code may also be unavailable for inspection for security or other reasons. A malware detection system may thus identify user-submitted code that corresponds to malware by monitoring resource utilization during execution of the code and generating a resource utilization signature, which enables comparison between the signature of the user-submitted code and resource utilization signatures of codes previously identified as malware.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: October 3, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Mihir Sathe, Niall Mullen
  • Patent number: 11775638
    Abstract: A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity—i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: October 3, 2023
    Assignee: International Business Machines Corporation
    Inventors: Frederico Araujo, Anne E. Kohlbrenner, Marc Philippe Stoecklin, Teryl Paul Taylor
  • Patent number: 11755974
    Abstract: An automated system attempts to characterize code as safe or unsafe. For intermediate code samples not placed with sufficient confidence in either category, human-readable analysis is automatically generated to assist a human reviewer in reaching a final disposition. For example, a random forest over human-interpretable features may be created and used to identify suspicious features in a manner that is understandable to, and actionable by, a human reviewer. Similarly, a k-nearest neighbor algorithm may be used to identify similar samples of known safe and unsafe code based on a model for, e.g., a file path, a URL, an executable, and so forth. Similar code may then be displayed (with other information) to a user for evaluation in a user interface. This comparative information can improve the speed and accuracy of human interventions by providing richer context for human review of potential threats.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: September 12, 2023
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Andrew J. Thomas, Russell Humphries, Simon Neil Reed, Kenneth D. Ray, Joseph H. Levy
  • Patent number: 11755770
    Abstract: Techniques for using contextual information to manage data that is subject to one or more data-handling requirements are described herein. In many instances, the techniques capture or depend upon the contextual information surrounding the creation and/or subsequent actions associated with the data. The contextual information may be updated as the data is handled in various manners. The contextual information may be used to identify data-handling requirements that are applicable to the data, such as regulations, standards, internal policies, business decisions, privacy obligations, security requirements, and so on. The techniques may analyze the contextual information at any time to provide responses regarding handling of the data to requests from requestors, such as administrators, applications, and others.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: September 12, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Colette Van Dyne, Jeffrey Friedberg
  • Patent number: 11734421
    Abstract: Systems and methods detect and neutralize malware infected electronic communications. Interface information is received at a client machine over a network from a server. The interface information includes a first input mechanism authorized for causing a first prompt to be presented in a user interface to receive user information and countermeasure information enabling the client machine to inspect the interface information on the client machine to detect modification of the interface information. The client device uses the countermeasure information to detect whether the interface information has been modified to include a second input mechanism not authorized for causing a second prompt to be presented in the user interface to receive user information.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: August 22, 2023
    Assignee: eBay Inc.
    Inventor: Joren Bartley McReynolds
  • Patent number: 11734464
    Abstract: A secure access kiosk includes a plurality of walls interconnected to form an interior area within the secure access kiosk, a soundproofing element fixed at each wall of the plurality of walls, an electromagnetic shielding element fixed at each wall of the plurality of walls, and an information processing system security container within the interior area of the secure access kiosk. The information processing system security container houses at least one of a thin client or an ultra-thin client, and the thin client or the ultra-thin client is configured to provide a software interface and to prevent data storage or encryption from being stored at the thin client or ultra-thin client. The thin client or the ultra-thin client can include an integrated classified network interface within the interior area of the secure access kiosk.
    Type: Grant
    Filed: September 8, 2022
    Date of Patent: August 22, 2023
    Assignee: MetaSCIF, Inc.
    Inventor: Jeremy Verbout
  • Patent number: 11709936
    Abstract: Aspects of the invention include receiving, by a processor, source code for a software program written in a first programming language. The received source code is converted into abstracted source code that is in a generic format that is different than a format of the first programming language. The abstracted source code is compared to known source code patterns. Based on determining that at least a subset of the abstracted source code matches a pattern in the known source code patterns, sending an alert to the user indicating that the received source code matches the pattern.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Andrew C. M. Hicks, Diane Marie Stamboni, Thomas William Conti, Gregg Arquero, Joshua David Steen, Michael Page Kasper
  • Patent number: 11706196
    Abstract: A network device is configured to receive an inbound packet from a first server device via a network tunnel, the first inbound packet including an outer header, a virtual private network (VPN) label, an inner header, and a data payload, the inner header including an inner source IP address of a source virtual machine. The processors are also configured to determine a first tunnel identifier, determine, based on the inner source IP address, a second tunnel identifier associated with a second server device hosting the source virtual machine, compare the second tunnel identifier with the first tunnel identifier to determine whether the tunnel on which the first inbound packet was received is the same as a tunnel used for forwarding traffic to the source virtual machine, and drop the inbound packet when the second tunnel identifier does not match the first tunnel identifier.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: July 18, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Sunanda L. Kommula, Nitin Kumar, Dmitry A. Shokarev
  • Patent number: 11671440
    Abstract: The present disclosure relates generally to improved systems and methods for ensuring continued network security in a data network. More specifically, present embodiments are directed to detecting and responding to the failure of a security detection module employed for network security in the data network. A detection failure monitoring system may detect that a security detection module has failed by executing a number of test cases simulating conditions that should be flagged by the security detection module. To that end, when the detection failure monitoring system determines that a security detection module did not flag a condition produced by an executed test case, the detection failure monitoring system may implement a response to address the failed security detection module. Accordingly, the systems and techniques provided herein may maintain network security with improved granularity and robustness.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: June 6, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Robert Jason Neel, Neelsen Cyrus
  • Patent number: 11663324
    Abstract: Concepts for acquiring information for identifying a security configuration for an application are proposed. In particular, the information is obtained by running the application in a development environment, detecting security requests made on behalf of the application, and then storing security information associated with the security requests in a security log. Using this concept, a security log may be obtained from which an appropriate security configuration may be determined.
    Type: Grant
    Filed: August 10, 2021
    Date of Patent: May 30, 2023
    Assignee: International Business Machines Corporation
    Inventors: Colin R. Penfold, Darren R. Beard, David Michael Key, Andrew David Clifton
  • Patent number: 11645387
    Abstract: An electronic device is disclosed. An electronic device according to various embodiments comprises: a processor; and a memory electrically connected to the processor, wherein the processor may be configured to: obtain a plurality of first parameters associated with attributes of at least one malicious code and a plurality of second parameters associated with a system in which the at least one malicious code is executed; obtain a similarity on the basis of a first comparison result according to a first comparison method between the plurality of first parameters and a second comparison result according to a second comparison method between the plurality of second parameters; and classify the at least one malicious code into at least one cluster on the basis of the similarity between the at least one malicious code. Other various embodiments may be provided.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: May 9, 2023
    Assignees: Samsung Electronics Co., Ltd., Korea University Research and Business Foundation
    Inventors: Jaewoo Seo, Suin Kang, Mincheol Kim, Hyemin Kim, Huykang Kim, Kiseok Do, Jooyeon Moon, Hyunmin Song, Sejoon Oh, Sooyeon Lee
  • Patent number: 11641584
    Abstract: Protecting from automatic reconnection with Wi-Fi access points having bad reputations. In some embodiments, a method may include determining that the mobile device is within range of a Wi-Fi access point, determining that the mobile device is configured to automatically reconnect to the Wi-Fi access point, receiving a request to indicate whether the Wi-Fi access point has a bad reputation, accessing an access point reputation database to determine whether the Wi-Fi access point has a bad reputation, sending an indication that the Wi-Fi access point has a bad reputation, and, in response to the indication that the Wi-Fi access point has a bad reputation, protecting the mobile device from the Wi-Fi access point by performing a remedial action at the mobile device.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: May 2, 2023
    Assignee: NORTONLIFELOCK INC.
    Inventors: Reese Timm, Roy Fine