Patents Examined by Raied A Salman
  • Patent number: 11108823
    Abstract: A method, an apparatus, a system, and a computer program product for handling security threats in a network data processing system. A computer system determines a connection type for a connection in response to detecting the connection between a target resource in the network data processing system and a requestor. The computer system redirects the connection to a virtual resource in place of the target resource when the connection type is a threat connection, wherein the requestor originating the connection to the target resource is unable to perceive a redirection of the connection to the virtual resource. The computer system records information in the connection redirected to the virtual resource to form recorded information. The computer system adjusts a security policy for handling connections in the network data processing system using the recorded information, wherein the security threats in the network data processing system are decreased using the security policy.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: August 31, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sheng Yan Sun, Shuo Li, Xiaobo Wang, Hong Mei Zhang, Yu Wang
  • Patent number: 10949546
    Abstract: A security device includes a secure processor, a mail box, a cryptographic intellectual property (IP), a secure direct memory access (DMA) circuit, and an internal memory. The secure processor provides an isolated execution environment. The mail box transfers a request from a CPU to the secure processor. The cryptographic IP performs one or more secure operations, including a signature certification operation, an encryption/decryption operation, and an integrity verification operation, on secure data within the isolated execution environment and without intervention of the CPU. The secure DMA circuit controls the one or more secure operations within the isolated execution environment, wherein only the secure processor is configured to control the secure DMA circuit. The internal memory stores the secure data on which the one or more secure operations are performed. The cryptographic IP includes a DMA circuit configured to control data access to an external storage.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: March 16, 2021
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Young-Jin Chung, Jae-Chul Park, Ki-Seok Bae, Jong-Hoon Shin, Yun-Ho Youm, Hye-Soo Lee, Hong-Mook Choi, Jin-Su Hyun
  • Patent number: 10923442
    Abstract: A key based technique that targets obfuscation of critical circuit parameters of an analog circuit block by masking physical characteristics of a transistor (width and length) and the circuit parameters reliant upon these physical characteristics (i.e. circuit biasing conditions, phase noise profile, bandwidth, gain, noise figure, operating frequency, etc.). The proposed key based obfuscation technique targets the physical dimensions of the transistors used to set the optimal biasing conditions. The widths and/or lengths of a transistor are obfuscated and, based on an applied key sequence, provide a range of potential biasing points. Only when the correct key sequence is applied and certain transistor(s) are active, are the correct biasing conditions at the target node set.
    Type: Grant
    Filed: March 12, 2018
    Date of Patent: February 16, 2021
    Assignee: Drexel University
    Inventors: Ioannis Savidis, Vaibhav Venugopal Rao, Kyle Juretus
  • Patent number: 10909246
    Abstract: The present disclosure provides trusted kernel-based anti-attack data processors. One exemplary processor comprises: a trusted kernel exception vector table configured to provide a handling entry for kernel switching; a trusted kernel stack pointer register storing a trusted kernel stack pointer that points to a trusted kernel stack space; and a trusted zone in the trusted kernel stack space, the trusted zone including a program status register storing a flag bit of a starting kernel for the kernel switching, a program pointer, and a general register. When the data processor performs kernel switching from a non-trusted kernel to a trusted kernel, the trusted kernel locates the handling entry for the kernel switching and performs the switching. An underlying software protection mechanism can be provided for switching entries of a trusted kernel. Therefore, security during switching processes between a trusted kernel and a non-trusted kernel can be improved.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: February 2, 2021
    Assignee: C-SKY Microsystems Co., Ltd.
    Inventors: Xiaoxia Cui, Chunqiang Li, Guangen Hou, Li Chen
  • Patent number: 10911434
    Abstract: This disclosure provides a method and system for protecting phone numbers from being exposed to third parties. The method comprises receiving a request, from a caller smart phone, for establishing telephone communication with a callee smart phone, wherein the request contains a code to designate the smart phone of the callee. The method further comprises checking whether the code is formally provided to the callee. The method further comprises: in response to determining that the code is formally provided to the caller, retrieving the phone number of the caller and the phone number of the callee based on the request and establishing a phone call connection via a cellular network with the phone number of the caller and the phone number of the callee.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: February 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Hui Wang, Mai Zeng, Yu Mei Dai, Xin Xin Lv, Yong Wu, Si Jun Gz Zhou, De Ting Hu, Zhi Jun Wang
  • Patent number: 10893039
    Abstract: This disclosure provides a method and system for protecting phone numbers from being exposed to third parties. The method comprises receiving a request, from a caller smart phone, for establishing telephone communication with a callee smart phone, wherein the request contains a code to designate the smart phone of the callee. The method further comprises checking whether the code is formally provided to the callee. The method further comprises: in response to determining that the code is formally provided to the caller, retrieving the phone number of the caller and the phone number of the callee based on the request and establishing a phone call connection via a cellular network with the phone number of the caller and the phone number of the callee.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: January 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Hui Wang, Mai Zeng, Yu Mei Dai, Xin Xin Lv, Yong Wu, Si Jun Gz Zhou, De Ting Hu, Zhi Jun Wang
  • Patent number: 10880332
    Abstract: Methods and systems for configuring security management settings within an enterprise network are disclosed. One method includes receiving network concordance data at an enterprise security management configuration tool from a plurality of nodes within an enterprise network, and, based on the network concordance data, classifying each of the plurality of nodes based on an affinitization between the two or more nodes. The method also includes defining a profile for one or more nodes or grouped nodes, and defining one or more solutions within the enterprise security management configuration tool, the one or more solutions each including one or more nodes of the plurality of nodes. The method also includes receiving a deployment selection identifying at least one of the one or more solutions, and, in response to the deployment selection, generating a security settings file describing security settings for each of the one or more nodes.
    Type: Grant
    Filed: April 24, 2017
    Date of Patent: December 29, 2020
    Assignee: Unisys Corporation
    Inventors: Robert A Johnson, Michael J DiDomenico, Philippe Jolly, Michael C Leap, Richard W Phelps
  • Patent number: 10873460
    Abstract: An authentication method includes that an authentication apparatus of an unmanned aerial vehicle (UAV) generates a session key, the authentication apparatus receives a device identification (ID) of a device and a randomly generated random number from the device of the UAV, the authentication apparatus obtains a device key of the device according to the device ID of the device, the authentication apparatus encrypts the session key and the random number according to the device key of the device, and the authentication apparatus sends the encrypted session key and the encrypted random number to the device.
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: December 22, 2020
    Assignee: SZ DJI TECHNOLOGY CO., LTD.
    Inventors: Yongsen Chen, Ming Gong, Ming Chen, Zhun Ding
  • Patent number: 10853524
    Abstract: The present disclosure discloses a security system for robots. The security system comprises a lock located on a platform, configured to restrict power supply to a plurality of actuators of a robotic arm, a key configured to release the lock for providing power supply to the plurality of actuators and a processing unit. The processing unit is configured to restrict power supply to the robotic arm by initiating the lock, relocate the lock to a random location on the platform, generate an encrypted code based on the random location of the lock and a time-stamp and provide the encrypted code to the control unit for decryption. Upon decryption, the control unit configures the lock to supply power to the plurality of actuators. The plurality of actuators operates the robotic arm to pick the key and release the lock for supplying power to the plurality of actuators.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: December 1, 2020
    Assignee: Wipro Limited
    Inventors: Vijay Kumar, Thomas Chittakattu Ninan, Yateesh Kumar Shivarudraiah, Ramkumar Gandhinathan
  • Patent number: 10846417
    Abstract: Techniques for identifying permitted illegal access operations in a module system are disclosed. An operation, expressed in a first module, that attempts to access a module element of a second module is identified. Based on a module declaration associated with the second module, the module element is determined inaccessible to the first module. Additionally or alternatively, based on an access modifier associated with the module element, the module element is determined inaccessible to the operation. The operation is determined as an illegal access operation. The illegal access operation is permitted to access the module element. A warning corresponding to the illegal access operation is generated.
    Type: Grant
    Filed: October 17, 2017
    Date of Patent: November 24, 2020
    Assignee: Oracle International Corporation
    Inventors: Alan Bateman, Chris Hegarty, Alexander R. Buckley, Brian Goetz, Mark B. Reinhold
  • Patent number: 10805339
    Abstract: A method of operating at least one node in a communication network that uses a shared communication medium has been developed to reduce or eliminate timing side-channel attacks performed by an adversary that is connected to the shared communication medium. The method includes generating, with a controller in a first node, a first jitter time offset randomly generated from within a predetermined time range, and transmitting, with a transceiver in the first node, a first data bit through an output of the transceiver that is connected to a shared communication medium, the first data bit being transmitted at a first time corresponding to the first jitter time offset added to a first predetermined transmission time.
    Type: Grant
    Filed: March 8, 2018
    Date of Patent: October 13, 2020
    Assignee: Robert Bosch GmbH
    Inventors: Shalabh Jain, Qian Wang, Jorge Guajardo Merchan
  • Patent number: 10803171
    Abstract: A virus detection method, a terminal, and a server are provided. The method includes performing preprocessing on an obtained to-be-processed file according to a preset policy, to obtain a part that is in the to-be-processed file and whose stability is greater than a first threshold as effective information. The effective information is calculated to obtain a first characteristic parameter value. The first characteristic parameter value is transmitted to a server for performing detection by means of virus comparison, and a detection result of the virus comparison is received. Virus scanning is performed on a local file according to the detection result.
    Type: Grant
    Filed: May 24, 2018
    Date of Patent: October 13, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Yuan Hai Luo, Jia Bin Wang
  • Patent number: 10795995
    Abstract: There are disclosed devices, systems and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are fed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: October 6, 2020
    Assignee: CLEAN.IO, INC.
    Inventors: Alexey Stoletny, Seth Demsey, Iván Soroka
  • Patent number: 10795990
    Abstract: A method of automatically generating secure code includes: receiving source code and security constraints for the source code, the security constraints encoding to what extent a variable in the source code is considered secure; and generating secure code from the source code and the security constraints by replacing non-secure operations in the source code, which operate on the variables considered as secure, with secure operations; wherein a secure operation is an operation, which, when applied to at least one encrypted variable, generates an encrypted result, which, when decrypted, is the result of the non-secure operation applied to the not encrypted variable.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: October 6, 2020
    Assignee: ABB Schweiz AG
    Inventors: Johannes Schneider, Matus Harvan, Sebastian Obermeier, Thomas Locher, Yvonne-Anne Pignolet
  • Patent number: 10791101
    Abstract: The disclosed technology relates to broadcasting encrypted data to multiple receiver devices, where some receiver devices have long-term access to the encrypted data and some receiver devices have a temporary access to the encrypted data. Receivers having long-term access are part of a “member group” because these member group devices have a master key and the master key enables the member group devices to derive the necessary information to decrypt the encrypted broadcast. In contrast, devices with temporary access possess only a guest key and not a master key; without a master key, the devices need to receive the guest key from another device to decrypt the broadcast. Access to the encrypted stream can also be based on broadcasting multiple or single diversifiers, where a diversifier can include group identification information to assist in restricting access to the encrypted stream.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: September 29, 2020
    Assignee: Sonova AG
    Inventor: Stephan Gehring
  • Patent number: 10789179
    Abstract: In an information processing system comprising a set of computing devices wherein each computing device comprises a set of persistent memory modules resident in the computing device, and wherein one or more data structures associate one or more application programs executing on the set of computing devices with one or more memory regions of the set of persistent memory modules such that the one or more data structures are utilized to route data between a given one of the application programs and at least one memory region, maintaining a distributed ledger system with a plurality of nodes, wherein the set of computing devices is operatively coupled to the plurality of nodes of the distributed ledger system, and managing one or more data access requests by a given application program to a memory region of a persistent memory module in consultation with the distributed ledger system.
    Type: Grant
    Filed: February 13, 2018
    Date of Patent: September 29, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Stephen J. Todd, Kenneth Durazzo
  • Patent number: 10764053
    Abstract: Embodiments for device pairing using optical codes are described. One embodiment is a wearable device with an image sensor configured to capture an image including a first optical code from a first host device. The wearable device decodes the first optical code, and in response to the first optical code, initiates broadcast of a pairing advertisement. The host device displays a second optical code in response to the pairing advertisement, and the wearable device captures and processes the second optical code to determine a host pairing advertisement code. The wearable device then, in response to the second optical code, initiates broadcast of a second pairing advertisement including the host pairing advertisement code. In various embodiments, a secure wireless channel is then established and used for further secure communications.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: September 1, 2020
    Assignee: Snap Inc.
    Inventors: Peter Brook, Nicolas Dahlquist, Matthew Hanover
  • Patent number: 10742675
    Abstract: Provided is a fraudulent message detection device that detects a fraudulent message in a bus network and includes: a resynchronization detector that detects an edge of a signal on a bus in the bus network and determines whether to perform resynchronization, so as to adjust a sampling point in a one-bit period; a transmission and receiving control unit that obtains a first logical value and a second logical value in a one-bit period after the resynchronization detector determines to perform the resynchronization, the first logical value being a logical value at a sampling point used before the edge is detected, the second logical value being a logical value at a sampling point after the resynchronization is performed; a comparator that compares the first and second logical values; and a fraud detection processing unit that executes post-fraud-detection processing, when the first and second logical values do not coincide.
    Type: Grant
    Filed: June 20, 2018
    Date of Patent: August 11, 2020
    Assignee: PANASONIC SEMICONDUCTOR SOLUTIONS CO., LTD.
    Inventor: Makoto Fujiwara
  • Patent number: 10719611
    Abstract: An example embodiment may involve a remote network management platform including a computational instance hosting a particular application. The particular application may be based on a unit of program code, use one or more database tables, and define one or more user roles with respect to accessing the program code and the database tables. A scanner application may be configured to: receive, from a client device, a request to scan the particular application; retrieve the particular application; conduct a static security scan by applying a set of rules that define security vulnerabilities, where the rules take into account (i) relationships between the user roles and the unit of program code, and (ii) relationships between the user roles and the database table; and transmit, to the client device, a representation of a web page that contains observed security vulnerabilities of the particular application.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: July 21, 2020
    Assignee: ServiceNow, Inc.
    Inventor: Pavan Mohan
  • Patent number: 10715360
    Abstract: A data scrambling method and a scrambling apparatus, where the method includes a scrambling apparatus scrambling a data stream including a first data block and a second data block. The first data block and the second data block may belong to a same sub-data stream, or may belong to different sub-data streams. A specification of the data stream when the first data block and the second data block belong to a same sub-data stream is different from a specification of the data stream when the first data block and the second data block belong to different sub-data streams, and the scrambling apparatus can scramble data streams of different specifications.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: July 14, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Changsong Li