Abstract: Methods for counting synchronization (SYN) packets to identify a SYN attack, applicable to network device, are provided. The network device includes a field programmable gate array (FPGA) for counting the total number of received SYN packets and a high-speed hardware memory connected to the FPGA. One of the methods includes: periodically traversing the count entries stored in the high-speed hardware memory, and aging any count entry for which a time difference between a current time and a creation time reaches a preset aging time interval; obtaining a first number of SYN packets and a second number of SYN packets; and updating the total number of the received SYN packets with a sum of the first number of SYN packets and the second number of SYN packets.

Abstract: Described is a system for producing indicators and warnings of adversarial activities. The system receives multiple networks of transactional data from different sources. Each node of a network of transactional data represents an entity, and each edge represents a relation between entities. A worldview graph is generated by merging the multiple networks of transactional data. Suspicious subgraph regions related to an adversarial activity are identified in the worldview graph through activity detection. The suspicious subgraph regions are used to generate and transmit an alert of the adversarial activity.

Abstract: Systems and methods for controlling measurement units for a medical scale. One system includes a removable head unit configured to couple to a medical scale platform. The removable head unit includes a human machine interface (HMI) and an electronic processor coupled to the human machine interface. The electronic processor is configured to receive, via the HMI, a first user input selecting a permanent lock mode. The electronic processor is configured to, in response to receiving the user input, present a first authentication request and receive a second user input including a first authentication token. The electronic processor is configured to, when the first authentication token is valid, present a measurement unit selection prompt. The electronic processor is configured to receive a second user input selecting a measurement unit and, in response to receiving the second user input, activate the permanent lock mode based on the selected measurement unit.

Abstract: A system continuously monitors, by at least one inspector, an inspection work queue for a class of inspection operation request, detects, by the at least one inspector, the class of inspection operation request in the inspection work queue, removes, by the at least one inspector, the class of inspection operation request from the inspection work queue, determines, by the at least one inspector, one of a class of inspection tool and a specific level of inspection to perform for the class of inspection operation request that references a data object, and executes, by the at least one inspector, the one of the class of inspection tool and the specific level of inspection for the class of inspection operation request that references the data object at one of a certain time and a certain event during a data lifecycle of the data object.

Abstract: Systems and methods are provided for interacting with an Application Programming Interface (API) using a digital signature. In one embodiment, a system includes one or more processors that execute the instructions to perform operations. The operations may include receiving a first digital signature from a requesting device, the first digital signature being associated with a first set of fields in the database; identifying one or more requested fields; accessing the database to retrieve the information associated with the one or more requested fields, the information being associated with at least one API; and providing a response to the requesting device to cause a requesting application to consume the response from the API.

Abstract: A system for detecting anomalies is provided. The system includes a computer system including at least one processor in communication with at least one memory device. The computer system receives communications from a remote computer platform. The at least one processor is programmed to execute real-time a simulation model of the remote computer platform. The simulation model simulates inputs and outputs of the remote computer platform based on real-time data. The at least one processor is also programmed to receive one or more outbound communications transmitted from the remote computer platform, generate one or more outputs of the simulation model, compare the one or more outbound communications transmitted from the remote computer platform to the one or more outputs of the simulation model, detect one or more differences based on the comparison, and generate an output based on the one or more differences.

Abstract: Techniques in electronic systems, such as in systems including a processor complex having one or more system processors and one or more memories, provide improvements in one or more of system security, performance, cost, and efficiency. In some embodiments, the system includes secure boot logic (SBL) having immutable hardware enabled, in response to a reset of the system, to securely boot one or more boot processors of the SBL to execute known-good executable code. The SBL is then enabled to securely boot the one or more system processors to execute system code stored in a non-volatile one of the memories by copying the system code to another one of the memories from which at least one of the system processors is able to access the system code for a respective initial instruction fetch. The non-volatile memory is not accessible to the system processors.

Abstract: Enriched access data supports anomaly detection to enhance network cybersecurity. Network access data is enriched using service nodes representing resource provision and other services, with geolocation nodes representing grouped access origins, and access values representing access legitimacy confidence. Data enrichment provides a trained model by mapping IP addresses to geolocations, building a bipartite access graph whose inter-node links indicate aspects of accesses from geolocations to services, and generating semantic vectors from the graph. Vector generation may include collaborative filtering, autoencoding, neural net embedding, and other machine learning tools and techniques. Anomaly detection systems then calculate service-geolocation or geolocation-geolocation vector distances with anomaly candidate vectors and the model's graph-based vectors, and treat distances past a threshold as anomaly indicators.

Abstract: Presented herein are systems and methods to determine whether a dynamic host configuration protocol (DHCP) server in DHCP snooping environment is a trusted device without requiring trusted port configuration. In one or more embodiments, a DHCP snooping-enable switch/router adds an indicator to a message intended for a DHCP server, thereby notifying the DHCP server that the DHCP switch/router is enabled for or capable of “detection of trusted DHCP server.” The DHCP server includes a unique trusted identifier in its reply that the DHCP switch/router uses to verify whether the DHCP server can be considered a trusted device.

Abstract: A system may use memory tagging for side-channel defense, memory safety, and sandboxing to reduce the likelihood of successful attacks. The system may include memory tagging circuitry to address existing and potential hardware and software architectures security vulnerabilities. The memory tagging circuitry may prevent memory pointers from being overwritten, prevent memory pointer manipulation (e.g., by adding values), and increase the granularity of memory tagging to include byte-level tagging in cache. The memory tagging circuitry may sandbox untrusted code by tagging portions of memory to indicate when the tagged portions of memory include contain a protected pointer. The memory tagging circuitry provides security features while enabling CPUs to continue using and benefiting from speculatively performing operations.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for extracting, correlating, consolidating and presenting metadata from transmissions is provided. The method may include receiving a TCP/IP transmission. The transmission may include a header and a body. The method may include extracting an originating IP address from a location of the transmission. The location may be in the header or in the body. The IP address may be extracted in binary form. The method may include determining an accuracy and validity metric of the transmission using an artificial intelligence module. The method may include converting the extracted IP address from binary form into hexadecimal form. The method may include embedding the hexadecimal form of the IP address into one or more unused options of the header. The method may include processing the transmission. The processing may be completed upon determination that the transmission is a valid transmission.

Abstract: An attack situation visualization device includes: a memory that stores instructions; and at least one processer configured to process the instructions to: analyze a log in which information about a cyberattack is recorded and specify at least either of a source of a communication related to the cyberattack and a destination of a communication related to the cyberattack; and generate display information allowing display of an image in which an image representing a map, a source image representing the source, and a destination image representing the destination are arranged on the map, wherein, the at least one processer configured to process the instructions to generate the display information including an attack situation image visualizing at least either of a traffic volume and a communication frequency of a communication related to the cyberattack between the source and the destination.

Abstract: A device to provide fog-enabled multipath VPN (virtual private network) is disclosed. A first endpoint device is configured to form a fog-enabled communication path in a fog network with at least one neighboring device having at least one first IP (internet protocol) address so as to enable at least one VPN tunnel communication path, via said at least one neighboring device, between the first endpoint device and a second endpoint device with a second IP address and to enable multipath VPN tunneling between the first endpoint device and the second endpoint device. In another embodiment, a multipath VPN AP (access point) is disclosed, where the VPN AP uses at least one fog network to provide multipath VPN, and on the other hand, enables sharing of the multiple VPN by a multitude of endpoint devices that connect to the VPN AP through another fog network.

Abstract: Methods, systems, and apparatuses to improve the handling of exceptions during the retrieval and processing of health records from various data sources are provided. During the retrieval and processing of health records, exceptions to typical behavior are recorded with context at the data extraction protocol level, at the health record level and at the level of elements with the document. Accordingly, insights may be developed and configurations, rules, or coding changes, based on the detected exceptions may be proposed. In some instances, an operator may be notified about the exceptions such that the operator may act on the insight. In some instances, the processing of extracted records (documents, messages) may be deferred until the operator has made appropriate changes to configuration, rules, or code. In some instances, the system may supplement and/or replace the operator with machine learning engines that act on the developed insights.

Abstract: Systems and methods are provided for interacting with an Application Programming Interface (API) using a digital signature. In one embodiment, a system includes one or more processors that execute the instructions to perform operations. The operations include receiving a digital signature from a requesting device, the digital signature including an array of one or more bits, where each position in the array is associated with a field in the database and with the data stored in the field of an API; identifying one or more requested fields; accessing the database to retrieve the information associated with the one or more requested fields, the information being associated with at least one API; and providing instructions to the requesting device, based on the retrieved information, causing the requesting application to use the API.

Abstract: Described herein are systems, methods, and software to identify propagation risk of threats in a computing environment. In one implementation, a management service may identify a connection tree for a computing environment based on forwarding rules for virtual nodes in the computing environment. The management service may further, for each connection in the connection tree, determine a threat value based at least on a protocol associated with the connection. The management service may also identify a threat to a virtual node of the virtual nodes and generate a threat propagation summary for the threat based on the one or more minimum or maximum spanning trees.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. The host computer system may be configured to implement one or more mechanisms that prevent malware received by the host computer system from receiving external communications from an external source. The one or more mechanisms may be configured to prevent control of the malware by the external source. The one or more mechanisms may be configured to prevent the malware from establishing a command channel with the external source.

Abstract: A cyber security appliance has modules that utilize probes to interact with entities in a cloud infrastructure environment (CIE). A cloud module can 1) use the information about relevant changes in the CIE fed from the probes, and 2) use machine learning models that are trained on a normal behavior of at least a first entity associated with the CIE; and thus, indicate when a behavior of the first entity falls outside of being a normal pattern of life. A cyber threat module can use machine learning models trained on cyber threats in the CIE and examine at least the behaviors of the first entity falling outside of the normal pattern of life to determine what is a likelihood of ‘a chain of unusual behaviors under analysis that fall outside of being the normal behavior’ is a cyber threat. An autonomous response module can cause actions to contain the cyber threat.

Abstract: Embodiments of the present disclosure relate to a memory system, a memory controller, and a method of operating the memory system. According to the embodiments of the present disclosure, when result data obtained by derandomizing data included in a flag area is different from reference data after a random data unit is derandomized based on a seed, it is possible to detect an error occurring in the seed in a process of derandomizing the data and to prevent malfunction of firmware in advance by searching for a target seed and derandomizing the random data unit based on the target seed.