Abstract: Provided are a computer program product, system, and method for using trap cache segments to detect malicious processes. A trap cache segment to the cache for data in the storage and indicated as a trap cache segment. Cache segments are added to the cache having data from the storage that are not indicated as trap cache segments. A memory function call from a process executing in the computer system reads data from a region of a memory device to output the read data to a buffer of the memory device. A determination is made as to whether the region of the memory device includes the trap cache segment. The memory function call is blocked and the process is treated as a potentially malicious process in response to determining that the region includes the trap cache segment.

Abstract: A network can operate a WiFi access point with credentials. An unconfigured device can support a Device Provisioning Protocol (DPP), and record bootstrap public keys and initiator private keys. The network can record bootstrap public and responder private keys and operate a DPP server. A responder proxy can establish a secure and mutually authenticated connection with the network. The network can (i) derive responder ephemeral public and private keys, (ii) record the initiator bootstrap public key, and (iii) select a responder mode for the responder. The network can derive an encryption key with at least the (i) recorded the initiator bootstrap public key and (ii) derived responder ephemeral private key. The network can encrypt credentials using at least the derived encryption key and send the encrypted credentials through the responder proxy to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.

Abstract: Various embodiments are provided for securing machine learning models by one or more processors in a computing system. One or more hardened machine learning models that are secured against adversarial attacks are provided by applying one or more of a plurality of combinations of selected preprocessing operations from one or more machine learning models, a data set used for hardening the one or more machine learning models, a list of preprocessors, and a selected number of learners.

Abstract: The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.

Abstract: Embodiments of the invention provide systems and methods for using programmatic means to verify the identity of a person. By scanning the person's documents and/or biometric data and comparing them to available government and private databases, the validity of those documents and identity of the person can be confirmed with a high confidence level. The process can assign a score to each item verified which is then computed into an overall confidence score which is available to other processes to rely on for approval of transactions. The identity is digitally combined with the credentials of the mobile phone to create a reusable identity token. Together with the confidence score, the identity token represents the verified biometric information of the person and is tied to the mobile phone.

Abstract: Systems and methods for reversibly remediating security risks, which monitor a network or system for security risks, and upon detection of one or more of risks, apply a remedial action applicable to at least partially remedy or mitigate the one or more detected risk. The network or system is monitored for a change to the detected risk(s), and upon detection of a change to the detected risk(s), the applied remediation action is automatically reversed.

Abstract: A system for validating software security analysis findings includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a source truth dataset including criteria for validating characteristics of findings. The processor receives a finding from a software security analysis tool that performs scan on application code. The processor identifies a characteristic from the finding. The processor selects a criterion from the non-transitory computer readable medium for validating the identified characteristic. The processor determines a validity score for the finding based on whether the selected criterion is met. The processor determines whether the finding is false positive by comparing the validity score to a predetermined validity threshold. If the finding is true positive, a graphical user interface displays the finding.

Abstract: Systems, methods, and software described herein provide for identifying recommended feature sets for new security applications. In one example, a method of providing recommended feature sets for a new security application includes identifying a request for the new security application, and determining a classification for the new security application. The method further provides identifying related applications to the new security application based on the classification, and identifying a feature set for the new security application based on features provided in the related applications.

Abstract: An example operation may include one or more of submitting a part replacement request to replace a first part of a device, qualifying a second part and repair resources, issue a part replacement transaction to the blockchain network, endorse the part replacement transaction by the plurality of blockchain peers, and replace the first part with the second part. The first part includes a blockchain peer of a plurality of blockchain peers and the device includes a blockchain network including a plurality of parts each corresponding to one of the plurality of blockchain peers.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: A misuse detection method used in an electronic control unit in a vehicle network system including multiple electronic control units that communicate with one another through networks. The misuse detection method includes receiving a target data frame at one time point, and receiving a reference data frame at another time point different than the one time point. The misuse detection method further includes performing, as misuse detection for the target data frame based on a certain rule specifying a reception interval between the one time point at which the target data frame is received and the other time point at which the reference data frame is received, and determining the target data frame received is for misuse based on a length of the reception interval.

Abstract: A method for facial authentication of a wearer of a watch includes: initiating an authentication process including detecting at least one triggering movement/gesture carried out by the wearer; capturing at least one sequence of images relative to the face of the wearer pivoting from one direction to another in front of the optical sensor; acquiring surface geometric data of the face associated with each image of at least one sequence; generating a three-dimensional model of the face of the wearer from at least one captured sequence of images and from the acquired geometric data; determining an identification index generated based on identification data relative to a plurality of features characteristic of the face of the wearer of the watch detected on the basis of the three-dimensional model, and identifying the wearer if the identification index is greater than a reference identification index.

Abstract: The presently disclosed subject matter includes a system for monitoring a set of command lines or calls to executable scripts configured to be executed by an operating system. Each command line from the set of command lines is associated with an executable script configured to be executed by an operating system. The apparatus classifies, via a machine learning model, a command line from the set of command lines into an obfuscation category and prevents the operating system from executing the command line and generates a notification signal when the obfuscation category indicates that the command line is part of a cybersecurity attack. The apparatus allows the operating system to execute the command line or call to the executable script when the obfuscation category indicates that the command line is not part of a cybersecurity attack.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: A method is disclosed of secure data transmission comprising sending a data request from a client device to a server device, the data request comprising a first share of a first encryption key, and a first location in the database at which is located desired double-encrypted data; receiving the sent data request at the server device; extracting, at the server device, the first share and the first location from the received data request; obtaining, at the server device, the desired double-encrypted data from the database using the extracted first location; generating, at the server device, the first encryption key using the extracted first share and one or more additional shares of the first encryption key held by the server device; and decrypting, at the server device, the obtained desired double-encrypted data using the generated first encryption key to form single-encrypted data.

Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises: selecting a file from a database of files used to perform training of a model for detecting a malicious file, forming one or more behavior patterns from intercepted one or more commands and parameters during execution of the file, forming a detection model, wherein the detection model selects a method of machine learning and is initialized with one or more hyper-parameters, training the detection model by calculating the one or more hyper-parameters based on the one or more behavior patterns to form a group of rules for calculating a degree of maliciousness of a resource and calculating a degree of maliciousness of another file based on the trained detection model.

Abstract: Aspects of the technology described herein provide for controlled access to a secure computing resource. A first device may receive a child token from a second device having a parent token. The child token may grant the first device access to a subset of data accessible to the second device. Based on a degree of physical proximity between the first device and a third device associated with a user satisfying a threshold proximity, an indication of a user identifier for the user may be received from the third device. A request for access to a secure computing resource associated with the user may be sent to the second device. The request may include the indication of the user identifier and an indication of the secure computing resource. Access to the secure computing resource may be granted based on the child token and the indication of the identifier.

Abstract: Techniques are disclosed relating to securely communicating traffic. In some embodiments, an apparatus includes a secure circuit storing keys usable to encrypt data communications between devices over a network. The secure circuit is configured to store information that defines a set of usage criteria for the keys. The set of usage criteria specifies that a first key is dedicated to encrypting data being communicated from a first device to a second device. The secure circuit is configured to receive a request to encrypt a portion of a message with the first key, the request indicating that the message is being sent from the first device to the second device, and to encrypt the portion of the message with the first key in response to determining that the set of usage criteria permits encryption with the first key for a message being sent from the first device to the second device.

Abstract: Methods for protecting software licensing information via a trusted platform module (TPM) are performed by systems and devices. When a licensing server is unreachable, a license is generated for a software application by a licensing manager. The license is generated via a secure register of the TPM using an asymmetric key, specific to the software application and policy-tied to the secure register, to generate a signature of a hashed license file for the software application. The asymmetric key is stored, mapped to the license file, and used for subsequent license validation. A licensing manager validation command is provided to validate the license using the key, as applied to the hash, to verify the signature and checking validity of the time stamp. Time stamp expiration or alteration of the license are determined to provoke invalidation indications for the validating application.

Abstract: Embodiments of a method, an IC device, and a circuit board are disclosed. In an embodiment, the method involves at an IC device of the system, monitoring activity on a bus interface of the IC device, wherein the bus interface is connected to a bus on the system that communicatively couples the IC device to at least one other IC device on the system, applying machine learning to data corresponding to the monitored activity to generate an activity profile, monitoring subsequent activity on the bus interface of the IC device, comparing data corresponding to the to subsequently monitored activity to the machine learning generated activity profile to determine if a system-level Trojan is detected, and generating a notification when it is determined from the comparison that a system-level Trojan has been detected.