Abstract: A computer system includes an ensemble moving target defense architecture that protects the computer system against attack using a plurality of composable protection layers that change each churn cycle, thereby requiring an attacker to acquire information needed for an attack (e.g., code and pointers) and successfully deploy the attack, before the layers have changed state. Each layer may deploy a different attack information asset protection providing multiple different attack protections each churn cycle.

Abstract: Systems and methods for securely sharing and authenticating a last secret include requesting, by a computing system on a first network node, a seed configured for deriving or recovering the last secret from a cryptographic module on a second network node different than the first network node. The last secret provides access to a secure entity and is the last cryptographic element controlling access to the secure entity. The systems and methods include generating the seed configured for deriving or recovering the last secret, creating an envelope for the seed, and transmitting the seed to the computing system as enveloped data by the cryptographic module. The systems and methods include decrypting the EnvelopedData to recover the seed and deriving or recovering the last secret based on the seed by the computing system. The cryptographic module cannot derive the last secret and excludes the last secret.

Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.

Abstract: Disclosed herein are methods, systems, and processes for validating vulnerabilities using lightweight offensive payloads. An attack payload limited by an execution scope that includes pre-defined exploit features for validating code execution associated with a vulnerability is generated. The attack payload is transmitted to a target computing system and a confirmation of the code execution based on at least one pre-defined exploit feature is received, permitting a determination that the vulnerability has been validated.

Abstract: A system for assessing potential cybersecurity threats to a subject system is provided. The system includes a computer system including at least one processor in communication with at least one memory device. The at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.

Abstract: An attestation component to make attestations about itself to a relying party. The attestation component offers identity attestations of a particular decentralized identity, and manages use of a private key of that decentralized identity. However, the attestation component also has its own private key that is different than the private key of the decentralized identity for which it offers attestations. As an example, the attestation component might, using its own private key, provide an integrity attestation from which an integrity with which the attestation component has managed the private key of the decentralized identity may be determined. Based on this integrity attestation, a relying party can determine whether to trust other attestations provided by the attestation component on behalf of the decentralized identity.

Abstract: A method and system for detecting and mitigating a denial of service attack against a destination server (12) and/or connected devices (14). Incoming traffic packets (26) are monitored and a first distribution of the incoming traffic packets (26) is built in accordance with Benford's Law for normal traffic behaviour. A denial of service attack is detected when it occurs. Once an attack is detected, the incoming traffic packets (26/28) are sorted in accordance with Zipf's Law and a sorted distribution is created. The sorted distribution is compared with the first distribution. The incoming traffic packets (28) in the sorted distribution that are not consistent with the first distribution are discarded. A second distribution is then built in accordance with Benford's Law using the incoming traffic packets (28) in the sorted distribution excluding the discarded incoming traffic packets.

Abstract: A login method includes: after a login process of a service apparatus is triggered, acquiring verification information of a target primary account, and sending the verification information to an identity management apparatus; after receiving the verification information by the identity management apparatus, performing identity verification on the target primary account by using an identification information set of a registered primary account, and after the identity verification is passed, acquiring login information of at least one sub-account associated for the service apparatus in advance with the target primary account and sending the login information to the service apparatus; and determining, by the service apparatus, a target sub-account based on the login information and logging in to a server side.

Abstract: De-identification of source entity data is provided, in which a process obtains source entity data having an entity identifier and entity attribute data in respective formats for entity attributes of that entity, obtains a predefined library of fictitious entities with corresponding fictitious entity attribute data, for the entity attributes, that is in the respective formats, and generates a de-identified entity lookup list by applying a transformation to the entity identifier to produce a transformed entity identifier, selecting a fictitious entity from the predefined library of fictitious entities, and writing to the de-identified entity lookup list the entity identifier, the transformed entity identifier, and the fictitious entity attribute data, for the entity attributes, that corresponds to the selected fictitious entity. The process also processes entity file(s) using the de-identified entity lookup list to de-identify the entity and produces de-identified entity file(s).

Abstract: An information handling system with improved data security has a signal detector circuit to receive a signal interrupt from a plurality of signal interrupt sources, and an authentication timer circuit that starts measuring a configured time duration based upon the received signal interrupt. A scrambler module initiates data scrambling upon completion of the configured time duration.

Abstract: A process of hiding a key or data inside of random noise is introduced, whose purpose is to protect the privacy of the key or data. In some embodiments, the random noise is produced by quantum randomness, using photonic emission with a light emitting diode. When the data or key generation and random noise have the same probability distributions, and the key size is fixed, the security of the hiding can be made arbitrarily close to perfect secrecy, by increasing the noise size. The hiding process is practical in terms of infrastructure and cost, utilizing the existing TCP/IP infrastructure as a transmission medium, and using light emitting diode(s) and a photodetector in the random noise generator. In some embodiments, symmetric cryptography encrypts the data before the encrypted data is hidden in random noise, which substantially amplifies the computational complexity.

Abstract: Concepts and technologies are disclosed herein for tag-based security policy creation in a distributed computing environment. A security management module can receive an inventory event that relates to instantiation of a service. The security management module can identify the service that was instantiated and obtain a tag set that relates to the service. The tag set can include security tags that include a string that identifies a communications link associated with the entities included in the service that was instantiated. The security management module can identify policy rules associated with the security tags. The policy rules can define security for the service that was instantiated. The security management module can compute a security policy for the service and can provide the security policy to the computing environment for implementation.

Abstract: A method for defending an HTTP flood attack includes: determining the number of HTTP requests, transmitted by a protection device, received within each monitored time interval, where the HTTP requests include HTTP requests carried by a single data packet and HTTP requests carried by a plurality of data packets; verifying a target HTTP request after the number of HTTP requests received within any monitored time interval reaches a first threshold, where the target HTTP request includes an HTTP request received after the number of HTTP requests received within any monitored time interval reaches the first threshold; and responding to a verified target HTTP request.

Abstract: Disclosed are systems and methods for registering and localizing a building server. A system comprises a building server communicatively coupled with a computing cloud, and configured to initiate a registration process that comprises transmitting data identifying the building server. The computing cloud comprises at least a device registration module that receives the data transmitted from the building server, authenticates the building server, and generates and transmits data such as a building server password and a digital certificate. The computing cloud also comprises an identity management module that receives a request to create a unique ID associated with the building server, and updates a memory to indicate an association between the building server and the computing cloud.

Abstract: Method and system for cryptographic transformation of a structured data set. The structured data set is partitioned into a first subset and a plurality of further subsets for encryption in parallel. The subsets are divided into a plurality of blocks of predetermined size. A first block for each subset is identified as well as a location of each further block in said subset relative to said first block of its subset. Cryptographic transformation of the data subsets is performed using a key according to a block chain process and an offset value for the first block of each subset from the first block of the first subset is logged. The process allows a block chain to be broken into part way in the chain. The process may allow different partitioning to be used for decryption than was used for encryption, thereby allowing parallel processing on varying numbers of computational cores.

Abstract: Computer-implemented methods and systems are provided for generating a distributed representation of electronic transaction data. Consistent with disclosed embodiments, generation may include receiving electronic transaction data including first and second entity identifiers. Generation may also include generating an output distributed representation by iteratively updating a distributed representation using the electronic transaction data. The distributed representation may include rows corresponding to first entity identifiers and rows corresponding to second entity identifiers. An iterative update may include generating a training sample and an embedding vector using the components and the distributed representation; determining, by a neural network, a predicted category from the embedding vector; and updating the distributed representation using the predicted category and the training sample.

Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for network protection, the method comprising determining, by the processor, if an incoming connection comprising one or more packets has a false latency larger than a trigger latency; determining, by the processor, if an attack is currently in progress; and if the attack is in progress, injecting, by the processor, at least one of the one or more packets of the incoming connection or one or more packets of an outgoing connection with a false latency.

Abstract: A method of efficient rekey in a transparent decrypting storage array includes receiving an instruction to rekey data on a storage array, wherein the instruction identifies first encryption information and second encryption information. The method further includes decrypting, by a processing device of a storage array controller, the data using the first encryption information to generate decrypted data. The method further includes encrypting the decrypted data using the second encryption information to generate encrypted data.

Abstract: Systems, methods, and related technologies for analyzing traffic based on naming information are described. In certain aspects, name information and address information from a name translation response are stored. The name information is associated with a device based on the device sending a communication to an address associated with the name information.

Abstract: The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes application layer data in historical traffic to an online system to determine a historical volume of member traffic from an Internet Protocol (IP) address to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates a rate limit for a set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address. During a DDoS attack, the system outputs the rate limit for use in blocking a subset of the requests from the IP address to the online system.