Abstract: This disclosure describes systems on a chip (SOCs) that prevent trim attempts. The SOCs include one-time programmable (OTP) memory and an engine configured to determine if the one-time programmable (OTP) memory has been trimmed; and if the one-time programmable (OTP) memory has been trimmed, to prevent trimming of the OTP memory.

Abstract: A network device may determine that network traffic for a communication session between a first peer device and a second peer device is to be protected using a security protocol suite. The network device may establish, using one or more tunnels, multiple security associations that are to be used to securely provide the network traffic of the communication session over an unsecured medium. The network device may determine a rekey scheduling time for each security association, of the multiple security associations, based on a combination of configuration information and dynamic network device information. The network device may perform, at each rekey scheduling time, a rekeying procedure to rekey each security association of the multiple security associations.

Abstract: An apparatus in one embodiment comprises a processing platform configured to communicate over a network with a plurality of Internet of Things (IoT) devices. The processing platform receives at least a first intermediate message from a first gateway of the network, receives one or more additional intermediate messages from each of one or more additional gateways of the network, associates the first and additional intermediate messages with one another based at least in part on a common message identifier detected in each such intermediate message, and processes the associated first and additional intermediate messages to recover a device message from a given one of the IoT devices. The first intermediate message is based at least in part on at least one application of a designated cryptographic function to the device message utilizing a corresponding key. At least one of the one or more additional intermediate messages provides at least a portion of the key.

Abstract: The present disclosure is directed to managing device authorization through the use of digital signature thresholds. Individual components of a device, or individual devices in a network environment, are associated with separate secret shares from which a digital signature can be derived. The digital signature may be used to authorize performance of a function. A threshold number of such secret shares are used in order to derive the digital signature. Therefore, an authorization process that relies on digital signature verification to determine that a function is authorized will do so if a threshold number of secret shares are available at authorization time.

Abstract: A system is configured for associating a CVE with a particular device profile is disclosed. The system receives a request from a user to associate a CVE with a particular device profile. For each device profile from a plurality of device profiles stored in a memory, the system determines feature importance values for features of each device profile. The features of each device profile include at least an operating system and a CPU architecture. The feature importance value of a corresponding feature of a device profile associated with a CVE indicates a probability of the CVE to affect the device profile with respect to that feature. The system identifies a device profile that has features with a total feature importance value above a feature importance threshold value. The system identifies a particular CVE associated with the identified device profile. The system associates the particular CVE with the particular device profile.

Abstract: A method may include determining that a non-constant value of a variable corresponding to a variable node of the abstract syntax tree flows into an operator node in the abstract syntax tree. The method may further include adding, to the abstract syntax tree, a check taint node including functionality to: make a taint status determination that the non-constant value is tainted, and return the non-constant value to the operator node. The operator node generates a result value by executing an operator using the non-constant value. The method may further include adding, to the abstract syntax tree, a set taint node that stores, based on the taint status determination, the result value in a second tainted object, and performing, using the abstract syntax tree, a taint analysis of the source code to identify a vulnerability in the source code.

Abstract: Technologies for detecting cyber-attacks against electrical distribution devices include a controller. The controller includes circuitry to determine a first measured value of a first operational parameter of a transformer based upon one or more signals received from one or more sensors of the transformer. The circuitry is also to determine a second measured value of a second operational parameter of the transformer based upon one or more signals received from the one or more sensors of the transformer, calculate a first expected value of the first operational parameter based on the second measured value of the second operational parameter and a model of the transformer that relates the first and second operational parameters, compare the first measured value of the first operational parameter to the first expected value of the first operational parameter, and identify when a difference between the first measured value and the first expected value exceeds a first threshold.

Abstract: An apparatus for Internet of Things (IoT) registration includes a beacon frame transmitting unit for transmitting a beacon frame to a plurality of stations, an authentication unit that receives an authentication request frame from the plurality of stations in a first method, and an association unit that transmits an authentication response frame or an association response frame to the plurality of stations in a second method.

Abstract: An example client device includes a processor configured construct a key to be used to encrypt or decrypt data of a communication session between the client device and a server device, partition the key into a plurality of key partitions, send data representative of the key and a location of the client device to the server device, send data representative of each of the plurality of key partitions to a respective key verification server device of a plurality of key verification server devices, and after receiving an indication from the server device that the key has been verified using data representative of the key, the location of the client device, and the plurality of key partitions, encrypt or decrypt data exchanged with the server device using the key.

Abstract: A method of managing a node in a cluster of nodes in an SDN network. The method comprising receiving from the node a request to join the cluster and a list of references authenticating the node. The references are verified and if the referenced passed the verification the node is allowed to join the cluster. Then a trust level of the node is calculated based on the number of verified references, wherein a role of the node in the cluster depends on the trust level of said node.

Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.

Abstract: A method may include running virtual sessions on a virtualization server for a plurality of client devices associated with respective users, with the virtual sessions being responsive to traffic from the client devices. The method may further include generating baseline traffic patterns for the users based upon the traffic from respective client devices during the virtual sessions, monitoring traffic during a new virtual session for a given client device and detecting an anomaly therein relative to at least one of the baseline traffic patterns, and generating an anomaly alert based upon detecting the anomaly.

Abstract: Generally described, one or more aspects of the present application correspond to a content validation system. A content validation service receives visual secret request information from user devices. The content validation service provides visual secret information to be rendered with received content. The content validation service then receives a snapshot of content to be rendered including a representation of the visual secret information to validate the content.

Abstract: At an authorization manager, an indication is obtained that a request pre-processing tool has been designated as a validator for a category of requests directed to a network-accessible service. The authorization manager determines, based at least in part on a validation result set indicated in a request of the category, that the request pre-processing tool has verified that the request meets an authorization requirement. The authorization manager approves one or more operations indicated in the request.

Abstract: The present approaches generally relate to the encryption of data within a database in such a way that the encrypted data may still be easily accessed and utilized by an application. The present approach provides the ability to encrypt and decrypt data at an application layer though the data remains in an encrypted state at the database layer and when in transit.

Abstract: A tokenization system tokenizes sensitive data to prevent unauthorized entities from accessing the sensitive data. The tokenization system accesses sensitive data, and retrieves an initialization vector (IV) from an IV table using a first portion of the sensitive data. A second portion of the sensitive data is modified using the accessed initialization vector. A token table is selected from a set of token tables using a third portion of the sensitive data. The modified second portion of data is used to query the selected token table, and a token associated with the value of the modified second portion of data is accessed. The second portion of the sensitive data is replaced with the accessed token to form tokenized data.

Abstract: A vehicle computer includes a watermark memory and a watermark processor programmed to execute instructions stored in the watermark memory. The instructions executed by the watermark processor include receiving an image captured by a camera, selecting a set of random pixel locations, generating a random watermark, and embedding the random watermark into the image at the set of random pixel locations. Another vehicle computer includes a validation memory and a validation processor programmed to execute instructions stored in the validation memory. The instructions executed by the validation processor include receiving a watermarked image, determining a random watermark, detecting an embedded watermark in the received watermarked image by selecting a set of random pixels and analyzing the selected set of random pixels for the random watermark, and authenticating the watermarked image as a result of determining that the watermarked image includes the random watermark at the set of random pixel locations.

Abstract: Disclosed are methods and systems that include receiving updated operating system information, encrypting the updated operating system information, and updating a map file. The updated operating system information is received at an encryption virtual machine. The encrypting the updated operating system information results in the encrypted updated operating system information. The encrypting the updated operating system information is managed by the encryption virtual machine. The updated operating system information is encrypted in response to receipt of the updated operating system information. The updated operating system information is encrypted using an encryption key.

Abstract: The present disclosure discloses an information processing method, including the steps of acquiring at least one executable file of a specified type; extracting a first operation instruction from the at least one executable file of the specified type; determining the first operation instruction as a feature instruction if a preset policy is met; extracting a feature value of the feature instruction; constructing a virus classification model based on the feature value of the feature instruction for obtaining a virus structural feature parameter; extracting a second operation instruction from at least one to-be-analyzed file when the at least one to-be-analyzed file is identified according to the virus classification model; and identifying the to-be-analyzed file as a virus file if the feature value of the second operation instruction corresponds to the virus structural feature parameter.

Abstract: A method and system for providing invitation links with enhanced protection are presented. The method includes sending, to at least one invitee, at least one invitation link for accessing the protected resource, wherein the at least one invitation link includes a secret invitation code encoded therein, wherein the secret invitation code is unique to each invitee, the invitation link is sent to the at least one invitee through a primary communication channel; upon detecting an attempt to access the at least one invitation link, determining whether the encoded secret invitation code matches a known secret invitation code; upon determining that the secret invitation code matches the known secret invitation code, performing a verification process to authenticate the invitee via a secondary channel of communication; and upon determining that the verification process has been passed, granting access to the protected resource.