Abstract: Various implementations described herein are directed to a device having a write circuit that provides data for storage. The device may include a memory circuit that stores the data in leaky bitcells with capacitive elements that gradually discharge over a pre-determined period of time. The device may include a read circuit that enables the leaky bitcells to operate as one or more memory storage elements. The device may include a query circuit that identifies matches between a query data and output data provided by the read circuit.

Abstract: A method is provided that includes receiving a computer program comprising regions of code, each region of code including at least one function, pruning a search space of the received computer program by applying a high-level model recognizing potential software vulnerabilities to the computer program to determine a region of the code of the regions of code that includes a potential software vulnerability, performing a localized static analysis on the region of the code that include the potential software vulnerability to determine a local condition that causes the potential software vulnerability to be expressed in the computer program, and generating a report that includes the region of the code that includes the potential software vulnerability including a location of the region of the code within the computer program and the local condition that causes the potential software vulnerability to be expressed in the computer program.

Abstract: A method is provided that includes receiving a source code block of a source code and a sensor configuration associated with the source code block, performing instrumentation on the source code block at least two times to generate corresponding at least two differently instrumented code blocks from the source code block, creating a corresponding model of the sensor configuration for each differently instrumented code block, and receiving a request for an instrumented variant of the source code block for execution by a processing element and deploying the instrumented variant of the source code block to the processing element. The instrumented variant of the source code block comprises one of the at least two differently instrumented code blocks from the source code block.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving, for execution by a processing element, a relocatable instrumented code block, the relocatable instrumented code block being code that has undergone instrumentation for a monitoring system, duplicating at least one function of the relocatable instrumented code block to produce a plurality of duplicate relocatable code blocks, allocating the instrumented code block and each duplicate relocatable code block of the plurality of duplicate relocatable code blocks to different locations in a memory on a computing device, creating a relocated mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in the memory, and transmitting a copy of the mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in memory to the monitoring system.

Abstract: A behavioral sensor for creating consumable events can include: a feature extractor coupled to receive an event stream of events performed by a circuit, wherein the feature extractor identifies features of a particular event of the event stream and associates the particular event with a time; and a classifier coupled to receive the features of the particular event from the feature extractor, wherein the classifier classifies the particular event into a classified event associated with the time using predefined categories based on the received features of the particular event; whereby the classified event and subsequent classified events extracted from the event stream within a time frame are appended in a time series forming the consumable events.

Abstract: There is provided an apparatus and method, the apparatus comprising storage circuitry to store event information associated with instructions occurring between instrumentation points. The event information indicates a plurality of different types of events expected to occur during execution of the instructions. The event information comprises, for each event, type information indicating a type of that event and an expected number of occurrences of that event. The apparatus is also provided with monitoring circuitry comprising a plurality of programmable counters. The monitoring circuitry is responsive to a start instrumentation point, to assign at least a subset of the plurality of programmable counters to measure, during execution of the program instructions, occurrences of the plurality of different types of events identified in the event information.

Abstract: A method of malware detection includes performing, by a second device of a plurality of devices on a network, a fuzzy matching between a second sequence of events occurring at the second device and a first sequence of captured events that occurred at a first device of the plurality of devices on the network; determining, by the second device, that a result of the fuzzy matching reaches a first threshold; and in response to determining that the result of the fuzzy matching reaches the first threshold, initiating a detailed instrumentation at the second device. The method can further include determining, by the second device, that a first condition is satisfied; and in response to determining that the first condition is satisfied: generating a second malware behavior package including information from the detailed instrumentation; and communicating the second malware behavior package over the network.

Abstract: A method to mitigate an attack initiated by a malicious actor by migration of the attacked process is provided. The method includes monitoring a process being executed from a first computing location on a computing device for a trigger indicating a potential attack and detecting the trigger indicating the potential attack. Responsive to detecting the trigger indicating the potential attack, initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. A computing device is also provided that includes a processor, a memory, and instructions stored on the memory that when executed by the processor direct the computing device to monitor a process being executed from a first computing location on the computing device for a trigger indicating a potential attack and detect the trigger indicating the potential attack.

Abstract: A data processing apparatus is provided that includes forecast circuitry for generating a forecast of an aspect of a system for a next future time and for one or more subsequent future times following the next future time. Measurement circuitry generates, at the next future time, a new measurement of the aspect of the system. Aggregation circuitry produces an aggregation of the forecast of the aspect of the system for the next future time and of the new measurement of the aspect of the system. The forecast circuitry revises the forecast of the aspect of the system for the one or more subsequent future times using the aggregation.

Abstract: A method and apparatus to classify processor events is provided. The apparatus includes a reference generator, a warping unit, a correlation unit and a detector. The reference generator provides a self-reference for an event vector stream based on a history of the event vector stream and the warping unit dynamically aligns the event vector stream with the self-reference to generate a warped event vector stream. The correlation unit determines a window-by-window correlation of event vectors of the warped event vector stream, and the detector passes a window of event vectors of the warped event vector stream to a behavioral classifier when the window-by-window correlation achieves a threshold value. The behavioral classifier may use machine learning. A sample reservoir may be used to store dynamically selected event vectors of the event vector stream that are used, at least in part, to generate the self-reference.

Abstract: A method and apparatus to classify processor events is provided. The apparatus includes a reference generator, a warping unit, a correlation unit and a detector. The reference generator provides a self-reference for an event vector stream based on a history of the event vector stream and the warping unit dynamically aligns the event vector stream with the self-reference to generate a warped event vector stream. The correlation unit determines a window-by-window correlation of event vectors of the warped event vector stream, and the detector passes a window of event vectors of the warped event vector stream to a behavioral classifier when the window-by-window correlation achieves a threshold value. The behavioral classifier may use machine learning. A sample reservoir may be used to store dynamically selected event vectors of the event vector stream that are used, at least in part, to generate the self-reference.

Abstract: A data processing apparatus is provided that includes storage circuitry to store a plurality of interconnected instructions. Analysis circuitry analyses the instructions to determine a degree of uniqueness of profile measurements of a control flow path fragments within the instructions.

Abstract: A behavioral sensor for creating consumable events can include: a feature extractor coupled to receive an event stream of events performed by a circuit, wherein the feature extractor identifies features of a particular event of the event stream and associates the particular event with a time; and a classifier coupled to receive the features of the particular event from the feature extractor, wherein the classifier classifies the particular event into a classified event associated with the time using predefined categories based on the received features of the particular event; whereby the classified event and subsequent classified events extracted from the event stream within a time frame are appended in a time series forming the consumable events.

Abstract: Subject matter disclosed herein may relate to time-series mixing for adaptive system training and may relate more particularly to causality-preserving time series mixing for adaptive system training.

Abstract: A method of tracking a history of firmware program updates. The method includes reading current descriptions of current application programming interfaces from a history log. The current application programming interfaces correspond to current software modules. The current software modules form a current firmware program of a target device. The method also includes accessing updated software modules and new descriptions of new application programming interfaces of an updated firmware program. The updated firmware program is created from the current firmware program. The method further includes appending the new descriptions to the current descriptions in the history log, reading the new descriptions of the new application programming interfaces from the history log, generating an updated linkage for the updated firmware program by adding new links for the new application programming interfaces, and storing the updated software modules and the updated linkage in the history log.

Abstract: The present disclosure advantageously provides a computer-based method for partitioning software for an embedded system with a memory protection unit (MPU). Object code within a plurality of object files is converted to intermediate code. A call graph is generated based on the intermediate code. The call graph is transformed into a directed flow graph, which includes updating the call graph's node weights and directed edge weights. The directed flow graph is partitioned into a target number of MPU memory regions, which includes assigning each element of the object code to one of the MPU memory regions. Each element of the object code is relocated to a new object file that corresponds to the assigned MPU memory region. An MPU configuration object file is created that includes one or more configuration parameters for each MPU memory region.

Abstract: Techniques, supported by corresponding apparatuses and methods, are disclosed for monitoring execution of software in a trusted environment and generating path signatures which are characteristic of the behaviour of the software. Multiple approximate nearest neighbour searching hash tables are generated in dependence on such path signatures and on attribute information defining behavioural classifications for the path signatures. Later execution of the software in a non-trusted environment is monitoring and an observed path signature characteristic of the behaviour of the software is generated. This observed path signature is queried against the multiple approximate nearest neighbour searching hash tables and a behavioural classification is determined in dependence on hash collision-based similarity between the observed path signature and the content of the multiple approximate nearest neighbour searching hash tables.

Abstract: The affective state called flow is described as a state of optimal experience, total immersion, and high productivity. As an important metric for various scenarios ranging from (professional) sports to work environments and user experience evaluation, it is widely studied using traditional questionnaires. To make flow measurement accessible for online real-time environments, to automatically determine a user's flow state based on physiological signals measured with a wearable device, a system and method is presented to play the game Tetris® at different difficulty levels, resulting in boredom, stress, and flow. A CNN is used to achieve 70% accuracy in detecting flow-inducing values.

Abstract: Techniques, supported by corresponding apparatuses and methods, are disclosed for monitoring execution of software and generating path signatures which are characteristic of the behaviour of the software. Multiple approximate nearest neighbour searching hash tables are generated in dependence on such path signatures. Observed path signatures are also compared against the previously generated content of these runtime multiple approximate nearest neighbour searching hash tables and a behavioural classification is determined in dependence on hash collision-based similarity between the observed path signature and the content of the multiple approximate nearest neighbour searching hash tables.

Abstract: A method of tracking a history of firmware program updates. The method includes reading current descriptions of current application programming interfaces from a history log. The current application programming interfaces correspond to current software modules. The current software modules form a current firmware program of a target device. The method also includes accessing updated software modules and new descriptions of new application programming interfaces of an updated firmware program. The updated firmware program is created from the current firmware program. The method further includes appending the new descriptions to the current descriptions in the history log, reading the new descriptions of the new application programming interfaces from the history log, generating an updated linkage for the updated firmware program by adding new links for the new application programming interfaces, and storing the updated software modules and the updated linkage in the history log.