Abstract: A system includes calling to a first function, determination, in response to the call, of whether to execute a first version of the first function or a second version of the first function, execution of the first version of the first function if it is determined to execute the first version of the first function, and execution of the second version of the second function if it is determined to execute the second version of the first function, wherein the second version of the first function comprises a security-related features and the first version of the first function does not comprise the security-related feature.

Abstract: The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to a create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

Abstract: A memory device includes an address generator which generates a first physical address and a second physical address different from the first physical address. A first nonvolatile memory includes the first physical address, and a second nonvolatile memory includes the second physical address. An attack detecting circuit detects whether the first and second nonvolatile memories are attacked. The attack detecting circuit receives first data from the first nonvolatile memory and receives second data from the second nonvolatile memory, compares the first data and the second data with each other, and determines whether the first and second nonvolatile memories are attacked on the basis of a comparison result of the first data and the second data.

Abstract: A detecting device (10) acquires information related to communication by an IoT device. The detecting device (10) inputs data representing a feature of the information related to the communication to a generative model which generates output data on the basis of a latent variable which is a random variable according to a mixed Gaussian distribution and input data, and calculates the output data. The detecting device (10) calculates an anomaly score on the basis of the output data and detects an anomaly in the IoT device when the anomaly score exceeds a threshold value.

Abstract: A platform comprising numerous reconfigurable circuit components arranged to operate as primary and redundant circuits is provided. The platform further comprises security circuitry arranged to monitor the primary circuit for anomalies and reconfigurable circuit arranged to disconnect the primary circuit from a bus responsive to detection of an anomaly. Furthermore, the present disclosure provides for the quarantine, refurbishment and designation as redundant, the anomalous circuit.

Abstract: A management system detects a change at the target device. The management system transmits a request message to authorization devices of the authorization users of the multi-user authorization pool to from the authorization users an indication of whether the detected change is approved. The management system receives a plurality of response messages from authorization devices of the multi-user authorization pool indicating whether the detected change is approved by the corresponding authorization user, and based on at least three of the plurality of response messages indicating a disapproval, that the detected change is disapproved. In response to the determination that the change is disapproved, an instruction message is sent to a target managed device to instruct the target managed device to rollback to an earlier state.

Abstract: Systems, methods, and computer-readable media for cybersecurity are disclosed. The systems and methods may involve receiving, by an application capable of JavaScript execution, code for execution; executing, before execution of the received code, an intercepting code, wherein the intercepting code is configured to intercept at least one application programming interface (API) invocation by the received code; intercepting, by the intercepting code, an API invocation by the received code; determining that the intercepted API invocation results in a manipulation of a backing store object; and modifying an execution of the intercepted API invocation, wherein the modified execution results in a nonpredictable environment state.

Abstract: In some embodiments, a behavior classifier comprises a set of neural networks trained to determine whether a monitored software entity is malicious according to a sequence of computing events caused by the execution of the respective entity. When the behavior classifier indicates that the entity is malicious, some embodiments execute a memory classifier comprising another set of neural networks trained to determine whether the monitored entity is malicious according to a memory snapshot of the monitored entity. Applying the classifiers in sequence may substantially reduce the false positive detection rate, while reducing computational costs.

Abstract: A method for halting malware includes: monitoring plural file system events with a system driver to detect an occurrence of a file system event having a predetermined file type and log event type; triggering a listening engine for file system event stream data of a file associated with the detection of the file system event, the file system event stream data indicating data manipulation associated with the file due to execution of a process; obtaining one or more feature values for each of plural different feature combinations of plural features of the file based on the file system event stream data; inputting one or more feature values into a data analytics model to predict a target label value based on the one or more feature values of the plural different feature combinations and agnostic to the process; and performing a predetermined operation based on the target label value.

Abstract: Provided is an analysis device with which it is possible to find information relating to the intention and purpose of an attacker. The analysis device is provided with a purpose estimating means that estimates the purpose of behavior, based on predetermined behavior in the computer and knowledge information that includes the relation between the behavior and the purpose of executing the behavior.

Abstract: Methods, apparatus, systems, and articles of manufacture to provide and monitor efficacy of artificial intelligence models are disclosed. An example apparatus includes a model trainer to train an artificial intelligence (AI) model to classify malware using first training data; an interface to deploy the AI model to a processing device; a model implementor to locally apply second training data to the AI model to generate output classifications, the second training data generated after generation of the first training data; and a report generator to generate a report including an efficacy of the AI model based on the output classifications.

Abstract: A virus scanning router may manages a local network, including routing network traffic between devices on the network and routing network traffic being sent to and from such devices via an external communication system. The virus scanning router remotely scans for viruses the files stored on one or more such devices on the network. The virus scanning router may be a device trusted by the other devices on local network to facilitate the virus scanning router reading and scanning one or more files stored on such devices for viruses. The virus scanning router also takes corrective actions such as isolating the infected device or isolating an affected network zone to which the remote device belongs.

Abstract: A client computing device has a storage device storing a plurality of files and a system agent. The system agent applies a hash function to binary data read from the plurality of files to generate a set of data signatures. A server computing device has a database interface to access a database representing a state of the network and storage for a set of exemplar data signatures resulting from a scan of one or more exemplar computing devices, each data signature generated by applying a hash function to binary data representing a file. The client computing device is configured to receive and compare the set of exemplar data signatures with the generated set of data signatures, and to transmit data to the server computing device based on the comparison. The server computing device is configured to obtain data received from the client computing device and update records in the database.

Abstract: There is disclosed in one example a hardware computing platform, including: a processor; a memory; a network interface; and a security module, including instructions to cause the processor to: receive a request to download a file via the network interface; download a first portion of the file into a buffer of the memory; analyze the first portion for malware characteristics; assign a security classification to the file according to the analysis of the first portion; and act on the security classification.

Abstract: System and method for executing scan operations on computing systems use a sparse file that represents a storage device of a computing system to scan a file stored in the storage device. The sparse file is created and mounted to a scanner appliance such that the sparse file appears to a scan engine of the scanner appliance as a local storage device. When a read request for the file stored in the storage device is issued from the scan engine that results in an implicit read request to the sparse file, the implicit read request is trapped. While the implicit read request is trapped, data of the file is retrieved from the storage device of the computing system to the scanner appliance using a communication transport. The retrieved data of the file is then scanned using the scan engine at the scanner appliance.

Abstract: Embodiments described herein are capable of preventing the installation of unwanted software bundled with a desired application at runtime, while allowing the installation of the desired application to continue as expected. For example, the embodiments described herein create a decoy in memory that preempts unwanted code. The decoy attracts any illegitimate code and diverts it into a dead end (e.g., the code is isolated, thereby preventing it from properly executing), while installation of the legitimate code (i.e., the desired application) flows as expected. The foregoing detects that a reflective loading process of DLL associated with the unwanted application has occurred, identifies the entity that attempted to perform the reflective loading process, and prevents the entity from completing the reflective loading process without terminating the main installer.

Abstract: A method and a system for identifying indicators of compromise are provided. The method comprises: obtaining a given malware carrier configured for execution a main malware module; generating, based on the given malware carrier, an attack roadmap, the attack roadmap including a plurality of malware carriers; determining a malware class of each one of the plurality of malware carriers; generating a current list of indicators of compromise of each of the plurality of malware carriers; searching a database to locate at least one stored attack roadmap including a plurality of stored malware carriers; retrieving from the database a stored list of indicators of compromise for each of the plurality of stored malware carriers; generating an amalgamated list of indicators of compromise based on the current list of indicators and the stored digital list of indicators of compromise; storing, in the database, the amalgamated list of indicators of compromise.

Abstract: An apparatus for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus includes a cryptographic engine, memory, and at least one processor coupled with the cryptographic engine and memory. The cryptographic engine stores cryptographic metadata for authorized upgrade images for updating at least one target computing device coupled to the data bus. The cryptographic metadata includes a manifest list of upgrade images. The processor is configured to monitor the data bus for transmissions of striped update hashes from a maintenance device, to receive signed striped hashes corresponding to an upgrade image file transmitted by the maintenance device, to validate the striped update hashes using information in the manifest list, to log that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and to perform a mitigation action(s) in response to the attempted unauthorized upload.

Abstract: A system on chip includes a memory, a main processor that runs an operating system, and first Intellectual Properties (IPs) that perform respective processing operations. The main processor operates to copy target firmware to the memory using a firmware loader, using a hypervisor, block access of the main processor and the first IPs to the target firmware before verification of the target firmware, and using the hypervisor, grant access to the target firmware by a target IP among the first IPs that corresponds to the target firmware after the verification of the target firmware.

Abstract: Technologies are described herein for providing a Baseboard Management Controller (“BMC”)-based security processor. The disclosed BMC-based security processor can provide a hardware Root of Trust (“RoT”) for a computing platform without the addition of specialized silicon to the platform and while minimizing the number of attack points. The disclosed BMC-based security processor can also provide functionality for securely filtering requests made on certain buses in a computing platform. Through implementations of the features identified briefly above, and others described herein, various technical benefits can be achieved such as, but not limited to, increased security as compared to previous computing systems that utilize a BMC to provide a hardware RoT and reduced complexity and cost as compared to previous computing systems that utilize a separate hardware device, such as a Field Programmable Gate Array (“FPGA”) or a microcontroller, to provide a hardware RoT.

Abstract: A method includes detecting a change in control of a peripheral device from a first security domain to a second security domain of a computer system and in response to detecting the change in control of the peripheral device, reading a current firmware version of the peripheral device and determining whether the current firmware version of the peripheral device is trusted by the computer system. The method further includes in response to determining that the current firmware version is trusted by the computer system, providing control of the peripheral device to the second security domain.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: A device includes processing circuitry configured to receive node data including attributes from at least one computing device, organize the node data into one or more node groupings, wherein each node grouping includes nodes of the node data having one or more shared attributes, determine a node grouping processing scheme based on one or more transient event detection priorities, and detect, in response to executing the node grouping processing scheme for each of the one or more node groupings, one or more transient event occurrences within the one or more node groupings.

Abstract: A learning device estimating apparatus aims at a learning device as an attack target, and comprises a recording part, an inquiring part, a capturing part and a learning part. A predetermined plurality of pieces of observation data are recorded. The inquiring part inquires of the attack target learning device for each of the pieces of observation data recorded in the recording part to acquire label data and records the acquired label data to the recording part in association with observation data. The capturing part inputs the observation data and the label data associated with the observation data that have been recorded to the recording part, to the learning part. The learning part is characterized by using an activation function that outputs a predetermined ambiguous value in a process for determining a classification prediction result, and the learning part performs learning using the inputted observation data and label data.

Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.

Abstract: Methods and systems are provided for performing operations comprising: generating, on a publicly accessible server, a secure enclave, the secure enclave having isolated memory and processing resources of the server; installing, on the secure enclave, a virtual machine comprising a guest operating system of a first entity; installing, by the virtual machine, one or more cryptographic processes associated with the first entity; and encrypting and decrypting cryptographic keys associated with the first entity using the one or more cryptographic processes.

Abstract: Techniques for managing an application token may include providing, by a first service provider application on a communication device to a first service provider computer, a first request for a first application token, receiving, by an account management application on the communication device from a token service computer in communication with the first service provider computer, the first application token, and storing the first application token in a token container in the account management application.

Abstract: An example operation may include one or more of receiving, from a plurality of providers by a secure enclave, a plurality of training data sets and a plurality of salts paired with the plurality of training data sets, respectively, hashing, via the secure enclave, pairs of training data sets and salts to generate a plurality of salted hashes, and combining the plurality of salted hashes to generate a digest, training, via the secure enclave, a model based on the plurality of training data sets to generate a trained model, and providing the trained model and the digest to a plurality of data providers of the plurality of training data sets and the plurality of salts.

Abstract: Techniques are disclosed relating to sharing data. A first computer system may receive data shared by a second computer system to permit the first computer system to perform processing of the data according to a set of policies. The first computer system may instantiate a verification environment in which to process the shared data. The first computer system may process a portion of the shared data by executing a set of processing routines to generate a result based on the shared data. The verification environment may verify whether the result is in accordance with the set of policies. The verification environment may determine whether to output the result based on the verifying and may send an indication of an outcome of the determining to the second computer system. The indication may be usable to determine whether to provide the first computer system with continued access to the shared data.

Abstract: The present teaching relates to a method, system, and programming for encrypted searching. In a search session, a uniform resource locator (URL) is received, wherein a portion of the URL is encrypted via a first key. A second key associated with the first key is obtained. A determination is made regarding whether a time-related criterion associated with the second key is satisfied. In response to the time-related criterion being satisfied, the portion of the URL is decrypted based on the second key to obtain a keyword, one or more search results are obtained based on the keyword, and a webpage including the one or more search results to be provided to a user is generated.

Abstract: A system for secure data protection and encryption for computing devices. The present invention includes a fast encryption technique for quickly ensuring that the correct binding parameters are used for an encrypted data file. The encrypted file is used in two ways. Because unsecure data could pass through a peripheral device to gain access to a secure computing environment, a dongle housing encryption and decryption subsystems is placed in between the unsecure sources and the peripheral that can encrypt and decrypt data intended for the secure computing environment. The firmware of the computing device can be updated by dividing the update file into encrypted segments that are verified on the device and placed into non-volatile memory. When all parts have been received, decrypted, and written into memory, the device reboots using the updated firmware.

Abstract: An image reading apparatus includes a scanner, an operation panel, a communication interface, and a processor. The scanner is configured to read an image of a document. The operation panel is configured to designate a transmission destination of scan data, the scan data including image data of the document read by the scanner. The communication interface is configured to transmit the scan data to the transmission destination designated on the operation panel. The processor is configured to transmit the scan data to the transmission destination without a password in response to the transmission destination designated on the operation panel being a transmission destination of an operator who operates the operation panel, and transmit the scan data protected with a password to the transmission destination in response to the transmission destination designated on the operation panel including a transmission destination of any person other than the operator.

Abstract: Methods and systems for a document-level attribute-based access control service are provided. The document-level attribute-based access control service may be positioned between a directory service and a search engine service. The directory service can manage information and permissions for users. The document-level attribute-based access control service can map security attributes to the user based on the information and permissions. Based on the mapping, it can be determined whether to permit the user making a query to the search engine service to access documents based on the query. Information and permissions attributes can be injected into queries dynamically via a template. Attributes may be combined with role query templates to create document-level attribute-based access control on top of role-based access control. The present technology can enable enforcement of security policies requiring all of a combination of attributes to be satisfied before permitting certain access.

Abstract: A method of generating relevant security rules for a user includes the steps of: building a first tree data structure from paths within a pool of security rules; collecting process paths for the user; and compiling the relevant security rules for the user by traversing the first tree data structure according to the process paths of the user.

Abstract: A request to modify a set of permissions (e.g., delete the permissions, replace the set of permissions with a different set of permissions) is received at a computing device. A set of services are prevented from using the set of permissions to access resources. The set of permissions are changed while the set of services are prevented from using the set of permissions to access resources.

Abstract: One example method includes receiving, at a node of a data confidence fabric (DCF), a DCF backbone, installing the DCF backbone at the node, receiving a config file at the node, and the config file includes configuration information concerning the node, and receiving and installing a trust insertion component specified in the configuration information, where operation of the trust insertion component is enabled by the DCF backbone, and the trust insertion component is operable to associate trust metadata with data received by the node.

Abstract: According to one embodiment, a memory system includes a nonvolatile memory and a controller. The controller controls the nonvolatile memory, writes data to a random access memory in a host, and reads data from the random access memory. The random access memory includes regions in first units to which the controller is accessible. The controller uses encryption keys associated with the regions, respectively, for encrypting data to be written into each of the regions and decrypting data read from each of the regions.

Abstract: A private information detector for data loss prevention is described.

Abstract: Systems as described herein may label data to preserve privacy. An annotation server may receive a document comprising a collection of text representing a plurality of confidential data from a first computing device. The annotation server may convert the document to a plurality of text embeddings. The annotation server may input the text embeddings into a machine learning model to generate a plurality of synthetic images, and receive a label for each of the plurality of synthetic images from a third-party labeler. Accordingly, the annotation server may send the confidential data and the corresponding labels to a second computing device.

Abstract: Techniques are described for communicating between two organizations without exchanging sensitive private information. One of the methods includes generating a token representative of private data. The method includes identifying at least one entity associated with the private data. The method includes associating the token with at least one entity. The method also includes providing information identifying at least one entity and the token to a machine learning system.

Abstract: A device implementing a system for anonymizing user data provided for server-side operations includes a processor configured to receive user input including a search term, wherein first and second data structures are stored on the device, the first data structure including user interest data items that correspond to prior user activity, the second data structure including topic data items mapped to the user interest data items, the topic data items being broader than the user interest data items. The processor accesses the second data structure to obtain one or more topic data items. The processor transmits, to a server, the search term and one or more topic data items for obtaining a query suggestion or search result. The processor receives, from the server, the query suggestion or search result, the query suggestion or search result having been obtained based on the search term and one or more topic data items.

Abstract: A smart mirror system includes a screen configured to generate a display for viewing by a user, a mirror positioned in front of the screen, a near-field-communication (NFC) card reader located behind the mirror, a network interface for communicating with a remote health data server, memory configured to store computer-executable instructions, and at least one processor configured to execute the instructions. The instructions include selectively detecting, by the NFC card reader, an NFC chip of a member card placed in proximity to the NFC card reader. The instructions include, in response to detecting the NFC chip, obtaining member information from the detected NFC chip, and authenticating the user to the remote health data server, via the network interface, according, at least in part, to the obtained member information.

Abstract: The present disclosure provides a communication network node for providing data to a distributed ledger, wherein the node has circuitry configured to: provide a user data management part for separating sensitive user data and non-sensitive user data, and provide the non-sensitive user data to the distributed ledger.

Abstract: Technologies are disclosed for a computing system that allows users to control the disclosure of their identities during communication sessions. Users can control the disclosure of their identities with respect to certain types of shared content. In one mode of operation, a user can share content anonymously. In another mode of operation, identity may be revealed when certain conditions are met or revealed to only certain other users. For example, the identity of a user who shared a comment anonymously may be revealed if multiple other users agree with that comment. In another mode of operation, the user's identity is revealed to all other users such as in a live video stream. The computing system can control display of users' identities based on user instructions or based on triggering conditions. A user interface (UI) can show content items that identify a user together with content items that are shared anonymously.

Abstract: A system and method for utilizing permissioned data is disclosed. A user may grant permission to share certain data over a platform. A third party may seek targeted attributes and match the targeted attributes with the shared attributes of a user. A user may agree to accept communications directly from the third party.

Abstract: An online document system manages access to features within the online document system. The online document system may receive and fulfill a request from a first entity to sponsor a feature for a second entity. The online document system may determine an access policy to restrict access to the sponsored feature. For example, the access policy may include a requirement that the second entity only use the sponsored feature with the first entity. The first entity may provide a second access policy to the online document system to enforce. If the second entity satisfies requirements of the access policies, the online document system may then provide access to the second entity to use the sponsored feature.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.

Abstract: An apparatus for preventing physical intrusion on a data bus includes a data bus state sensor coupled to the data bus for monitoring a state of the data bus, a power circuit for generating multiple voltages supplied to functional circuitry in the apparatus, and a variable override circuit. The variable override circuit receives one or more voltages from the power circuit and selectively gates the voltages onto the data bus as a function of one or more control signals. A controller coupled to the variable override circuit, the power circuit and the state sensor receives state information from the state sensor and generates the control signals in response to detection of physical intrusion on the data bus. The controller controls a voltage level of at least one of the voltages generated by the power circuit for overriding the data bus when physical intrusion is detected on the data bus.

Abstract: Provided is an anti-tamper protection circuit including a switch trigger port, a tamper signal transmission port, a power supply unit, and a signal output port. The switch trigger port is connected to a switch, the signal output port is connected to a digital movie server, and the tamper signal transmission port is configured to transmit a tamper signal transmitted to the signal output port through the tamper signal transmission port. In the present disclosure, when an LED display screen is powered off, a battery inside the digital cinema server would continue to power the digital cinema server to maintain proper functioning of the digital cinema server, the power supply unit also powers the anti-tamper protection circuit to guarantee anti-tamper operation of the anti-tamper protection circuit, thereby enabling continuous protection of information security and maintenance of digital copyright, and such that the requirements of information handling standards are satisfied.

Abstract: Systems, methods, devices and non-transitory, computer-readable storage mediums are disclosed for a wearable multimedia device and cloud computing platform with an application ecosystem for processing multimedia data captured by the wearable multimedia device. In an embodiment, a wearable multimedia device determines a projection area of a laser projector, the projection area having an inner region and a border region at least partially enclosing the inner region. Further, the device projects, using the laser projector, a virtual interface (VI) on a surface. In particular, the device determines, based on sensor data from a camera and/or a depth sensor, a position of the surface relative to the projection area. Further, the device projects the VI on the surface based on the position of the surface. Further, the device determines that a portion of the VI coincides with the border region, and in response, modifies a visual appearance of that portion.