Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 11308202
    Abstract: An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: April 19, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ronny Chevalier, David Plaquin, Maugan Villatel, Guillaume Hiet
  • Patent number: 11308226
    Abstract: The described technology is generally directed towards secure collaborative processing of private inputs. A secure execution engine can process encrypted data contributed by multiple parties, without revealing the encrypted data to any of the parties. The encrypted data can be processed according to any program written in a high-level programming language, while the secure execution engine handles cryptographic processing.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: April 19, 2022
    Assignee: CipherMode Labs, Inc.
    Inventors: Mohammad Sadegh Riazi, Ilya Razenshteyn
  • Patent number: 11308160
    Abstract: One embodiment provides for a computer-implemented method comprising generating a linked list table including a first component having linking data to be stored in a table data structure for one or more rebase and bind operations and a second component having instructions to implement the table data structure to perform the rebase and bind operations according to a linked list chain and executing the instructions in the second component of the linked list table to perform the one or more rebase and bind operations based on the linked list chain.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: April 19, 2022
    Assignee: Apple Inc.
    Inventors: Peter Cooper, Louis G. Gerbarg, Nick Kledzik
  • Patent number: 11294727
    Abstract: Various embodiments are provided for managing cryptographic bottlenecks for distributed multi-signature blockchain contracts in a computing environment. One or more cryptographic bottlenecks of cryptographic requests at a cryptographic accelerator may be resolved by switching between a blockchain node cryptographic library and an accelerator cryptographic library upon a number of the cryptographic requests at the accelerator exceeding a defined threshold.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: April 5, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Emanuele Ragnoli, Mustafa Rafique, John Sheehan, Kevin Reilly
  • Patent number: 11258677
    Abstract: Techniques for generating a data representation without access to content are described. A method for generating a data representation without access to content comprises receiving a request to analyze one or more data items in a protected area of the provider network, sending the request to the protected area of the provider network, wherein the cluster model is used to identify a cluster identifier associated with each of the one or more data items, receiving the cluster identifier associated with each of the one or more data items, and regenerating each of the one or more data items based on the cluster identifier.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: February 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: David Paul Martin, Sukriti Jain, Jean-Paul Stephane Bonny
  • Patent number: 11245694
    Abstract: A user terminal apparatus may include a communication unit for communicating with a server; a memory in which applications are stored; and a processor for executing an application including a first logic which requires security processing, performing mutual verification with the server, controlling the communication unit such that a request for executing the first logic on the server is sent to the server, and when the execution result of the first logic is received from the server, proceeding with the execution of the application by using the received execution result.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: February 8, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Kyung-soo Kwag, Ji-hoon Kim
  • Patent number: 11237986
    Abstract: The present embodiments relate to methods and apparatuses for side-band management of security for server computers. According to certain aspects, such management is directed to the security of data that is stored under the local control of the server, as well as data that flows through the network ports of the server. Such locally stored data is secured by encryption, and the encryption keys are managed by a management entity that is separate from the server. The management entity can also manage the security of network data flowing through the server using its own configuration of network security applications such as firewalls, monitors and filters.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: February 1, 2022
    Assignee: JANUS TECHNOLOGIES, INC.
    Inventor: Sofin Raskin
  • Patent number: 11232217
    Abstract: A method for establishing and maintaining a security policy for a device can include establishing a secure channel between a secure execution environment (SEE) operating on the device and a security entity external to the device. The method can also include configuring, by a security manager executing on the SEE, access to sensitive operations of an environment interactor coupled to the device based on a security policy provided from the security entity. The method can further include resetting, by the security manager, a secure watchdog timer in response to a reset authorization token provided from the secure entity. If the secure watchdog timer expires a given predetermined number of times since a last reset authorization token is received, the security manager executes a given prescriptive operation dictated by the security policy.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: January 25, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Nicolas Ponsini
  • Patent number: 11234105
    Abstract: Techniques for obfuscating and deploying digital assets (e.g., mobile applications) are provided to mitigate the risk of unauthorized disclosure. An asset can be received that is to be deployed to a plurality of mobile devices, each of the mobile devices associated with a corresponding account having account attributes. A deployment group of one or more mobile devices for deploying the asset can be identified based on a set of one or more obfuscation parameters, comprising account attributes shared among the one or more mobile devices within the deployment group. A customized obfuscation scheme to be applied to the asset can be determined based at least in part on the set of obfuscation parameters. The customized obfuscation scheme can be applied to the asset to generate an obfuscated asset. The obfuscated asset can be transmitted and/or updated over a network to the one or more mobile devices within the deployment group.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: January 25, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: James Gordon, Roopesh Joshi, David Horton, Johan Van Tilburg
  • Patent number: 11227247
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two conflicting policies based on the criteria.
    Type: Grant
    Filed: May 31, 2021
    Date of Patent: January 18, 2022
    Assignee: OneTrust, LLC
    Inventors: Richard A. Beaumont, Jonathan Blake Brannon
  • Patent number: 11216573
    Abstract: Implementations of the present disclosure include receiving a record corresponding to a private transaction recorded in two or more private state databases of entities participating in the private transaction within a distributed ledger system (DLS), generating a data representation based on the record, transmitting the data representation for public consensus processing within the DLS, and recording within a public ledger of the DLS, and providing a public record for recording in the DLS, the public record being recorded in a public state database of each entity participating in the DLS.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: January 4, 2022
    Assignee: United Services Automobile Association (USAA)
    Inventors: Jonathan Huntington Rhea, Bharat Prasad, Minya Liang, Joseph Gregory Delong, Steven J. Schroeder
  • Patent number: 11201892
    Abstract: Techniques are disclosed for enhanced crawling of unexposed web applications for vulnerability scanning purposes. A response to a request to a web application is received and a web application framework detection routine is executed on the response. A determination is made that a web application framework is part of the response and the response is loaded in a web browser associated with the web application. A custom web application framework hook for the web application framework is injected into a web page of a web browser and a list of Document Object Model (DOM) elements and corresponding event handlers is received. A determination is made, based on the list, to execute DOM events to discover functionality of the web application. The DOM events are executed, and network activity of the web browser during execution of the DOM events is recorded.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: December 14, 2021
    Assignee: Rapid7, Inc.
    Inventors: Dmitriy Kashitsyn, Andrew Tisdale, Jijo John
  • Patent number: 11188651
    Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: November 30, 2021
    Assignee: CrowdStrike, Inc.
    Inventor: Ion-Alexandru Ionescu
  • Patent number: 11182485
    Abstract: A reprogramming method of a vehicle includes authenticating a diagnostor; receiving integrated firmware comprising a plurality of firmwares that correspond to a plurality of target controllers, respectively, from the diagnostor that is completely authenticated; authenticating the integrated firmware; encrypting and storing the plurality of firmwares included in the integrated firmware; and generating encryption keys that correspond to the plurality of target controllers, respectively. The encrypting and storing comprises encrypting and storing the plurality of firmwares to the encryption keys that correspond to the plurality of firmwares, respectively.
    Type: Grant
    Filed: November 29, 2017
    Date of Patent: November 23, 2021
    Assignees: Hyundai Motor Company, Kia Motors Corporation, Hyundai Autoever Corp.
    Inventors: A Ram Cho, Ho Jin Jung, Hyun Soo Ahn, Young Jun Lee, Dae Young Kim
  • Patent number: 11181963
    Abstract: An information processing device shifts to first and second power states and includes an output unit to output an operation stop signal, and a device to receive the operation stop signal and to shift to an operation stop state based on the operation stop signal, and to shift to an electric power saving mode where less power is consumed than in the operation stop state on condition that the operation stop signal has not been input. A signal control unit provides control that prevents the operation stop signal from being input to the device when the information processing device shifts to the second power state. The signal control unit controls the operation stop signal when a restart unit restarts the information processing device.
    Type: Grant
    Filed: October 24, 2019
    Date of Patent: November 23, 2021
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Yo Kobayashi
  • Patent number: 11182472
    Abstract: A process monitoring methodology is disclosed. In a computer-implemented method, a selection of a process to be monitored is received. The process is to be at least partially performed using a component of a computing environment. An expected operating parameter of the process is determined. The process is also monitored to determine an actual operating parameter of the process. The actual operating parameter of the process is compared with the expected operating parameter of the process to generate a comparison result. An operation is then automatically performed based upon the comparison result.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: November 23, 2021
    Assignee: VMware, Inc.
    Inventors: Nakul Ogale, Shirish Vijayvargiya, Sachin Shinde
  • Patent number: 11151247
    Abstract: A malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: October 19, 2021
    Assignee: Endgame, Inc.
    Inventor: Joseph W. Desimone
  • Patent number: 11138296
    Abstract: One embodiment provides a method, including: generating, using an information handling device, digital content; providing an indication of the digital content to at least one other device; and receiving, from the at least one other device, a digital signature for the digital content. Other aspects are described and claimed.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: October 5, 2021
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Russell Speight VanBlon, Mark Patrick Delaney, John Carl Mese, Nathan J. Peterson
  • Patent number: 11133925
    Abstract: Systems are provided for managing access to a log of a dataset that is generated when the dataset is accessed. A system stores, with respect to each of a log producer and a log accessor, an encrypted symmetric key for the dataset that is encrypted using a corresponding public key. The system returns the encrypted symmetric key for the log producer, such that the log producer can decrypt the dataset that is encrypted using the symmetric key. A log of the dataset is generated when the log producer accesses the dataset.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: September 28, 2021
    Assignee: Palantir Technologies Inc.
    Inventors: Vaughan Shanks, Andrew Lampert
  • Patent number: 11126771
    Abstract: Methods and systems for verifying, via formal verification, a hardware design for a data transformation pipeline comprising one or more data transformation elements that perform a data transformation on one or more inputs, wherein the formal verification is performed under conditions that simplify the data transformation calculations that the formal verification tool has to perform.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: September 21, 2021
    Assignee: Imagination Technologies Limited
    Inventor: Sam Elliott
  • Patent number: 11108777
    Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: August 31, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Graeme David Baer, Jacques Daniel Thomas, Nicholas Andrew Gochenaur
  • Patent number: 11106793
    Abstract: Systems and methods of disarming malicious code in protected content in a computer system having a processor are provided. The method includes determining that a received input file intended for a recipient is protected, the recipient may be connected to a network; accessing a credential associated with the intended recipient for accessing the protected input file; accessing the content of the protected input file based on the credential; modifying at least a portion of digital values of the content of the input file configured to disable any malicious code included in the input file, thereby creating a modified input file; and protecting the modified input file based on the credential associated with the intended recipient. The method also includes forwarding the protected modified input file to the intended recipient in the network.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: August 31, 2021
    Assignee: Votiro Cybersec Ltd.
    Inventor: Aviv Grafi
  • Patent number: 11102003
    Abstract: Techniques for implementing a ledger-independent token service are provided. According to one set of embodiments, a computer system executing the service can receive, from a user, a request to create a token on a distributed ledger network. The computer system can further provide to the user one or more token templates, where each token template corresponds to a type of physical or digital asset and defines a set of one or more attributes and one or more control functions associated with the type. The computer system can then receive, from the user, a selection of a token template in the one or more token templates and create the token on the distributed ledger network, where the created token includes the set of one or more attributes and one or more control functions defined in the selected token template.
    Type: Grant
    Filed: February 25, 2019
    Date of Patent: August 24, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: John Marley Gray, Gregory Philip Cignavitch, Supriya Madhuram, Nayana Singh Patel
  • Patent number: 11075777
    Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. An application is determined to have begun execution on a computing device. The application is identified. A determination that the application is authorized to access a VPN connection is made, and the VPN connection is created.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: July 27, 2021
    Assignee: AIRWATCH LLC
    Inventors: Suman Aluvala, Craig Farley Newell, Naga Sandeep Reddy Kaipu, Sulay Shah
  • Patent number: 11074349
    Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree. The first device then sends the validator to the second device.
    Type: Grant
    Filed: January 4, 2019
    Date of Patent: July 27, 2021
    Assignee: CRYPTOGRAPHY RESEARCH, INC.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 11063759
    Abstract: In various embodiments, the present invention is directed to a decentralized and secure method for developing machine learning models using homomorphic encryption and blockchain smart contracts technology to realize a secure, decentralized and privacy-preserving computing system that incentivizes the sharing of private data or at least the sharing of resultant machine learning models from the analysis of private data. In various embodiments, the method uses a homomorphic encryption (HE)-based encryption interface designed to ensure the security and the privacy-preservation of the shared learning models, while minimizing the computation overhead for performing calculation on the encrypted domain and, at the same time, ensuring the accuracy of the quantitative verifications obtained by the verification contributors in the cipherspace.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: July 13, 2021
    Assignee: The University of Akron
    Inventors: Jin Kocsis, Yifu Wu, Gihan Janith Mendis Imbulgoda Liyangahawatte
  • Patent number: 11063758
    Abstract: Methods, non-transitory computer readable media, and network traffic management apparatuses that obtain one or more custom selection rules and one or more custom priority rules via a graphical user interface (GUI). One or more of the custom selection rules are applied to a cipher suite database to generate a result set of cipher suites. The cipher suite database includes a plurality of cipher suite sets. One or more of the custom priority rules are applied to the result set of cipher suites to generate an ordered result set of cipher suites. A cipher string is generated based on the ordered result set of cipher suites. The cipher string is stored in a secure socket layer (SSL) profile to be used during negotiation of secure network sessions.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: July 13, 2021
    Assignee: F5 NETWORKS, INC.
    Inventor: Saxon Amdahl
  • Patent number: 11063757
    Abstract: Embodiments of the present invention include a system for utilizing setting information, including a first electronic device and a second electronic device communicably connected to an information processing apparatus via a network. The first electronic device includes first circuitry to: obtain, from a first memory, setting information relating to setting of the first electronic device; accept selection of a saving destination of the setting information; encrypt the setting information in an encryption method determined in accordance with the saving destination; and store the encrypted setting information in the saving destination.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: July 13, 2021
    Assignee: RICOH COMPANY, LTD.
    Inventors: Masataka Yamazaki, Yoh Masuyama
  • Patent number: 11058953
    Abstract: Some implementations relate to detection of malicious games. In some implementations, a computer-implemented method includes obtaining a list of games that includes a plurality of games, analyzing the plurality of games to identify at least one likely malicious game, and creating a ticket.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: July 13, 2021
    Assignee: Roblox Corporation
    Inventors: Arthur Remy Malan, Diana Lee, Michael McHale
  • Patent number: 11042642
    Abstract: A computer-implemented method, non-transitory, computer-readable medium, and computer-implemented system are provided for data transmission in a trusted execution environment (TEE) system. The method can be executed by a thread on a TEE side of the TEE system. The method includes obtaining first data; calling a predetermined function using the first data as an input parameter to switch to a non-TEE side; obtaining a write offset address by reading a first address; obtaining a read offset address by reading a second address; determining whether a quantity of bytes of the first data is less than or equal to a quantity of writable bytes; if so, writing the first data into third addresses starting from the write offset address; updating the write offset address in the first address; and returning to the TEE side.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: June 22, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qi Liu, Boran Zhao, Ying Yan, Changzheng Wei
  • Patent number: 11042661
    Abstract: A computing device comprising a frontend and a backend is operably coupled to a plurality of storage devices. The backend comprises a plurality of buckets. Each bucket is operable to build a failure-protected stripe that spans two or more of the plurality of the storage devices. The frontend is operable to encrypt data as it enters the plurality of storage devices and decrypt data as it leaves the plurality of storage devices.
    Type: Grant
    Filed: February 13, 2019
    Date of Patent: June 22, 2021
    Inventors: Maor Ben Dayan, Omri Palmon, Liran Zvibel, Kanael Arditti, Ori Peleg
  • Patent number: 11017113
    Abstract: A database transaction is executed in a computer of a system of networked computers having secure processing enclaves. Within the secure processing enclave, a database transaction log record for the executed database transaction is generated and cryptographically secured using a private key held in secure storage of the secure processing enclave. A state of the distributed database is recorded in a series of transaction log records which is replicated in distributed computer storage accessible to the networked computers. Consensus messages are transmitted and received via secure communication links between the secure processing enclaves of the networked computers, to incorporate the database transaction log record into the series of transaction log records in accordance with a distributed consensus protocol, which is implemented based on consensus protocol logic held within the secure processing enclave.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: May 25, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kapil Vaswani, Manuel Costa
  • Patent number: 11005645
    Abstract: A data partition unit partitions character string data $D$ into $N$ pieces of element data $w_1, w_2, \ldots, w_N$ from a front to an end of the character string data $D$. A partial character string generation unit generates a set $A=\{A_1, A_2, \ldots, A_N\}$ and an element $A_i=\{(w_i), (w_i w_{i+1}), \ldots, (w_i w_{i+1} \ldots w_N)\}$ of the set $A$ where $i=1, \ldots, N$, from the element data $w_1, w_2, \ldots, w_N$. A position information assignment unit generates a set $B=\{B_1, B_2, \ldots, B_N\}$ and an element $B_i=\{(i, w_i), (i, w_i w_{i+1}), \ldots, (i, w_i w_{i+1} \ldots w_N)\}$ of the set $B$ by associating each of $(w_i), (w_i w_{i+1}), \ldots, (w_i w_{i+1} \ldots w_N)$ which are components of the element $A_i$ with position information $i$. An encryption unit encrypts each of $(i, w_i), (i, w_i w_{i+1}), \ldots, (i, w_i w_{i+1} \ldots w_N)$ which are components included in the element $B_i$.
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: May 11, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Takato Hirano, Yutaka Kawai
  • Patent number: 11003461
    Abstract: A boot process security system includes a processing system including a plurality of registers, and at least one memory system that includes instructions that, when executed by the processing system, cause the processing system to provide a BIOS. During a Driver eXecution Environment (DXE) sub-process that is included in a boot process and that occurs prior to passing control of the boot process to any third-party drivers, the BIOS programs at least one of the plurality of registers in order to configure at least one secure subsystem. The BIOS then verifies, during the boot process, that the at least one secure subsystem has been configured to provide a predetermined configuration, and locks the at least one secure subsystem. The BIOS then confirms that the at least one secure subsystem has been locked prior to passing control of the boot process to any third-party drivers.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: May 11, 2021
    Assignee: Dell Products L.P.
    Inventors: Wei G. Liu, Juan Francisco Diaz, Jayanth Raghuram, Murali Manohar Shanmugam
  • Patent number: 10997592
    Abstract: A system generates at least one of a customer token or device token configured to facilitate a mobile wallet transaction, transmits the customer token or device token to a server system for verification of the mobile wallet transaction, receives a screen display to present to the user, the screen display including the account balance information for the account held by the user at the financial institution, receives determination of rewards information regarding rewards available to the user if the user uses the account to perform the transaction, wherein the screen display comprises the rewards information, and provides an indication from the user that the user wishes to perform the mobile wallet transaction to transfer funds to a recipient, wherein the funds are transmitted to the recipient responsive to the provision of the indication from the user.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: May 4, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Ashish Bhoopen Kurani
  • Patent number: 10999214
    Abstract: A method, apparatus and system for a secure memory with restricted access by processors. System has a plurality of processor units (PUs) coupled to a block of memory with at least one section secured (BMSS) against hacking by not allowing all PUs to access BMSS. One or more PUs has access to BMSS and is implemented with a dedicated function(s) that no other PU can perform such as a security function for encryption key checks. A thread running on a given PU that lacks access to a given memory location in BMSS is transferred to another PU with i) access to given memory location in BMSS; ii) implemented dedicated function; and/or iii) locked down instruction memory not free to run other code. Any attempt to breach protocol issues a fault. Existing code is hardened against less secure user code by only permitting authorized routines to transfer to the implemented PU.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: May 4, 2021
    Inventor: Donald Kevin Cameron
  • Patent number: 10985925
    Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: April 20, 2021
    Assignee: STRIPE, INC.
    Inventors: Carl Jackson, Bryan Berg, David Terrance Bartley, Evan Broder
  • Patent number: 10972264
    Abstract: A method is provided that protects electronic Identity information based on key derived operation. The method includes using an electronic Identity server to send an application derived identifier of the application and user electronic Identity code to a host security module that randomly generates an application master key, encrypts the application derived identifier with the application master key, and gets an application encryption key. The host security module encrypts the user electronic Identity code with the application encryption key, and gets an encryption document. The electronic Identity server codes the encryption document and an application identity code, and gets an application electronic Identity code. The electronic Identity server uses the application electronic Identity code as the user identifier.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: April 6, 2021
    Assignee: THE THIRD INSTITUTE OF THE MINISTRY OF PUBLIC SECURITY
    Inventors: Xiang Zou, Minghui Yang, Lishun Ni, Yixin Xu, Jun Huang
  • Patent number: 10969976
    Abstract: Systems and methods for fast storage allocation for encrypted storage are disclosed. An example method may include receiving, by a processing device executing an operating system, an identification of a first storage block that has been released by a first virtual machine; tracking, by the operating system, an encryption status corresponding to the first storage block to indicate whether the first storage block contains encrypted content; receiving a request to allocate storage to a second virtual machine; analyzing, by the operating system, the first storage block to determine that the first storage block contains encrypted content in view of the encryption status corresponding to the first storage block; and allocating the first storage block containing the encrypted content to the second virtual machine without clearing the encrypted content of the first storage block.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: April 6, 2021
    Assignee: Red Hat, Inc.
    Inventors: Henri Han Van Riel, Nitesh Narayan Lal
  • Patent number: 10963557
    Abstract: There is described a computer device, including at least a processor and a memory, configured to control process components on the computer device, the computer device comprising: an operating system, a privilege access management service cooperating with the operating system and an agent; wherein the agent is configured to: intercept a request to instantiate a new process component in a user account of a logged-in user, wherein the request originates from an instance of a particular process component amongst a set of process components and wherein the user account has assigned thereto default user privileges by the privilege access management service; determine whether to permit the intercepted request including by: validating a relationship between the new process component and the particular process component; and establishing a set of identified owners by identifying owners of the new process component, the particular process and any parents thereof; permit the intercepted request if the relationship is v
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: March 30, 2021
    Assignee: AVECTO LIMITED
    Inventors: John Goodridge, Thomas Couser, James William Maude
  • Patent number: 10965701
    Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: March 30, 2021
    Assignee: Proofpoint, Inc.
    Inventors: Gaurav Mitesh Dalal, Hung-Jen Chang, Ali Mesdaq
  • Patent number: 10956477
    Abstract: A method for detecting a cyberattack on a network device is described. The method features receiving script text and performing a normalization operation on the script text to produce a normalized script text. The normalized script text includes a plurality of analytic tokens each being an instance of a sequence of characters grouped together as a useful semantic unit for natural language processing (NLP). Thereafter, an NLP model is applied to the normalized script text to classify a script associated with the script text as malicious or benign. Responsive to the script being classified as malicious, generating an alert message provided to an administrator to identify the malicious script.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: March 23, 2021
    Assignee: FireEye, Inc.
    Inventors: Chunsheng Fang, Daniel Bohannon
  • Patent number: 10949574
    Abstract: An apparatus for detecting a physical manipulation on a security module that stores security-relevant data includes a sensor device for generating sensor data that describe a physical influence on the security module, and a first and a second monitoring device, wherein the first monitoring device is set up to receive the sensor data from the sensor device and to take the sensor data as a basis for generating first monitoring data, and the second monitoring device is set up to receive the first monitoring data from the first monitoring device and to use the received first monitoring data to detect a manipulation of the security module. Two monitoring devices communicating with one another that in each case can discern a manipulation on the security module are used to ensure a high level of security for the security module.
    Type: Grant
    Filed: April 3, 2018
    Date of Patent: March 16, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventor: Rainer Falk
  • Patent number: 10951632
    Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: March 16, 2021
    Assignee: CUPP Computing AS
    Inventors: Ami Oz, Shlomo Touboul
  • Patent number: 10944567
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for communicating and sharing blockchain data. One of the methods includes sending, by a consensus node of a blockchain network, current state information associated with a current block of a blockchain to a trusted node with proof of authority outside of the blockchain network; sending a hash value to the trusted node for retrieving an account state stored in the historic state tree; receiving the account state in response to sending the hash value; and verifying that the account state is part of the blockchain based on the hash value.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: March 9, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Haizhen Zhuo
  • Patent number: 10936191
    Abstract: An exemplary access control system controls access to a computing system such as a data storage system. For example, the exemplary access control system includes a remote management system that receives a request to operate on an element of the computing system and generates a message based on the request and a first token for the remote management system that is associated with the request. The message includes data representative of a second token for the remote management system. The remote management system signs the message and transmits the signed message to the computing system, which is configured to verify and use the signed message, including the second token included in the signed message, to obtain and use a local access token to access and operate on the element in accordance with the request.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: March 2, 2021
    Assignee: Pure Storage, Inc.
    Inventors: Sitaraman Suthamali Lakshminarayanan, Christopher Holtz, Jonathan McLachlan, Li Zhao, David M'Raihi, Yu Tan
  • Patent number: 10924377
    Abstract: Embodiments described include systems and methods for executing in an embedded browser an application script for network applications of different origins. A client application can establish a first session with a first network application of a first entity at a first origin via an embedded browser within the client application and a second session with a second network application of a second entity at a second origin via the embedded browser within the client application. A scripting engine within the client application of a client device of a user at a third origin can identify an application script having instructions to interact with the first network application and the second network application, and can execute the instructions to perform a task across the first network application of the first entity at the first origin and the second network application of the second entity at the second origin.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: February 16, 2021
    Assignee: Citrix Systems, Inc.
    Inventor: Abhishek Chauhan
  • Patent number: 10922404
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a checkout system executable code monitoring, and user account compromise determination system. The system monitors executable code initiating and executing on checkout systems, including determining hashes of the executable code. The system determines whether the executable code is malicious based on the hash, and associated information of the executable code. Additionally, the system monitors user access to checkout systems, and determines user accounts associated with being compromised. User interfaces are generated describing checkout systems associated with a risk of being compromised, and are configured for user interaction, which cause generation of updated user interfaces and access to electronic data stores to determine information relevant to the user interaction.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: February 16, 2021
    Assignee: Palantir Technologies Inc.
    Inventors: Adam Healy, Benjamin Jackson, Khoa Pham, Sanjay Paul, Zhi Qiang Liu
  • Patent number: 10922179
    Abstract: A method for execution by a dispersed storage network (DSN), the method begins by determining a slice name of an encoded data slice to verify, obtaining the encoded data slice and optionally compressing the encoded data slice, determining a dispersed storage (DS) unit of the stored set of DS units to produce a selected DS unit, sending the compressed encoded data slice request message to the selected DS unit, receiving a compressed encoded data slice response message to produce a selected compressed encoded data slice, determining a compressed encoded data slice partial of the encoded data slice, determining whether a sum of compressed encoded data slice partials compares favorably to the selected compressed encoded data slice, indicating a failed test when the processing module determines that the comparison is not favorable and indicating a passed test when the processing module determines that the comparison is favorable.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: February 16, 2021
    Assignee: PURE STORAGE, INC.
    Inventors: Jason K. Resch, Greg R. Dhuse
  • Patent number: 10909244
    Abstract: An example method includes storing a scenario event list that defines one or more events associated with a training exercise, and configuring, based on the events defined in the scenario event list, one or more software agents to emulate one or more cyber-attacks against a host computing system during the training exercise, which includes configuring the software agents to save a state of one or more resources of the host computing system prior to emulating the cyber-attacks and to restore the state of the resources upon conclusion of the cyber-attacks. The example method further includes deploying the software agents for execution on the host computing system during the training exercise to emulate the cyber-attacks against the host computing system using one or more operational networks.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: February 2, 2021
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Matthew P. Donovan, Robert A. Joyce, Judson Powers, Dahyun Hollister