G06F21/556

Detection of adversary lateral movement in multi-domain IIOT environments

Implementations are directed to methods for detecting and identifying advanced persistent threats (APTs) in networks, including receiving first domain activity data from a first network domain and second domain activity data from a second network domain, including multiple alerts from the respective first and second network domains and where each alert of the multiple alerts results from one or more detected events in the respective first or second network domains. A classification is determined for each alert of the multiple alerts with respect to a cyber kill chain. A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts.

SYSTEM AND METHOD UTILIZING FUNCTION SECRET SHARING WITH CONDITIONAL DISCLOSURE OF SECRETS
20220374539 · 2022-11-24

A function is decomposed into a plurality of function shares. The function returns a Boolean result based on whether an input y satisfies a query on a data set. The function shares hide the function from non-collaborating entities that separately execute the function shares. Each of the function shares is sent to one of a plurality of servers having a same data set. The function shares are executed on the data set at the servers to obtain a respective plurality of shares. A conditional disclosure of secrets operation is simulated on the shares and the input y. The conditional disclosure of secrets operation uses a secret known to at least one of the servers, and further uses a source of randomness shared between the servers. A Boolean value corresponding to the Boolean result is returned based on the conditional disclosure of secrets operation returning the secret.

UNIVERSALLY APPLICABLE SIGNAL-BASED CONTROLLER AREA NETWORK (CAN) INTRUSION DETECTION SYSTEM

A system and method for intrusion detection on automotive controller area networks. The system and method can detect various CAN attacks, such as attacks that cause unintended acceleration, deactivation of the vehicle's brakes, or steering the vehicle. The system and method detect changes in nuanced correlations of CAN timeseries signals and how they cluster together. The system reverse engineers CAN signals and detects masquerade attacks by analyzing timeseries extracted from raw CAN frames. Specifically, anomalies in the CAN data can be detected by computing timeseries clustering similarity using hierarchical clustering on the vehicle's CAN signals and comparing the clustering similarity across CAN captures with and without attacks.

Malware collusion detection

Embodiments of the invention provide for malware collusion detection in a mobile computing device. In one embodiment, a method for malicious inter-application interaction detection in a mobile computing device includes filtering applications installed in a mobile device to a set of related applications and then monitoring in the mobile device execution of the related applications in the set. The method additionally includes computing resource utilization of one of the related applications executing in a background of the mobile device while also computing execution performance of a different one of the related applications. Finally, the method includes responding to a determination that the computed resource utilization is high while the computed execution performance is poor by generating a notification in the display of the mobile device that the one of the related applications is suspected of malware collusion with the different one of the related applications.

Enhancements to improve side channel resistance

Embodiments herein facilitate resisting side channel attacks through various implementations and combinations of implementations. In embodiments, this is accomplished by preventing sensitive data from consecutively following other data through potentially vulnerable resources which otherwise may cause data to leak. Where such vulnerabilities to attacks are known, suspected, or as a proactive precaution, a cleaner can be used to inhibit the sensitive data from passing through the vulnerable areas consecutively and thus inhibit the leakage. Embodiments also envision utilizing certain types of circuits to assist in preventing leakage. By using such circuits one can reduce or even potentially eliminate the requirement for cleaners as mentioned previously.

Systems and methods for defining and securely sharing objects in preventing data breach or exfiltration

Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.

Method and system for monitoring for and blocking fraudulent attempts to log into remote services using list validation attacks

Techniques for monitoring for fraudulent login attempts to remote services through an application. The method generally includes receiving a request to connect an application to a remote service. A login attempt counter tracking a number of attempts by a user to connect the application to one or more remote services is incremented. Based on determining that the login attempt counter is less than a maximum number of login attempts predicted to correspond to legitimate login activity in the application, the first username is compared to a second username included in a previous request. A distance is calculated between the first username and the second username, and one or more actions are taken to process the request based on determining whether the calculated distance exceeds a maximum predicted distance between usernames in successive requests that corresponds to legitimate login activity.

SIDE-CHANNEL ATTACKS ON SECURE ENCRYPTED VIRTUALIZATION (SEV)-ENCRYPTED STATE (SEV-ES) PROCESSORS

AMD's Secure Encrypted Virtualization (SEV) is a hardware extension available in AMD's EPYC™ server processors to support confidential cloud computing. Although known attacks against SEV, which exploit its lack of encryption in the virtual machine (VM) control block or the lack of integrity protection of the encrypted memory and nested page tables, have been addressed in subsequent releases of SEV-Encrypted State (SEV-ES) and SEV-Secure Nested Paging (SEV-SNP), a new CipherLeaks attack presents a previously unexplored vulnerability for SEV-ES and SEV-SNP. The attack allows a privileged adversary to infer a guest VM's execution states or recover certain plaintext, e.g., to steal private keys from the constant-time implementation of the Rivest-Shamir-Adleman (RSA) algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA) in the latest OpenSSL library.

PROTECTION OF DATA OF DATABASE CLIENTS FROM PERSISTENT ADVERSARIES
20230055992 · 2023-02-23

One embodiment provides a method, including: receiving, at a database proxy acting as an intermediary between a plurality of database clients and a service provider providing data management services for the plurality of database clients, a set of queries, of at least one of the plurality of database clients, for data stored at the service provider in an encrypted form, wherein the database proxy maintains a security budget defining a maximum threshold amount of data leakage for the plurality of database clients; batching the set of queries into query batches; transforming, for each query batch, each query within the query batch, wherein the transforming includes changing the query to reduce data leakage; performing, responsive to transforming each query within the query batch, a transformation on each of the query batches to reduce data leakage; executing, at the database proxy and utilizing an order-preserving encryption algorithm, the query batches; and calculating a remaining security budget based upon data leakage resulting from the executing.

SYSTEM-IN-PACKAGE ARCHITECTURE PROTECTION AGAINST PHYSICAL AND SIDE-CHANNEL ATTACKS
20220366091 · 2022-11-17

To protect against physical and side-channel attacks, circuit assemblies may mount a main processor opposite of a cryptographic processor such that traces between the two processors are hidden in a substrate. Another substrate defining a cavity may be mounted on the bottom of the substrate to enclose the cryptographic processor and prevent physical access without disrupting the cryptographic operations. Voltage converters with integrated inductors may also be included in the cavity to generate electromagnetic noise that will disrupt the sensitive equipment used in side-channel attacks. An electromagnetic shield may be sputtered on top of the main processor to block electromagnetic sniffing attacks while still allowing the processor to be coupled with a heat sink.