-
公开(公告)号:US11210410B2
公开(公告)日:2021-12-28
申请号:US16573326
申请日:2019-09-17
发明人: Roger C. Raphael , Hani Talal Jamjoom , Rajesh M. Desai , Iun Veng Leong , Uttama Shakya , Arjun Natarajan
摘要: Serving data assets based on security policies is provided. A request to access an asset received from a user having a particular context is evaluated based on a set of asset access enforcement policies. An asset access policy enforcement decision is generated based on evaluating the request. It is determined whether the asset access policy enforcement decision is to transform particular data of the asset prior to allowing access. In response to determining that the asset access policy enforcement decision is to transform the particular data of the asset prior to allowing access, a transformation specification that includes an ordered subset of unit transformations for transforming the particular data of the asset is generated based on the particular context of the user and the set of asset access enforcement policies. A transformed asset is generated by applying the transformation specification to the asset transforming the particular data of the asset.
-
公开(公告)号:US11921885B2
公开(公告)日:2024-03-05
申请号:US17340145
申请日:2021-06-07
CPC分类号: G06F21/6245 , G06F9/45558 , G06F9/4881 , G06F21/577 , G06F2009/45595
摘要: A method, apparatus and computer program product for scheduling placement of containers in association with a set of hosts. The technique utilizes metrics that characterize container-specific risks. A first metric is a host interface risk for a container that quantifies how similar or dissimilar the container is relative to other containers running on a host. Preferably, host interface risk is derived with respect to a system call interface comprising a set of system calls, and the metric is based at least in part on a measure of dissimilarity among system calls. A second metric is a data sensitivity score that quantifies a degree to which sensitive data accesses are associated to the container. Based at least in part on the host interface risk scores and the data sensitivity scores, one or more containers are automatically scheduled for placement on the set of hosts to minimize security risk for the set of hosts.
-
公开(公告)号:US11853751B2
公开(公告)日:2023-12-26
申请号:US17644021
申请日:2021-12-13
发明人: Qiushi Wu , Zhongshu Gu , Hani Talal Jamjoom
摘要: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.
-
公开(公告)号:US20230069035A1
公开(公告)日:2023-03-02
申请号:US17411974
申请日:2021-08-25
发明人: Michael Vu Le , Hani Talal Jamjoom
摘要: An approach is provided that, after receiving a request to execute a computer program, determines an active set of metadata that corresponds to the requested computer program and then loads basic blocks of the requested computer program into memory. One of the loaded basic blocks is a starting block of the requested computer program. The memory also stores basic blocks corresponding to some previously loaded computer programs. The approach also inactivates basic blocks that are currently stored in the memory, with the inactivated basic blocks being identified based on a comparison of the active set of metadata to the sets of metadata that corresponding to the basic blocks of previously loaded computer programs. After inactivating some basic blocks, the approach executes the starting block of the requested computer program.
-
公开(公告)号:US20240311491A1
公开(公告)日:2024-09-19
申请号:US18121650
申请日:2023-03-15
IPC分类号: G06F21/57
CPC分类号: G06F21/577 , G06F2221/033
摘要: A critical-object guided operating system fuzzing method, system, and computer program product for guiding an operating system fuzzer to find security-related bugs in a kernel space of the operating system that includes identifying critical/sensitive objects, determining binary code addresses that result in access to the critical/sensitive objects, and executing the operating system fuzzer based on the binary code addresses.
-
公开(公告)号:US20230185568A1
公开(公告)日:2023-06-15
申请号:US17644021
申请日:2021-12-13
发明人: Qiushi Wu , Zhongshu Gu , Hani Talal Jamjoom
摘要: Indirect function call target identification in software is provided. A set of explicit data flows that pass a function address between software modules of a program is determined using an explicit data dependency analysis. A set of indirect function call targets is generated from results of the explicit data dependency analysis and a dynamic execution analysis of the program. The set of indirect function call targets is expanded by identifying similar target functions based on feature embeddings generated by a graph neural network.
-
公开(公告)号:US20220374763A1
公开(公告)日:2022-11-24
申请号:US17323099
申请日:2021-05-18
发明人: Zhongshu Gu , Jayaram Kallapalayam Radhakrishnan , Ashish Verma , Enriquillo Valdez , Pau-Chen Cheng , Hani Talal Jamjoom , Kevin Eykholt
IPC分类号: G06N20/00
摘要: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted executed environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that support runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity. This architectural prevents the aggregator from being a single point-of-failure, and serves to protect the model even if all aggregators are compromised.
-
公开(公告)号:US11277434B2
公开(公告)日:2022-03-15
申请号:US16827798
申请日:2020-03-24
IPC分类号: H04L29/06
摘要: Reducing attack surface by selectively collocating applications on host computers is provided. System resources utilized by each application running in a plurality of host computers of a data processing environment are measured. Which applications running in the plurality of host computers that utilize similar system resources are determined. Those applications utilizing similar system resources are collocated on respective host computers.
-
公开(公告)号:US20220391532A1
公开(公告)日:2022-12-08
申请号:US17340145
申请日:2021-06-07
摘要: A method, apparatus and computer program product for scheduling placement of containers in association with a set of hosts. The technique utilizes metrics that characterize container-specific risks. A first metric is a host interface risk for a container that quantifies how similar or dissimilar the container is relative to other containers running on a host. Preferably, host interface risk is derived with respect to a system call interface comprising a set of system calls, and the metric is based at least in part on a measure of dissimilarity among system calls. A second metric is a data sensitivity score that quantifies a degree to which sensitive data accesses are associated to the container. Based at least in part on the host interface risk scores and the data sensitivity scores, one or more containers are automatically scheduled for placement on the set of hosts to minimize security risk for the set of hosts.
-
公开(公告)号:US20220374762A1
公开(公告)日:2022-11-24
申请号:US17323006
申请日:2021-05-18
发明人: Jayaram Kallapalayam Radhakrishnan , Ashish Verma , Zhongshu Gu , Enriquillo Valdez , Pau-Chen Cheng , Hani Talal Jamjoom
摘要: Techniques for distributed federated learning leverage a multi-layered defense strategy to provide for reduced information leakage. In lieu of aggregating model updates centrally, an aggregation function is decentralized into multiple independent and functionally-equivalent execution entities, each running within its own trusted executed environment (TEE). The TEEs enable confidential and remote-attestable federated aggregation. Preferably, each aggregator entity runs within an encrypted virtual machine that support runtime in-memory encryption. Each party remotely authenticates the TEE before participating in the training. By using multiple decentralized aggregators, parties are enabled to partition their respective model updates at model-parameter granularity, and can map single weights to a specific aggregator entity. Parties also can dynamically shuffle fragmentary model updates at each training iteration to further obfuscate the information dispatched to each aggregator execution entity. This architectural prevents the aggregator from being a single point-of-failure, and serves to protect the model even if all aggregators are compromised.
-
-
-
-
-
-
-
-
-
搜索结果
18 条记录 (耗时 0.019 秒)
