Abstract: Systems and methods for transacting over a network. A first agent operating on a first computing system is operable to transact on behalf of a first entity. The first agent transacts with a second agent operating on a second computing system for a first cryptographically verifiable credential, transmits the first cryptographically verifiable credential to a third agent, and transacts with the third agent based on the first cryptographically verifiable credential for a second cryptographically verifiable credential to facilitate transacting with a fourth agent for a service. The second agent is operable to receive telemetry data of the first computing system which is configured to monitor the telemetry data, determine an assessment of the first entity based on the telemetry data, generate the first cryptographically verifiable credential based on the assessment of the first entity by the second agent, and transmit the first cryptographically verifiable credential to the first agent.

Abstract: A method of filtering a URL against a blacklist includes receiving at least a portion of a Uniform Resource Locator (URL), and determining which of a plurality of XOR filters is applicable to the received at least a portion of a URL, where each of the plurality of XOR filters represents a different portion of a URL blacklist. At least a portion of a URL is forwarded to the applicable one of the plurality of XOR filters, and the at least a portion of the URL is processed in the applicable one of the plurality of XOR filters to produce an output indicating whether the URL is likely on the blacklist.

Abstract: A method of authenticating a user to a computer in an adverse environment includes receiving the user's password in a trusted user device, such as by the user typing the password, and encoding a keyword with a hash of the entered password to create an encoded keyword. The encoded keyword is sent from the trusted user device to the computer using a physical communication channel perceivable by the user; and the encoded keyword is compared in the computer with a keyword encoded with a known hash of the user's password in the computer to authenticate the user.

Abstract: A method of managing access to a network destination. The method includes establishing a first network zone for a user, the first network zone including a plurality of network destinations. The first network zone is monitored and one or more changes in the first network zone are determined. A first network destination in the first network zone is analyzed responsive to determining the one or more changes in the first network zone to determine a first threat. An attempt by the user to access the first network destination is detected, and access by the user to the first network destination is restricted based on the determining the first threat.

Abstract: A method including detecting a webpage accessed by a user on a computing device via a browser. Content on the webpage is determined, and a model is applied to the content to determine a plurality of keyword sets. A network search is performed based on each of the plurality of keyword sets to generate a plurality of search results. The plurality of search results are compared to the content, and the plurality of search results are compared to each other. A factualness of the content is determined based on the comparing of the plurality of search results to the content and based on the comparing of the plurality of the search results to each other, and the user is notified via the browser of the factualness of the content.

Abstract: A method for accessing a network resource including detecting an attempt by a user via a computing device to access a service enabled by a computing system via a network and transmitting via the network to the computing system a first request to access the service in response to detecting the attempt by the user to access the service, the first request including at least one empty personally identifiable data structure. A failure to access the service responsive to the first request is determined. A second request to access the service in response to the first failure to access the service is transmitted via the network to the computing system, the second request including artificial personally identifiable information, and access to the service from the computing system is received for the user.

Abstract: A method includes enabling a messaging server and providing credentials for the messaging server. A computing system is enabled and a malware application is received by the computing system. The malware application is executed by the computing system. The credentials are rendered accessible to the malware application via the computing system, and the malware application is enabled to transmit the credentials via network transmission from the computing system to a computer. An actor is enabled to access the messaging server over a network in response to the actor applying the credentials, and a first electronic message transmitted by the actor is received by the messaging server, the first electronic message including first content.

Abstract: A method includes accessing a first intelligence feed including a plurality of cybersecurity incidents. A second intelligence feed is generated including a plurality of technical indicators defined on one or more virtual private network internet point of presence (“VPN internet PoP”) that connects a plurality of VPN tunnels to an internet. The first and second intelligence feeds are compared, a particular incident is determined, and a time frame of the particular incident is determined. Use of a particular VPN internet PoP by a plurality of sources including a plurality of clients is monitored to determine a plurality of time-based behaviors. The plurality of time-based behaviors are compared to the particular incident and to the time frame to determine a match. A particular source is blocked at the particular VPN internet PoP based on the determination of the match.

Abstract: A computing threat detection rule method and system for performing the method. The method includes determining identifiers for data points. One or more terms for each of the data points are determined to determine terms respectively associated with the identifiers. Collections of identifiers respectively associated with the terms are determined, the number of identifiers in each of the collections of identifiers limited to a threshold number. Conditions of a rule are determined. The conditions of the rule are compared to the terms to determine matching terms respectively associated with corresponding collections of identifiers. An intersection of the corresponding collections of identifiers is determined, and a number of the data points covered by the rule is determined based on the intersection of the corresponding collections of identifiers. A transmission is performed based on the number of the data points covered by the rule.

Abstract: Systems and methods for transacting over a network. A first agent and a second agent are provided. The second agent is operable to transact with a third agent for use of a service, the third agent enabled to communicate with a fourth agent. The first agent is operable to communicate with the second agent to facilitate the transacting by the second agent with the third agent for the use of the service. The first agent is further operable to communicate with the fourth agent to facilitate the transacting by the second agent with the third agent for the use of the service.

Abstract: Data relating to attacks is collected in honeypots, including network address of attacks and time of attacks. The attack data is analyzed to generate a predicted likelihood of future attacks from network addresses in the activity data, and a network address blacklist is constructed including network addresses predicted likely to be a source of a future attack. The process is repeated over time, such that network addresses with no recent honeypot activity are removed from the blacklist.

Abstract: A method of managing a fill state of a buffer in an external device includes monitoring the latency of a network connection to an external device having a network buffer via a managing device. A state of fill of the network buffer is determined based on at least the monitored latency of the network connection, and the effective network speed is estimated based on the state of fill of the network buffer. One or more network traffic scheduling parameters are adjusted in response to the estimated effective network speed, such as a maximum currently usable network speed that is lower than a maximum possible speed of the network. The maximum currently usable network speed of the network connection is periodically increased if the monitored latency is in a normal state and the maximum currently usable network speed is lower than the maximum possible speed of the network.

Abstract: Systems and methods receiving an indication that a domain has been blocked. A temporary web server is created that has network address that is different from the network address associated with the blocked domain. Content is created that indicates the blocked domain, and optionally, a reason for the blocking. The network address of the temporary web server is returned to a requesting browser application, which can display the content without providing a security warning.

Abstract: A reference file set having high-confidence malware severity classification is generated by selecting a subset of files from a group of files first observed during a recent observation period and including them in the subset. A plurality of other antivirus providers are polled for their third-party classification of the files in the subset and for their third-party classification of a plurality of files from the group of files not in the subset. A malware severity classification is determined for the files in the subset by aggregating the polled classifications from the other antivirus providers for the files in the subset after a stabilization period of time, and one or more files having a third-party classification from at least one of the polled other antivirus providers that changed during the stabilization period to the subset are added to the subset.

Abstract: A method and system for updating and applying a ruleset used for determining and mitigating malware threats. Communications of computing devices are monitored and first data file extracted. A first and second set of features are extracted. A first rule is applied to the first set of features of the first data file to determine a non-match. A second rule is applied to the second set of features to determine a match. A third rule is generated based on the first set of features, non-match, and match. Communications of a particular computing device are monitored and second data file extracted. A first set of features of the second data file are extracted. The third rule is applied to the first set of features of the second data file to determine a match. The second data file is disabled, blocked, or deleted based the match determination by the third rule.

Abstract: A computer-implemented method includes creating an account including an account value on an online service. The account value is modified periodically to activate a plurality of account values respectively associated with a plurality of times at which the plurality of account values were respectively activated on the account. A network-accessible data repository is scanned to detect a first value of the plurality of account values, the first value associated with a first time of the plurality of times at which the first value was activated. Responsive to detecting the first value a notification is provided indicating a data leak from the online service including an indication of when the data leak occurred based on the first time at which the first value was activated on the account and a second time at which a second value was activated on the account to replace the first value.

Abstract: A method of determining the security condition of a network includes executing an agent program on one or more computerized devices coupled to the network. Each executing agent program executes one or more security tests and reports the results of such tests to a network assessment engine, and the network assessment engine determines an authoritative security test score and a configurable security test score for the network based on a weighted combination of the security test results.

Abstract: A method of providing a content feed. The method includes monitoring a plurality of user content streams of a plurality of users on a plurality of computing devices, the plurality of user content streams including a plurality of content instances accessible via a network. A plurality of archetypes are generated based on the plurality of user content streams. A selection of a particular archetype of the plurality of archetypes from a particular user is received on a particular computing device. A particular content stream is determined based on the particular archetype, and the particular content stream is delivered to the particular user via the particular computing device.

Abstract: A method of collecting user device data includes receiving a probabilistic cardinality estimator data structure in the user device from a server, the probabilistic cardinality estimator data structure associated with a survey question. An answer to the survey question associated with the probabilistic cardinality estimator data structure is determined, and one or more elements are selectively added to the probabilistic cardinality estimator data structure based on the determined answer to the survey question. The probabilistic cardinality estimator data structure is sent back to the server, which calculates the survey result from the probabilistic cardinality estimator data structure.

Abstract: A system and method for preventing access to potentially malicious network destinations. The method includes determining a plurality of network destinations and indicators of the plurality of network destinations including an indicator of a first network destination. A plurality of feature vectors are generated based on the plurality of network destinations including a first feature vector based on the first network destination. Access by a user via a computing device to a second network destination is detected. A second feature vector is generated, and an indicator is determined based on the second network destination. The second feature vector is compared to the plurality of feature vectors. The access by the user to the second network destination is blocked based on the indicator of the first network destination, the indicator of the second network destination, and the comparison of the second feature vector to the plurality of feature vectors.