Abstract: A method and system is provided for setting network policies based on electronic devices connected to a network. The electronic devices present on the network are detected and their behavior is captured using profiles. These profiles are then used to generate network policies based on the electronic devices connected to the network. Instead of reacting to behavior of the electronic devices (e.g., anomaly detection to detect malware), the method and system sets the network policies to prevent unauthorized communications (e.g., before malware is present in the system).

Abstract: A system, method, and device are provided for detecting and mitigating a storage attack at the block level by generating canary blocks by marking blocks of data (referred to as memory blocks) such that other programs do not modify these canary blocks that are monitored to detect data storage attacks that attempt to modify the canary blocks and/or by monitoring statistical and behavioral features of activities over blocks, whether they can be modified by other programs or not. The system and method also backup the memory blocks by backing up memory blocks as they are modified. When a data storage attack is detected, the attack is stopped, and the files are remediated using the backup of the affected memory blocks.

Abstract: An instantiated application includes both a runtime instantiation of an application image, and an administrative service operable to install in the instantiated application at least one security module during runtime of the instantiated application in a container. Prior to runtime, a design time agent can access the application image in a repository, examine the application image, and based on the examining, adding at least one security module to the application image prior to instantiation. During runtime, a runtime agent can query parameters of the container, such as static and dynamic variables available on the machine on which the container is running. The runtime agent processes these parameters in conjunction with predefined rules to determine an action such as starting, stopping, adding, and/or changing the security module, such as the method of packet inspection.

Abstract: An automated method executed by circuitry is provided for monitoring a software platform including multiple pods that manage, deploy, and execute micro services. The method uses monitoring pods at locations of interest in the software platform to label transactions that pass through the monitoring pods. The labels applied to the transactions are sent to a security program for review.

Abstract: Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.

Abstract: A method and system is provided for setting network policies based on electronic devices connected to a network. The electronic devices present on the network are detected and their behavior is captured using profiles. These profiles are then used to generate network policies based on the electronic devices connected to the network. Instead of reacting to behavior of the electronic devices (e.g., anomaly detection to detect malware), the method and system sets the network policies to prevent unauthorized communications (e.g., before malware is present in the system).

Abstract: A method is provided for identifying improperly redacted information in documents. The documents are analyzed to detect redacted areas and text elements and to identify an intersection between a redacted area and a text element. When an area of the intersection is greater than an intersection threshold, the document is identified as containing improperly redacted information.

Abstract: Methods and systems are provided for protecting DNS traffic locally on an electronic device (e.g., a smart phone) by capturing DNS traffic from network traffic transmitted from the device and ensuring the DNS traffic is routed to a trusted DNS server via a prescribed transmission protocol.

Abstract: An instantiated application includes both a runtime instantiation of an application image, and an administrative service operable to install in the instantiated application at least one security module during runtime of the instantiated application in a container. Prior to runtime, a design time agent can access the application image in a repository, examine the application image, and based on the examining, adding at least one security module to the application image prior to instantiation. During runtime, a runtime agent can query parameters of the container, such as static and dynamic variables available on the machine on which the container is running. The runtime agent processes these parameters in conjunction with predefined rules to determine an action such as starting, stopping, adding, and/or changing the security module, such as the method of packet inspection.

Abstract: Methods and systems for processing cryptographically secured connections by a gateway, between a client and a server, are performed. Upon receiving TCP and TLS/SSL handshakes associated with a client side connection, from a client (client computer) to the gateway, a probing connection is established. The probing connection completes the handshakes, and based on the completion of the handshakes, the gateway renders a decision, to bypass, block or inspect, the connections between the client and the server, allowing or not allowing data to pass through the connections between the client and the server.

Abstract: Transparently identifying users using a shared VPN tunnel uses an innovative method to detect a user of a shared VPN tunnel, after authenticating the user, using an assigned userid (that may be a virtual IP). The virtual IP is used as a cookie in each request made by the user. This cookie is an authentication token used by the gateway to detect the user behind a specific request for an Internet resource (such as an http/s request). The cookie is stripped by the gateway so the cookie is not sent to the resource.

Abstract: Methods and systems utilizing sandbox outputs for files, such as dynamic file analysis (DFA) reports, regardless of size, to automatically create rules. From these rules, the maliciousness of the file is determined, and if the file is malicious, i.e., malware, the malware is classified into malware families.

Abstract: Computerized methods and systems detect unauthorized and potentially malicious, as well as malicious records, typically in the form of electronic forms, such as those where users input information (into input blocks or fields), such as bank and financial institution electronic forms and the like. Should such an unauthorized form, be detected, the detection causes the taking of protective action by the computer whose on whose browser the unauthorized form has been rendered.

Abstract: Computerized methods and systems reduce the false positive rate of Web Application Firewalls (WAFs), by operating automatically and utilizing system defined “trusted sources”.

Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.

Abstract: Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.

Abstract: Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.

Abstract: Computerized methods and systems inspect data packets received from a web server for the presence of a value from a list of prohibited values. If a prohibited value is absent, a gateway injects at least one JavaScript code segment for execution by a web browser. The at least one JavaScript code segment includes a plurality of JavaScript functions which include at least one security analysis JavaScript function and a plurality of modified JavaScript functions. Each of the modified JavaScript functions is created from a respective native JavaScript function to include at least one code segment that when executed inspects for at least one of: a dynamic modification of at least one JavaScript function from a prohibited list of JavaScript functions, a dynamic creation of at least one JavaScript function from the prohibited list of JavaScript functions, or a dynamic reference to a value from the list of prohibited values.

Abstract: A method for monitoring access of users to Internet SaaS applications includes the CISO (company Internet security office) in the configuration and operation of the method, instead of relying only on whatever security the SaaS application implements. Certificates, not accessible to users, are pushed to a user's client. When an access request is received from a client by an application, a gateway requests from the client the certificate. After a notification and approval process with the user, a received certificate is verified, user access to the application is allowed or denied, and the CISO notified of the attempted access.

Abstract: Methods and systems provide mechanisms for inspection devices, such as firewalls and servers and computers associated therewith, to selectively manipulate files, for which a download has been requested. The manipulation is performed in a manner which is transparent to the requesting user.