Abstract: Systems and methods are provided for creating, managing and implementing data encryption and key management in a software application through an application programming interface (API) via a SAAS-based API-based platform. A developer can quickly and easily build encryption into any application with an API accessed through an API-based platform that allows the developer to enter basic information about an application, generate encryption keys, download a client library and implement the encryption into the application based on the application information and encryption keys with only two calls to the API. The encryption is built into the software layer and the keys are managed remotely, providing security and simplicity for implementing and executing encryption.

Abstract: In one embodiment, data at rest is securely stored. A data safe performing data plane processing operations in response to requests of received read data requests, received write data requests, and received read information responses, with the data safe being immutable to processing-related modifications resulting from said performing data plane processing operations. In one embodiment, performing these data plane processing operations does not expose any pilot keys outside the data safe in clear form nor in encrypted form. The pilot keys are used to encrypt information that is subsequently stored in a storage system. One embodiment uses pilot keys to encrypt data that is subsequently stored in a storage system. One embodiment uses data cryptographic keys to encrypt data, uses the pilot keys to cryptographically-wrap (encrypt) the data cryptographic keys, and stores the cryptographically wrapped data keys and encrypted data in a storage system.

Abstract: Embodiments described herein provide for systems and methods for implementing a neural network architecture for spoof detection in audio signals. The neural network architecture contains a layers defining embedding extractors that extract embeddings from input audio signals. Spoofprint embeddings are generated for particular system enrollees to detect attempts to spoof the enrollee's voice. Optionally, voiceprint embeddings are generated for the system enrollees to recognize the enrollee's voice. The voiceprints are extracted using features related to the enrollee's voice. The spoofprints are extracted using features related to features of how the enrollee speaks and other artifacts. The spoofprints facilitate detection of efforts to fool voice biometrics using synthesized speech (e.g., deepfakes) that spoof and emulate the enrollee's voice.

Abstract: Disclosed techniques include cybersecurity operations case triage groupings. A plurality of network-connected cybersecurity threat protection applications is accessed. A plurality of inputs is received from the cybersecurity threat protection applications. The plurality of inputs is initiated by one or more cybersecurity events. A computer platform is used to analyze metadata associated with the plurality of inputs from the cybersecurity threat protection applications. The analyzing is based on parsing incoming traffic alerts from the cybersecurity threat protection applications. The inputs are triaged into groupings, based on the metadata. The triaging determines commonality of threats among the plurality of inputs. The groupings are based on a number of users experiencing the plurality of inputs. The number of users is matched against a threshold for the plurality of inputs and a particular grouping. A cybersecurity threat response is generated, based on the groupings.

Abstract: Systems and methods of defending against stack-based cybersecurity attacks that exploit vulnerabilities in buffer overflows. The embodiments disclosed herein propose applying a randomized modification to the original size of the stack frames of functions of a program. By applying a randomized modification to the length of the stack frame, e.g., randomly increasing the length of the allocated stack frame memory, it becomes harder (if not impossible) for the attacker to guess or estimate the memory location where the return address of a function is stored, regardless of the attacker's knowledge of the length of the stack frame. Multiple implementations, e.g., randomizations at transform time, load time, and run time are discussed herein.

Abstract: In one embodiment, data at rest is securely stored. A data safe performing data plane processing operations in response to requests of received read data requests, received write data requests, and received read information responses, with the data safe being immutable to processing-related modifications resulting from said performing data plane processing operations. Performing these data plane processing operations does not expose any pilot keys outside the data safe in plaintext form nor in encrypted form. The pilot keys are used to encrypt information that is subsequently stored in a storage system. In one embodiment, the information encrypted and decrypted by the data safe includes data structure instances including feature-preserving encrypted entries generated using feature-preserving encryption on corresponding plaintext data items.

Abstract: A system and a method are disclosed for determining that a first electronic communication, received in a first private repository of a user, has been identified (e.g., flagged) as including a threat, and determining a probability that the first electronic communication includes the threat. In response to determining that the probability exceeds a threshold probability, the system monitors monitoring for a second electronic communication, received in a second private repository, that includes contents that match the contents of the first electronic communication.

Abstract: Systems and methods for permitting software presence/configurations to function as a factor in a multi-factor authentication scheme so that a user's access to a different software program/application is conditioned on the presence of certain pre-specified software or software configurations that would otherwise not be necessary for access and/or operation of the different software program/application. Generally, by confirming the presence/configuration of the pre-specified software on a computing device, the system ensures that a user, in one embodiment, may only access the different software program/application with the proper configuration of the pre-specified software.

Abstract: Methods, systems, and apparatuses for audio event detection, where the determination of a type of sound data is made at the cluster level rather than at the frame level. The techniques provided are thus more robust to the local behavior of features of an audio signal or audio recording. The audio event detection is performed by using Gaussian mixture models (GMMs) to classify each cluster or by extracting an i-vector from each cluster. Each cluster may be classified based on an i-vector classification using a support vector machine or probabilistic linear discriminant analysis. The audio event detection significantly reduces potential smoothing error and avoids any dependency on accurate window-size tuning. Segmentation may be performed using a generalized likelihood ratio and a Bayesian information criterion, and the segments may be clustered using hierarchical agglomerative clustering. Audio frames may be clustered using K-means and GMMs.

Abstract: Memory access control in a virtualization environment is provided by maintaining sets of page tables each corresponding to a given hypervisor application and guest virtual machine (VM), and controlling presentation of the sets of page tables to selectively present just one of the sets at any given time for hypervisor processing to access guest VM memory, where access to guest VM memory is controlled by controlling a page table base address presented in hardware of the computer system, and controlling presentation includes, based on a request for hypervisor processing for a guest VM: identifying a hypervisor application to service the request for hypervisor processing, identifying the set that corresponds to the combination of that guest VM and that hypervisor application, and presenting that identified set for guest VM memory access by the identified hypervisor application and the microkernel hypervisor.

Abstract: Systems and methods for intercepting an operation requested by a user (e.g., print a document, cut text, copy an image, paste a hyperlink, embed an audio clip, save as a document in a new location, etc.) and performing one or more actions based on the level of security associated with the originating program, originating file, intended program, and/or intended file for that operation. As such, the disclosed systems and methods may enable consistent data security to be applied to a particular data item regardless of the location of that data item or the operations performed on the same.

Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: An apparatus and method for responding to an invalid state occurrence encountered during execution of a third-party application program is included. The apparatus performing the method which includes registering a trap signal handler with a kernel of an operating system. The method also including intercepting calls from the third-party application program to the operating system and processing an exception signal corresponding to the invalid state to generate a response. The response including performing a signal reporting process.

Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to modify at least one header in a request for content based on a requirement for a network source.

Abstract: Embodiments described herein provide for a computer that detects one or more keywords of interest using acoustic features, to detect or query commonalities across multiple fraud calls. Embodiments described herein may implement unsupervised keyword spotting (UKWS) or unsupervised word discovery (UWD) in order to identify commonalities across a set of calls, where both UKWS and UWD employ Gaussian Mixture Models (GMM) and one or more dynamic time-warping algorithms. A user may indicate a training exemplar or occurrence of call-specific information, referred to herein as “a named entity,” such as a person's name, an account number, account balance, or order number. The computer may perform a redaction process that computationally nullifies the import of the named entity in the modeling processes described herein.

Abstract: Aspects of the subject technology relate to determining a defense surface change command to be applied to a defense surface. An organizational threat profile is stored and a baseline exposure score for threats is generated. The baseline exposure score is weighted based on at least the organizational threat profile to generate a prioritized exposure score. A defense surface change command is generated based on at least the prioritized exposure score, which is transmitted to hardware or software components, and an updated prioritized exposure score for the one or more hardware or software components is generated.

Abstract: An example method comprises receiving, by a secure content system, an email from a sender to a recipient, scanning the contents of the email, evaluating the contents of the email based on a plurality of security rules, storing the sensitive data within a secure storage, generating a replacement email including a security link and not including at least the sensitive data, the security link providing a requester access to the sensitive data providing that a security function is satisfied, sending the replacement email including the security link to the recipient, receiving a request to access the sensitive data, the request being related to the security function challenging the requester using the security function, receiving, from the requester, a response to the security function, determining if the security function is satisfied by the response, and if the security function is satisfied, providing access to the sensitive data to the requester.

Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to segment network traffic associated with a request for content from a network source, based on a comparison of the network source against a policy, between at least one of directly accessing the content from the network source and indirectly accessing the content via a remote cloud device by rerouting the network traffic from an end user device to the remote cloud device.

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a data store. By employing these techniques across all emails of an entity, insight may be gained into the aggregate nature of Internet services being used. A policy engine may act on an individual email to request further information or action, quarantine the email, or to pass the email to other security tools. An aggregate account analysis engine can update the data store to provide a broad picture of Internet service usage within the organization (e.g., by department).

Abstract: Disclosed techniques include cybersecurity operations center load balancing. A cybersecurity security operations center (SOC) caseload history is accessed. Triage results from the SOC caseload history are analyzed on a computer platform to produce an analyst threat response profile. The analyst threat response profile is augmented with threat response resolution metrics. The threat response resolution metrics are updated with a subjective rating. The subjective rating is supplied by management, peers, or machine learning. Notification of a new cybersecurity threat is received across a cybersecurity network by the SOC. The new cybersecurity threat is assigned to a specific analyst, based on the augmented analyst threat response profile. The assigning is further based on weighting of threat severity, threat complexity, and analyst availability. An existing SOC caseload is reassigned to increase availability of the specific analyst.