Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and to seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.

Abstract: Systems and methods for Data Loss Prevention (DLP) on images include detecting an image in monitored user traffic; scanning the image to identify any text and extracting any identified text therein; responsive to the extracting, scanning the extracted text with a plurality of DLP techniques including one or more DLP engines where the extracted text is checked to trigger the one or more DLP engines, Exact Data Matching (EDM) where the extracted text is matched to see if it matches specific content, and Indexed Data Matching (IDM) where the extracted text is matched to some part of a document from a repository of documents; and performing one or more actions based on results of the plurality of DLP techniques.

Abstract: Disclosed herein is a method of detecting a security event associated with an IoT device configured to store data on a primary blockchain, in accordance with some embodiments. Accordingly, the method may include receiving, using a communication device, actual operational data associated with the IoT device. Further, the method may include retrieving, using a storage device, standard operational data associated with the IoT device. Further, the method may include analyzing, using a processing device, each of the actual operational data and the standard operational data. Further, the method may include detecting, using the processing device, the security event based on the analyzing. Further, the method may include generating, using the processing device, a notification based on the detecting. Further, the method may include transmitting, using the communication device, the notification to at least one user device associated with the IoT device.

Abstract: A method of unlocking a locked device includes receiving a device identifier over a wireless communication protocol, determining if the device identifier is associated with a list of trusted devices, transmitting a request to generate an acoustic signal over the wireless communication protocol based on the determination, receiving the acoustic signal as an audio sound generated external to the locked device, estimating a distance between a source of the audio sound and the locked device, and unlocking the locked device based on the estimation.

Abstract: Systems and methods for detecting malicious clients through inspecting application properties are described. These may include requesting application properties from a client application, receiving a digital fingerprint from the client device, determining whether the digital fingerprint indicates that the client application is likely a malicious client, and taking a mitigation action based on determining that the client application is likely a malicious client.

Abstract: A system and method for catastrophic event modeling are provided. The method includes generating a cyber event catalog based on a past cyber event, the cyber event catalog including a plurality of cyber events; and simulating a cyber event, of the plurality of cyber events included in the cyber event catalog, to predict whether an organization is affected by a simulated cyber event, wherein the organization is an organization selected from a hazard table.

Abstract: A user may access an institution system via more than one communications channel, either by the same device (e.g., a mobile device accessing the institution system via a voice channel and a data channel) or by different devices (e.g., a personal computer via a web channel and a phone via a voice channel). If a user is not currently authenticated to a communications channel and attempts to access the institution system via a communications channel, the user may be authenticated using strong authentication. If the user is currently authenticated to the institution system via a communications channel and would like to engage a second communications channel to access the institution system, the user may authenticate to the second communications channel using both communications channels and weak authentication, such as single factor authentication or a challenge question.

Abstract: Devices, systems and methods are provided to implement key generation for secure pairing between first and second devices using embedded out-of-band (OOB) key generation and without requiring the devices to have input/output (IO) capability to enter authentication information. Bluetooth Smart or Low Energy (BLE) OOB pairing option can be used for pairing medical devices with added security of OOB key generation. The OOB key generation comprises providing first and second devices with the same predefined credential and secure hashing algorithm, and making input of the hashing algorithm of the first and second devices the same. The first device transmits unique data to second device (e.g., via BLE advertising) to share and compute a similar input. The first and second devices use the credential and shared data with the hashing function to generate a key that is the same at each of first and second devices.

Abstract: The present invention relates to a reconfigurable switch forwarding engine parser capable of disabling hardware Trojans. The parser comprises a data preprocessing unit, several cascaded basic processing units and an extraction unit, wherein a key path of a basic processing unit of the first stage extracts and shifts a key bit keyword of a key, and sends a result to a data path of the current stage and a key path of the next stage; basic processing units of other stages carry out keyword extraction and shifting on a key frame and the data frame in sequence; and the extraction unit extracts the key frame and the data frame from a basic processing unit of the last stage, and forwards same to a subsequent packet processing part. The present invention can be widely applied to the design of the switch forwarding engine parser.

Abstract: A network manager manages a network topology. The network manager includes storage for storing a signature of a network device of the network topology. The network manager also includes a device state manager that obtains a signature of a device that participates in the network topology, the signature indicating that the device is operating in an undesired manner; makes a determination, based on signature, that the device should be in a quarantined state; in response to making the determination: generates a quarantine state update that indicates that the device is in the quarantined state; and sends, by the network manager, the quarantine state update to the device. The quarantine state update does not indicate how the quarantined state is implemented.

Abstract: A method may include receiving a data file including a plurality of tuples, each respective tuple including a username and password; matching a username from a tuple in the data file to a username of an account stored in an account database; determining that the password from the tuple matches a password for the account; in response to the determining indicating a match, setting a security flag for the account identifying the account as compromised; subsequent to the security flag being set, receiving a login request with validated credentials for the account from a computing device; and in response to the login request, transmitting a request to the computing device to modify the password for the account.

Abstract: An impact range estimation apparatus 10 estimates a range of impact due to infection by malware in a network system with a plurality of nodes. The impact range estimation apparatus 10 includes: a reverse propagation probability calculation unit 11 configured to, when a specific node is infected with the malware, based on scenario information that specifies a pattern of attack by the malware and a communications log in the network system before infection by the malware, for each node other than the specific node, calculate a probability that the malware propagates from that other node to the specific node; and a simulation execution unit 12 configured to, using the calculated probability, execute a plurality of times a simulation in which the malware is propagated to the specific node, and for each other node, calculate a number of times that that node becomes a propagation source of the malware.

Abstract: A system and a method of providing security to an in-vehicle network are provided. The method efficiently operates multiple detection techniques to reduce the required system resources while maintaining robustness against malicious message detection.

Abstract: An integrated vehicle health management (IVHM) system to resolve equipment-fault related anomalies detected by cyber intrusion detection system (IDS). A benefit of the present system is that it can result in fewer alerts that need manual analysis. A combination of cyber and monitoring with integrated vehicle health management (IVHM) may be a high value differentiator. As a solution gets more mature through a learning loop, it may be customized for different customers in a cost-effective manner, something that might be expensive to develop on their own for most original equipment manufacturers (OEMs). An IVHM symptom pattern recognition matrix may link a pattern of reported symptoms to known equipment failures. This matrix may be initialized from the vehicle design data but its entries may get updated by a learning loop that improves a correlation by incorporating results of investigations.

Abstract: A computer-implemented method for computing or modeling the risk of a cyber security breach to an asset begins by gathering coverage information from network sensors, endpoint agents, and decoys related to the asset, as well as gathering importance information related to the asset, alerts and anomalies from an enterprise and vulnerability information related to the asset. From this, a threat-score is computed for the asset. Connections or coupling information is gathered between users and assets, users and data, and assets and data, which is fused to generate a 3-dimensional vector representation of coverage, importance, and threat-score of the assets, users and data. From this 3-dimensional vector, an asset risk score is computed to provide the asset risk score.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: In one embodiment, a secure network system includes a two-way bridge connecting a protected packet data network with an external packet data network so as to allow bidirectional communication between the protected and external networks, a one-way link unidirectionally connecting the protected network to the external network and physically configured to carry signals in one direction from the protected network to the external network and to be incapable of carrying signals in the opposite direction from the external packet data network to the protected packet data network, and a security server to receive an indication of a security threat to at least one of the networks, and in response to the indication, to deactivate the two-way bridge and activate the one-way link so as to prevent the protected network from receiving packets from the external network while allowing forwarding of packets from the protected network to the external network.

Abstract: An integrated computer network security and threat prevention and detection platform includes a central processor and a display operable to aggregate and present data from a plurality of network security applications in an integrated dashboard format to a system administrator. The network security applications may be hardware, software, or hybrid applications running on local machines, local networks, remote machines, or remote networks, in communication with the central processor. In one embodiment implementation of the integrated computer network security and threat prevention and detection platform is performed on premises, in an alternative embodiment the integrated computer network security and threat prevention and detection platform is provided in an Internet or cloud-based environment, in other embodiments the computer system security platform is a hybrid configuration having both on-premises and cloud base components.

Abstract: A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executi

Abstract: Methods and apparatus consistent with the present disclosure may be used after a computer network has been successfully attacked by new malicious program code. Such methods may include collecting data from computers that have been affected by the new malicious program code and this data may be used to identify a type of damage performed by the new malicious code. The collected data may also include a copy of the new malicious program code. Methods consistent with the present disclosure may also include allowing the new malicious program code to execute at an isolated computer while actions and instructions that cause the damage are identified. Signatures may be generated from the identified instructions after which the signatures or data that describes the damaging actions are provided to computing resources such that those resources can detect the new malware program code.