Patents Examined by Ali S. Abyaneh
  • Patent number: 11689563
    Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Information about such emails can be recognized by performing a discrete analysis of the email before delivering the email to the user and determining whether a corrective action is warranted. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a database. In many implementations, such discrete analysis is performed after an email has been classified as legitimate by one or both of a spam filter and a malware detector. An aggregate analysis, whose output can also update the database, can provide a broad picture of Internet service usage within a set of email users (e.g., by department).
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: June 27, 2023
    Assignee: Nudge Security, Inc.
    Inventors: Russell Spitler, Jaime Blasco
  • Patent number: 11683337
    Abstract: The system inhibits malware, which has infected user equipment (UE), from establishing a communication channel between the UE and a malware command and control (C2) website. A malware threat detector detects traffic generated by user equipment generated by malware. The system extracts the logs of these detections and processes the packet capture and extracts the fully qualified domain name (FQDN). The FQDN is then transmitted to a malware information sharing platform and added to the domain name system response policy zone (DNS RPZ). The DNS RPZ can block subsequent access to the malware C2 website due to the inclusion of the FQDN on the DNS RPZ.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: June 20, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: David Killion
  • Patent number: 11671433
    Abstract: A cloud-based security system includes a plurality of enforcement nodes connected to one another; a central authority connected to the plurality of enforcement nodes; and a Data Loss Prevention (DLP) service executed between the plurality of enforcement nodes, wherein the DLP service includes one or more DLP rules based on one or more DLP engines for a tenant, and wherein, for the DLP service, a first enforcement node is configured to monitor traffic of a user of the tenant, detect a DLP rule violation based on the one or more DLP rules, and forward DLP incident information to a second enforcement node, and the second enforcement node is configured to transmit the DLP incident information to a server for the tenant, including both DLP triggering content that cause the DLP rule violation and DLP scan metadata.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: June 6, 2023
    Assignee: Zscaler, Inc.
    Inventors: Narinder Paul, Arun Bhallamudi, James Tan, Frank Zhang, Pooja Deshmukh
  • Patent number: 11671253
    Abstract: A data processing method is provided. A terminal device encrypts a target instruction and a first identifier using a first key to obtain a first ciphertext; and sends the first ciphertext to an IoT device through an IoT platform. The IoT device decrypts the first ciphertext using a second key to obtain the target instruction and the first identifier; determines whether the first identifier matches a second identifier stored locally and comes to a matching result, the first key and the second key being negotiated by the terminal device and the IoT device; and obtains a second ciphertext by encrypting the matching result using the second key. The terminal device receives the second ciphertext returned by the IoT device through the IoT platform; decrypts the second ciphertext using the first key to obtain a decryption result; and performs a corresponding operation using the decryption result.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: June 6, 2023
    Assignee: SHENZHEN CHENBEI TECHNOLOGY CO., LTD.
    Inventors: Huifeng Tang, Zhengbo Ye
  • Patent number: 11657182
    Abstract: A highly secure networked system and methods for storage, processing, and transmission of sensitive information are described. Sensitive, e.g. personal/private, information is cleansed, salted, and hashed by data contributor computing environments. Cleansing, salting, and hashing by multiple data contributor computing environments occurs using the same processes to ensure output hashed values are consistent across multiple sources. The hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Prior to a data dictionary being accessible by a researcher computing device, the data dictionary undergoes compliance and statistical analyses regarding potential re-identification of the source unhashed data. The data dictionaries are viewable by researchers as certified views via a secure VPN.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: May 23, 2023
    Assignee: Optum, Inc.
    Inventor: Robin Edison
  • Patent number: 11651070
    Abstract: Provided are a computer program product, system, and method for detecting a security breach in a system managing access to a storage. Process Input/Output (I/O) activity by a process accessing data in a storage is monitored. A determination is made of a characteristic of the data subject to the I/O activity from the process. A determination is made as to whether a characteristic of the process I/O activity as compared to the characteristic of the data satisfies a condition. The process initiating the I/O activity is characterized as a suspicious process in response to determining that the condition is satisfied. A security breach is indicated in response to characterizing the process as the suspicious process.
    Type: Grant
    Filed: September 17, 2021
    Date of Patent: May 16, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 11641367
    Abstract: A method and system for detecting intrusion on a CAN bus or vehicle network and neutralizing unauthorized intrusions. The system monitors the bit timing characteristics of CAN bus messages, establishes trusted bit timing characteristics, and identifies unauthorized CAN bus messages. The device neutralizes unauthorized messages on the CAN bus by injecting data on the CAN bus at the appropriate time, preventing the unauthorized messages from being received, and presents alerts upon detection of one or more intrusions. It can be used as a standalone or hard-wired system, and may be accessible to the OBD-II port, relay or fuse port on a vehicle and may put other electronic control units on the vehicle into a safe operating mode upon receipt of the intrusion, neutralize all CAN message identifiers or set the intrusion detection flag to TRUE for all CAN message identifiers, sent by the same electronic control unit node.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: May 2, 2023
    Assignee: Voyomotive, LLC
    Inventors: Adam Sloan, Robert Vogt, IV
  • Patent number: 11636193
    Abstract: A system can be configured to determine whether a user is a human or a computer based on whether the user is capable of intuitive-based decision making to identify requested features. The system can generate a challenge that includes a question emphasizing mental shortcuts and associations developed through social and cultural interactions. The challenge also includes one or more media objects that are distinguishable to a human user due to the mental shortcuts and associations that permit selection of the correct media object in light of the question. Intuitive connections between statements and media objects are often difficult to implement within computer programs and algorithms due to the two-stage challenge requiring both comprehension and recognition of important features.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: April 25, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Jamie Plenderleith, Monika Marta Gnyp
  • Patent number: 11625482
    Abstract: A computer security monitoring system and method are disclosed that feature, in one general aspect, monitoring on an ongoing basis for evidence of the presence of infected systems in one or more networks that are each associated with a monitored organizational entity possessing digital assets, continuously updating risk profiles for the entities based on information about intrusion features from the monitoring, aggregating risk scores for the entities, and electronically reporting the aggregated risk score to an end user. In another general aspect, a method is disclosed that includes acquiring and storing data relating to interactions with malware controllers over a public network, acquiring and storing a map of relationships between networks connected to the public network, extracting risk data from the stored interaction data and the stored relationship map by cross-referencing the acquired interaction data against the map of relationships, and issuing security alerts based on the extracted risk data.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: April 11, 2023
    Assignee: Recorded Future, Inc.
    Inventors: Christopher Ahlberg, Bill Ladd, Sanil Chohan, Adrian Tirados Mata, Michael Tran, Staffan Truvé
  • Patent number: 11625489
    Abstract: A system and method for securing execution environments by quarantining software containers. A method includes: determining, based on configuration data for an application stored in the application software container, at least one intended behavior of the application when executed by the application software container; monitoring execution of the application software container in a first execution environment, wherein the monitoring further comprises comparing the execution of the application software container to the at least one intended behavior; detecting an unauthorized action by the application software container when the execution of the application software container is anomalous as compared to the at least one intended behavior; and quarantining the application software container by migrating the application software container from the first execution environment to a second execution environment when the unauthorized action is detected.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: April 11, 2023
    Assignee: Twistlock, Ltd.
    Inventors: John Morello, Dima Stopel, Liron Levin
  • Patent number: 11601467
    Abstract: Methods and systems are disclosed for service provider based advanced threat protection. A service provider network may include one or more network devices. The service provider network may be configured to determine network isolation configuration information for a client device, on a local area network (LAN), associated with a client account. The network isolation configuration information may include an identification of trusted network destination and/or untrusted network destinations for the client device. The service provider network may send the network isolation configuration information to the client device. The service provider network may be configured to authenticate a segregated memory space operating on the client device.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: March 7, 2023
    Assignee: L3 Technologies, Inc.
    Inventors: Glenn Coleman, Peter Martz, Kenneth Moritz
  • Patent number: 11588814
    Abstract: A system for determining identification of a patient communicating over a computer network with a medical provider with certainty is provided using biometric data captured by said medical provider with subsequent biometric data generated by biometric sensors proximal to a patient. Using previously captured biometric information concerning physical characteristics unique to the patient and comparing such to subsequently generated biometric data from the patient, a medical provider can determine the identity of a patient attempting communication over a computer network with the medical provider.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: February 21, 2023
    Assignee: PulseONE Global, LLC
    Inventors: Sandor Kulin, Balazs Szabo, Daniel Kulin
  • Patent number: 11586736
    Abstract: Disclosed are systems and methods for detecting malicious applications. An exemplary method may comprise detecting that a first process has been launched on a computing device. The method may comprise receiving, from the first process, an execution stack associated with one or more control points of the first process. The method may comprise applying a machine learning classifier on the execution stack, wherein the machine learning classifier is configured to classify whether a process is malicious based on activity on control points captured on a given execution stack, and wherein a feature of a malicious process is detection of a system call to create a remote thread that runs in a virtual address space of a shared-service process configured to import third-party processes to be embedded as separate threads. The method may comprise generating an indication that the execution of the first process is malicious/non-malicious.
    Type: Grant
    Filed: July 6, 2022
    Date of Patent: February 21, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Serguei Beloussov, Alexey Dod, Valery Chernyakovsky, Anatoly Stupak, Sergey Ulasen, Nikolay Grebennikov, Vyacheslav Levchenko, Stanislav Protasov
  • Patent number: 11582246
    Abstract: Techniques and systems to provide a more intuitive user overview of events data by mapping unbounded incident scores to a fixed range and aggregating incident scores by different schemes. The system may detect possible malicious incidents associated with events processing on a host device. The events data may be gathered from events detected on the host device. The incident scores for incidents may be determined from the events data. The incident scores may be mapped to bins of a fixed range to highlight the significance of the incident scores. For instance, a first score mapped to a first bin may be insignificant while a second score mapped to a last bin may require urgent review. The incident scores may also be aggregated at different levels (e.g., host device, organization, industry, global, etc.) and at different time intervals to provide insights to the data.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: February 14, 2023
    Assignee: CrowdStrike, Inc.
    Inventor: Daniel W. Brown
  • Patent number: 11570002
    Abstract: An example operation may include one or more of storing a full-step hash of a data file and a reduced-step hash of the data file within a data block of a hash-linked chain of blocks of a blockchain, receiving a request from a client application to verify the data file, determining whether to provide the full-step hash of the data file or the reduced-step hash of the data file based on the request, and in response to determining to provide the reduced-hash, transmitting the reduced-step hash of the data file to the client application.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: January 31, 2023
    Assignee: International Business Machines Corporation
    Inventor: Praveen Jayachandran
  • Patent number: 11556638
    Abstract: A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executi
    Type: Grant
    Filed: June 27, 2022
    Date of Patent: January 17, 2023
    Assignee: Expel, Inc.
    Inventors: Peter Silberman, Dan Whalen, Matt Berninger, Paul Diebold, Ben Kawecki
  • Patent number: 11556639
    Abstract: Herein disclosed is a method for automatically extracting signatures for malware. The method takes advantage of a fundamental economic requirement of malware authors: they must reuse code to manage the time investment. The method disclosed finds shared code between malware and generates signatures from the code. A method is also disclosed for separating code that is found predominantly, if not exceptionally, in malware from code that may be found in benign programs.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: January 17, 2023
    Assignee: University of Louisiana at Lafayette
    Inventor: Arun Lakhotia
  • Patent number: 11556643
    Abstract: Systems and methods are provided to measure the similarity between a first and second data sample. The method can include creating a plurality of k-mers from the first data sample, each k-mer having a first length; generating a first vector from the plurality of k-mers by processing the plurality of k-mers with a plurality of hash functions; calculating a similarity level between the first and second data sample by comparing the first vector to a second vector, the second vector representing the second data sample; and based on the similarity level, determining a maliciousness level of the first data sample.
    Type: Grant
    Filed: August 18, 2021
    Date of Patent: January 17, 2023
    Assignee: Cybereason Inc.
    Inventors: Yonatan Perry, Assaf Ben-David, Uri Sternfeld
  • Patent number: 11556656
    Abstract: Methods and apparatus of Exclusive OR (XOR) engine in a random access memory device to accelerate cryptographical operations in processors. For example, an integrated circuit memory device enclosed within a single integrated circuit package can include an XOR engine that is coupled with memory units in the random access memory device (e.g., having dynamic random access memory (DRAM) or non-volatile random access memory (NVRAM)). A processor (e.g., System-on-Chip (SoC) or Central Processing Unit (CPU)) can have encryption logic that performs cryptographical operations using XOR operations that are performed by the XOR engine in the random access memory device using the data in the random access memory device.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: January 17, 2023
    Assignee: Micron Technology, Inc.
    Inventors: Shivam Swami, Sean S. Eilert, Ameen D. Akel, Kenneth Marion Curewitz, Hongyu Wang
  • Patent number: 11546369
    Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: January 3, 2023
    Assignee: Rapid7, Inc.
    Inventors: Paul-Andrew Joseph Miseiko, Ross Barrett