Abstract: A biometric data processing method implemented by a proof entity and a verification entity that are connected. The proof entity has a candidate biometric data, a reference biometric data, cryptographic footprints of the reference biometric data, and the candidate biometric data. The verification entity has a set of cryptographic footprints of reference biometric data of authorized users. The method includes generating the proof entity of a zero-knowledge proof of the fact that the candidate biometric data and the reference biometric data match. Transmitting to the verification entity the zero-knowledge proof of the cryptographic footprints of the candidate biometric data and the reference biometric data. Verifying that the zero-knowledge proof is valid, and the received cryptographic footprint of the reference biometric data belongs to the set of cryptographic footprints of reference biometric data in the possession of the verification entity.

Abstract: Methods and systems are disclosed for improvements in cloud services by sharing estimated and actual usage data of cloud services recipients with the cloud services provider. The sharing of this data allows the cloud services provider to better apportion cloud resources between multiple cloud services recipients. By analyzing information included in the shared data (e.g., information about one or more applications that use the cloud resources), the cloud services provider may categorize the applications and/or the functions of those applications into authorized and unauthorized uses, the determination of which, is used to further efficiently apportion the cloud services resources.

Abstract: A highly secure networked system and methods for storage, processing, and transmission of sensitive information. Personal/private information is cleansed, salted, and hashed by data contributor computing environments, and occurs using the same processes to ensure output hashed values are consistent across multiple sources. Hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Data dictionaries are created for particular individuals provided access to the highly secure information. Prior to a data dictionary being accessible, the data dictionary undergoes compliance and statistical analyses regarding potential re-identification of the source unhashed data. The data dictionaries are viewable as certified views via a secure VPN.

Abstract: Disclosed are systems and methods for detecting malicious applications. The described techniques detect a first process has been launched on a computing device, and monitor at least one thread associated with the first process using one or more control points of the first process. An execution stack associated with the one or more control points of the first process is received from the first process. In response to detecting activity on the one or more control points of the first process, an indication that the execution of the first process is malicious is generated by applying a machine learning classifier to the received execution stack associated with the one or more control points of the first process.

Abstract: A system for deriving a rating representative of a level of cybersecurity of a user is configured to execute steps of a method comprising requesting, from the user, identifying information about the user; requesting, from the user, input in response to a set of predetermined questions provided to the user based on the identifying information about the user; collecting, based on at least the identifying information, public domain data about the user and data from the user's digital assets; and computing, based on the collected data and the input to the set of predetermined questions provided by the user, a numerical value defining the cybersecurity rating.

Abstract: The present disclosure provides a system and method for allocating computer resources for detection of malicious files. In one aspect, the system comprises: a hardware processor configured to: form at least one behavior pattern grouping selected commands with shared parameters, apply a hash function on the at least one of the formed behavior pattern to obtain computed parameters, calculate a degree of harmfulness based on the obtained computed parameters using the hash function and a model for detection of malicious files, wherein the degree of harmfulness is a number value characterizing a probability that a malicious activity will be manifested by a time of computing said degree of harmfulness and wherein the model is a machine learning model trained using computed parameters of previous behavior patterns on which the hash function was applied to output degrees of harmfulness, and allocate the computing resources based on the calculated degree of harmfulness.

Abstract: The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.

Abstract: Disclosed herein are systems and method for recovering a computing device after an intrusion is detected. In one aspect, an exemplary method comprises, by a minimalistic operating system running on the computing device, deploying a master container, wherein the deploying of the master container comprises creating and starting the master container from a container image, providing, to the master container, access to a storage area network (SAN) volume, providing, to the master container, read-only access to a Distributed Configuration Management (DCM) module domain, the domain being where a configuration of the computing device is stored, and invoking an Intrusion Detection Module (IDM) to start detecting intrusions into the master container; and upon receiving a notification from the IDM, re-deploying, by the minimalistic OS, the master container from the container image, wherein the deployed master container acts as a default runtime environment on the computing device.

Abstract: Techniques for mitigating cybersecurity performance gaps in an organization are disclosed. The method comprises the steps of selecting a threat framework for formulating a threat detection strategy, mapping most likely adversary tactics that may be used to circumvent the threat detection strategy, updating the threat detection strategy, and performing threat detection to determine threat assessment scores. Further, the determined scores are categorized and contextualized to identify cybersecurity gaps in the organization. These gaps are prioritized based on certain criteria to provide automated recommendations and alerts regarding cybersecurity performance gaps and related organizational risks.

Abstract: A method of using an interexchange to process states of subsystems tracked by disparate block chains. The method comprises locating a first block comprising current state information associated with a first process stored in a first block chain by an interexchange application executing on a computer system, wherein the first process is performed by a first subsystem, reading the current state information of the first process by the interexchange application from the located first block, transcoding a representation of the current state information by the interexchange application to a representation associated with a second block chain, creating a block by the interexchange application, wherein the created block stores the transcoded representation of the current state information in a data field of the created block that the predefined block structure associates to the transcoded current state information, and attaching the created block to the second block chain.

Abstract: The application discloses a data analysis system and a data analysis method. The data analysis system includes a data provider host and a data analysis host. The data provider host is configured to perform a stream cipher algorithm based on raw data to obtain first data. The data analysis host is configured to perform a data analysis based on the first data to obtain an analysis result. The data provider host or the data analysis host is further configured to perform a block cipher algorithm based on the analysis result to obtain second data, and send the second data to an external device. The data provider host is further configured to calculate an attribute-value correspondence between the raw data and the second data, and send the attribute-value correspondence to the external device.

Abstract: Embodiments of the present specification disclose data authorization information acquisition methods, apparatuses, and devices. One method comprises: receiving, from a data requestor and for data, a data use permission application; determining, based on the data use permission application, an approver, wherein the approver is an owner of the data; sending the data use permission application to the approver; receiving acknowledgement information of the approver for receiving the data use permission application; generating data authorization information based on the acknowledgement information; and sending the data authorization information to the data requestor.

Abstract: A personal information security system allows for the storage of data in a secure manner by assigning a key to the data and breaking up the data then sending parts or pieces to many computing devices on a network. The data is requested and gathered from the user base by providing the key to the data.

Abstract: A system and method is provided for determining the confidence level in attributing a cyber campaign to an activity group. The system and method allows for determining information gaps that need to be filled in order to perform attribution with higher degree of confidence. The system and method is able to extract quantitative data from the campaign intrusion set data and perform a multi-stage analysis and comparison with quantitative data extracted from threat intelligence feeds/platforms and/or vendor intelligence reports. This allows for identifying an activity groups that may be attributed for the campaign with the associated level of confidence.

Abstract: A method for detecting an intrusion (i.e. hacking) of an electronic device includes determining an expected activity value associated with one or more software applications executing on a processor, monitoring the one or more software applications executing on the processor to determine a current activity value associated with the one or more software applications, determining whether the current activity value exceeds a threshold associated with the expected activity value, and in response to determining that the current activity value exceeds the threshold, initiating one or more security actions associated with the one or more software applications. A system for detecting an intrusion of an electronic device includes an intrusion detection module configured to perform the steps of the method.

Abstract: The disclosed computer-implemented method for protecting users may include (i) intercepting, through a cloud-based security proxy service, network traffic originating from a mobile application at a mobile device connected to a local area network protected by the cloud-based security proxy service, (ii) detecting, by the cloud-based security proxy service, a threat indicator indicated by the mobile application, and (iii) modifying the network traffic originating from the mobile application at the mobile device by applying, by the cloud-based security proxy service based on detecting the threat indicator indicated by the mobile application, a security policy to protect the local area network from a candidate threat corresponding to the threat indicator. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods are disclosed to implement a self-learning machine assessment system that automatically tunes what data is collected from remote machines. In embodiments, agents are deployed on remote machines to collect machine characteristics data according to collection rule sets, and to report the collected data to the machine assessment system. The machine assessment system assesses the remote machines using the collected data, and automatically determines, based on what data was or was not needed during the assessment, whether an agent's collection rule set should be changed. Any determined changes are sent back to the agent, causing the agent to update its scope of collection. The auto-tuning process may continue over multiple iterations until the agent's collection scope is stabilized. In embodiments, the assessment process may be used to analyze the remote machine to determine security vulnerabilities, and recommend possible actions to take to mitigate the vulnerabilities.

Abstract: A symbol input method performed by a symbol input device having a display unit, a selector, and a determiner includes: displaying, by the display unit, a correspondence table indicating correspondences between input target symbols and selection target symbols and indicating that each of the input target symbols corresponds to one or more selection target symbols; ending the displaying by the display unit; prompting, by the selector, after the ending, a user to select one of the selection target symbols included in the displayed correspondence table; and determining, by the determiner, one input target symbol as a symbol to be input. The input target symbol is indicated in the displayed correspondence table and corresponds to the selection target symbol selected by the user in the prompting.

Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.