Patents Examined by Badri Narayanan
  • Patent number: 11991191
    Abstract: Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.
    Type: Grant
    Filed: May 12, 2022
    Date of Patent: May 21, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roy Levin, Mathias A. M. Scherman
  • Patent number: 11991158
    Abstract: Novel tools and techniques might provide for implementing secure communications for IoT devices. In various embodiments, a gateway or computing device might provide connectivity between or amongst two or more Internet of Things (“IoT”) capable devices, by establishing an IoT protocol-based, autonomous machine-to-machine communication channel amongst the two or more IoT capable devices. For sensitive and/or private communications, the gateway or computing device might establish a secure off-the-record (“OTR”) communication session within the IoT protocol-based, autonomous machine-to-machine channel, thereby providing encrypted machine-to-machine communications amongst the two or more IoT capable devices, without any content of communications that are exchanged amongst the IoT capable devices over the secure OTR communication session being recorded or logged.
    Type: Grant
    Filed: May 18, 2023
    Date of Patent: May 21, 2024
    Assignee: CenturyLink Intellectual Property LLC
    Inventor: Tom Funk
  • Patent number: 11991201
    Abstract: The principles described herein relate to the training and implementation of a model designed to estimate the probability of new security incidents being true incidents. This occurs in an environment where a service such as a SIEM monitors a network of computing systems and other resources and detects a variety of incidents that could be security threats. These incidents are reported to the SOC for investigation and the SOC will take appropriate action to mitigate potential threats of true security breaches. As part of the investigation process, the SOC can label whether a security incident is true, false or benign. After labeling enough security incidents a model can be produced to estimate the probability that new security incidents are true incidents. This would help the SOC filter through security incidents more efficiently and allow for quicker response of the most likely security breaches.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: May 21, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hani Hana Neuvirth, Ishai Wertheimer, Ely Abramovitch, Yaron David Fruchtmann, Amir Keren
  • Patent number: 11991199
    Abstract: An anomaly detection model is trained to detect malicious traffic sessions with a low rate of false positives. A sample feature extractor extracts tokens corresponding to human-readable substrings of incoming unstructured payloads in a traffic session. The tokens are correlated with a list of malicious traffic features and frequent malicious traffic features across the traffic session are aggregated into a feature vector of malicious traffic feature frequencies. An anomaly detection model trained on feature vectors for unstructured malicious traffic samples predicts the traffic session as malicious or unclassified. The anomaly detection model is trained and updated based on its ongoing false positive rate and malicious traffic features in the list of malicious traffic features that result in a high false positive rate are removed.
    Type: Grant
    Filed: January 27, 2023
    Date of Patent: May 21, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Stefan Achleitner, Chengcheng Xu
  • Patent number: 11966380
    Abstract: A secure storage module of a client device interacts with a set of secure storage servers to securely store data items of the client on the servers, such that no individual server has the data in readable (non-obfuscated) form. Additionally, the client secure storage module and the servers interact to allow the client device to read a given portion of the original data items from the servers, such that none of the servers can determine which portion of the original data is being requested. Similarly, the interactions of the client secure storage module and the servers allows the client device to update a given portion of the original data on the servers to a new value, such that none of the servers can determine which portion is being updated and that none of the servers can determine either the prior value or new value or the difference between the new value and the prior value.
    Type: Grant
    Filed: July 21, 2021
    Date of Patent: April 23, 2024
    Assignee: SYMPHONY COMMUNICATION SERVICES HOLDINGS LLC
    Inventors: Christian Tschudin, David M′Raihi
  • Patent number: 11963005
    Abstract: A method includes: in response to a request from a human user to access account information, authenticating the human user via a graphical user interface (GUI); storing a result of authenticating the human user in a storage system; in response to authenticating the human user, directing the human user to a voice-based communication session; accessing the result of authenticating the human user from the storage system by the voice-based communication session; and providing access by the human user to the account information in the voice-based communication session based on the result of authenticating the human user.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: April 16, 2024
    Assignee: PayPal, Inc.
    Inventor: Rahul Nair
  • Patent number: 11956260
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: April 9, 2024
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Patent number: 11954214
    Abstract: Methods and systems for managing and/or processing a blockchain to maintain data security for confidential and/or personal data are provided. According to certain aspects, the disclosed data security techniques may enable access sharing functionality utilizing the blockchain. For example, access sharing may be utilized to share policy information. The policy information may be associated with a smart contract. Accordingly, the policy information may be encrypted using a public key for the smart contract and compiled into a block of the blockchain. In response to a request to provide access to the information to a particular node, the private key for the smart contract may be encrypted using the public key for the particular node and compiled into a block of the blockchain.
    Type: Grant
    Filed: February 1, 2023
    Date of Patent: April 9, 2024
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Melinda Teresa Magerkurth, Eric Bellas, Jaime Skaggs, Shawn M. Call, Eric R. Moore, Vicki King, Burton J. Floyd, David Turrentine, Steven T. Olson, Timothy Caleb Wells, Corin Rebekah Chapman, Edward W. Breitweiser, Robert Gomez, Shelia Cummings Smith
  • Patent number: 11949708
    Abstract: A system and method for accelerating a threat mitigation of malicious cybersecurity activity includes: identifying, via one or more processors, a cybersecurity event associated with a third-party application or a third-party service of a subscriber; generating, via the one or more processors, a service-proposed remediation action for the cybersecurity event based on the identifying of the cybersecurity event; automatically assessing, via the one or more processors, the service-proposed remediation action against automated remediation criteria of the subscriber based on the generation of the service-proposed remediation action; automatically constructing, via the one or more processors, a remediation action application programming interface (API) request for the service-proposed remediation action based on the service-proposed remediation action satisfying the automated remediation criteria of the subscriber; and automatically executing, via the one or more processors, the remediation action API request to rem
    Type: Grant
    Filed: October 4, 2023
    Date of Patent: April 2, 2024
    Assignee: Expel, Inc.
    Inventor: Nabeel Zafar
  • Patent number: 11949704
    Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.
    Type: Grant
    Filed: March 17, 2023
    Date of Patent: April 2, 2024
    Assignee: Forescout Technologies, Inc.
    Inventor: Elisa Costante
  • Patent number: 11943240
    Abstract: The technology disclosed relates to streamlined analysis of security posture of a cloud environment. In particular, the disclosed technology relates to accessing permissions data and access control data for pairs of compute resources and storage resources in the cloud environment, tracing network communication paths between the pairs of the compute resources and the storage resources based on the permissions data and the access control data, accessing sensitivity classification data for objects in the storage resources, qualifying a subset of the pairs of the compute resources and the storage resources as vulnerable to breach attack based on an evaluation of the permissions data, the access control data, and the sensitivity classification data against a set risk criterion, and generating a representation of propagation of the breach attack along the network communication paths, the representation identifying relationships between the subset of the pairs of the compute resources and the storage resources.
    Type: Grant
    Filed: December 28, 2022
    Date of Patent: March 26, 2024
    Assignee: Normalyze, Inc.
    Inventors: Ravishankar Ganesh Ithal, Yang Zhang, Mummoorthy Murugesan
  • Patent number: 11942440
    Abstract: An integrated circuit includes a semiconductor substrate having a rear face. A first semiconductor well within the substrate includes circuit components. A second semiconductor well within the substrate is insulated from the first semiconductor well and the rest of the substrate. The second semiconductor well provides a detection device that is configurable and designed to detect a DFA attack by fault injection into the integrated circuit.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: March 26, 2024
    Assignee: STMicroelectronics (Rousset) SAS
    Inventors: Alexandre Sarafianos, Abderrezak Marzaki
  • Patent number: 11930030
    Abstract: A system detects and responds to malicious acts directed towards machine learning models. Data fed into and output by a machine learning model is collected by a sensor. The data fed into the model includes vectorization data, which is generated from raw data provided from a requester, such as for example a stream of timeseries data. The output data may include a prediction or other output generated by the machine learning model in response to receiving the vectorization data. The vectorization data and machine learning model output data are processed to determine whether the machine learning model is being subject to a malicious act (e.g., attack). The output of the processing may indicate an attack score. A response for handling the request by a requester may be selected based on the output that includes the attack score, and the response may be applied to the requestor.
    Type: Grant
    Filed: November 8, 2023
    Date of Patent: March 12, 2024
    Assignee: HiddenLayer Inc.
    Inventors: Tanner Burns, Chris Sestito, James Ballard
  • Patent number: 11916875
    Abstract: Systems and methods for URL filtering are provided herein. In some embodiments, a system includes a processor programmed to receive a URL request to access a resource associated with the URL; perform a first layer of URL filtering by comparing the URL to a blocklist of malicious URLs; determine that the URL does not match a URL on the blocklist; perform a second layer of filtering by applying a machine learning algorithm to analyze the URL to predict whether the URL is malicious; and generate and transmit a URL filter determination that the URL is malicious and update the blocklist to include the URL.
    Type: Grant
    Filed: September 20, 2022
    Date of Patent: February 27, 2024
    Assignee: UAB 360 IT
    Inventors: Mantas Briliauskas, Vykintas Maknickas
  • Patent number: 11916937
    Abstract: Systems and methods for malware detection are provided herein. In some embodiments, a system having one or more processors is configured to: perform, on a plurality of user devices, at least one of a static analysis or a behavioral analysis of a file downloaded to a user device; receive a plurality of features extracted from the downloaded file; train at least one machine learning model, on a central server in communication with the plurality of user devices, based on the plurality of features; distribute the at least one trained machine learning model to the plurality of user devices; and update at least one of a machine learning model used for the static analysis or behavioral analysis with the distributed at least one trained machine learning model.
    Type: Grant
    Filed: November 14, 2022
    Date of Patent: February 27, 2024
    Assignee: UAB 360 IT
    Inventors: Vykintas Maknickas, Mantas Briliauskas, Dainius Razinskas
  • Patent number: 11916948
    Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.
    Type: Grant
    Filed: November 17, 2022
    Date of Patent: February 27, 2024
    Assignee: Senseon Tech Ltd
    Inventor: Neil Caithness
  • Patent number: 11914728
    Abstract: Methods and systems for managing and/or processing a blockchain to maintain data security for confidential and/or personal data are provided. According to certain aspects, the disclosed data security techniques may enable access sharing functionality utilizing the blockchain. For example, access sharing may be utilized to file documents, share policy information, and/or comply with an audit. The data security techniques disclosed herein also enable the use of smart contracts to transfer funds associated with payment obligations and/or other forms of blockchain based payments, comply with anti-money laundering requirements, report industry data, validate interest payments and/or maintain agent sales data. Data security may be achieved through the use of public key/private key encryption techniques.
    Type: Grant
    Filed: October 26, 2022
    Date of Patent: February 27, 2024
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Melinda Teresa Magerkurth, Eric Bellas, Jaime Skaggs, Shawn M. Call, Eric R. Moore, Vicki King, Burton J. Floyd, David Turrentine, Steven T. Olson, Timothy Caleb Wells, Corin Rebekah Chapman, Edward W. Breitweiser, Robert Gomez, Shelia Cummings Smith
  • Patent number: 11916902
    Abstract: Various approaches for securing networks against access from off network devices. In some cases, embodiments discussed relate to systems and methods for identifying potential threats included in a remote network by a network access device prior to requesting access to a known secure network via the remote network.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: February 27, 2024
    Assignee: Fortinet, Inc.
    Inventor: Emilio Borbolla Galindo
  • Patent number: 11916956
    Abstract: A method and system for generating dynamic applicative signatures of application layer flood attack tools are provided. The method includes determining a plurality of different attributes of requests received during an on-going DDoS attack; clustering at least one attribute of the plurality of different attributes, wherein the clustering is based on values of the plurality of different attributes; determining clusters of attributes representing most frequent structures of the requests received during the on-going DDoS attack; and generating, based on the determined clusters of attributes, a signature of an application layer flood attack tool executing the on-going DDoS attack.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: February 27, 2024
    Assignee: RADWARE LTD.
    Inventors: Ehud Doron, Koral Haham, David Aviv
  • Patent number: 11888878
    Abstract: Various example embodiments relate generally to providing security for a communication network based on detection and mitigation of an attack in the communication network. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on distributed collection of network traffic information at network elements and analysis of aggregated network traffic information at a network controller for determining whether a traffic anomaly indicative of an attack on the communication network is detected. Various example embodiments supporting attack detection and mitigation may be configured to support detection and mitigation of an attack in a communication network based on use of traffic records for supporting the collection, aggregation, and analysis of network traffic information.
    Type: Grant
    Filed: February 23, 2018
    Date of Patent: January 30, 2024
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Xuyang Jing, Zheng Yan