Abstract: Methods, systems, and apparatuses are described for identifying potential identity fraud by tracking a user's typical communication patterns. If a new communication is received from someone who purports to be a trusted user, but the communication exhibits communication traits that are not typical for the user, additional identity fraud prevention steps may be taken.

Abstract: Disclosed is a system for customizing protections provided to different application programming interfaces (“APIs”) and different functions of an API based on different API context and user context associated with the different APIs and the different functions of each API. The system receives a particular API, determines API context for proper usage of one or more functions of the particular API, and determines user context associated with endpoints properly accessing the one or more functions. The system generates a model for differentiating between proper and improper use of the one or more functions based on contextual relationships between different combinations of the API context and the user context. The system monitors usage of the one or more functions based on the model, and performs an action that is associated with the model in response to the usage violating the contextual relationships for the one or more functions.

Abstract: A system and method for the detection and mitigation of data source compromises in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. Data quality analysis is conducted on the data as it is ingested in order to identify various data source metrics and determine if a data source may be compromised. The results of the data quality analysis, the identified metrics, the gathered data, and meta-data are used to manage the reputation of the contributing data sources. The system can make recommendations on data sources based on the data source reputation scoring.

Abstract: Systems and methods for blocking spoofed traffic within communications networks include obtaining, at a computing system, routing information for an autonomous system of a communications network, the routing information identifying Internet Protocol (IP) addresses associated with the autonomous system. In response to receiving the routing information, the computing system generates a prefix list based on the routing information, the prefix list including one or more prefixes encompassing the IP addresses identified by the routing information. The computing system then transmits instructions to a network device of the communications network configured to cause the network device to update a filter function of the network device based on the prefix list such that the network device permits network traffic that originates from IP addresses within the prefixes of the prefix list.

Abstract: A processing blade is assigned from the plurality of processing blades to a session of data packets. The load balancing engine manages a session table and an IPsec routing table by updating the session table with a particular security engine card assigned to the session and by updating the IPsec routing table for storing a remote IP address for a particular session. Outbound raw data packets of a particular session are parsed for matching cleartext tuple information prior to IPsec encryption, and inbound encrypted data packets of the particular session are parsed for matching cipher tuple information prior to IPsec decryption. Inbound data packets assigned to the processing blade from the session table are parsed and forwarded to the station.

Abstract: A system and method for cybersecurity reconnaissance, analysis, and scoring that uses distributed, cloud-based computing services to provide sufficient scalability for analysis of enterprise IT networks using only publicly available characterizations. The system and method comprise an in-memory associative array which manages a queue of vulnerability search tasks through a public-facing proxy network. The public-facing proxy network has search nodes configurable to present the network to search tools in a desired manner to control certain aspects of the search to obtain the desired results. A distributed data processing engine and cloud-based storage are used to provide scalable computing power and storage. A data packet modifier is used to reveal the IP address of a threat actor behind a port scan and subsequently block the threat actor. Each of the cloud-based computing services is containerized and orchestrated for management and efficient scaling purposes.

Abstract: A distributed policy management (PM) system (e.g., system for authentication, authorization, and accounting (AAA) activities on a network) is provided. Nodes of the PM system may share information of the PM system using a distributed data store (e.g., a multi-master cache). Each node of the distributed PM system may further share information from the distributed data store with other nodes of a corporate infrastructure network by augmenting information in a remote authentication dial-in user service (RADIUS) protocol message. Nodes that are involved in policy management (e.g., network authentication server (NAS) or firewall) without access to the distributed data store may receive information via augmented RADIUS messages. In this manner, devices may be interfaced to the distributed PM system without having access to the distributed data store. High availability and load balancing implementations may be provided by leveraging the distributed data store across nodes of the PM system.

Abstract: Disclosed are a model parameter training method and a terminal based on federation learning, and a medium. The method includes: determining a feature intersection of a first sample of the first terminal and a second sample of a second terminal, training the first sample based on the feature intersection to obtain a first mapping model, sending the first mapping model to the second terminal; receiving a second encryption mapping model sent by the second terminal, predicting a missing feature of the first sample of the first terminal according to the second encryption mapping model to obtain a first encryption supplementary sample; receiving a first encryption federation learning model parameter sent by a third terminal, training a federation learning model to be trained according to the first encryption federation learning model parameter, and calculating a first encryption loss value; and sending the first encryption loss value to the third terminal.

Abstract: In an aspect, an integrated tamper resistant device generates initial network credentials for accessing a network, wherein the initial network credentials enable the integrated tamper resistant device to be authenticated by a network solution provider before operational network credentials are provided securely by the network solution provider. The integrated tamper resistant device encrypts the initial network credentials and cryptographically signs the encrypted initial network credentials. The integrated tamper resistant device outputs the encrypted and signed initial network credentials for delivery to the network solution provider.

Abstract: A system includes a memory and processor. The memory stores code segment vulnerability findings that were generated through static application security testing (SAST). For a first code segment, a first vulnerability finding has been classified as a real vulnerability, and a second vulnerability finding has been classified as a false positive by external review. The processor generates a code fingerprint for each code segment, which corresponds to an abstract syntax tree that has been augmented by data flow information and flattened. The processor determines that the fingerprint for the first code segment matches the fingerprint for a second code segment and that the vulnerability findings for the first code segment match those for the second. In response, the processor automatically classifies a matching first vulnerability finding for the second code segment as the real vulnerability, and a matching second vulnerability finding for the second code segment as the false positive.

Abstract: A system and method for cybersecurity reconnaissance, analysis, and scoring that uses distributed, cloud-based computing services to provide sufficient scalability for analysis of enterprise IT networks using only publicly available characterizations. The system and method comprise an in-memory associative array which manages a queue of vulnerability search tasks through a public-facing proxy network. The public-facing proxy network has search nodes configurable to present the network to search tools in a desired manner to control certain aspects of the search to obtain the desired results. A distributed data processing engine and cloud-based storage are used to provide scalable computing power and storage. Each of the cloud-based computing services is containerized and orchestrated for management and efficient scaling purposes.

Abstract: A method by a security analysis server to generate a traffic monitoring rule. The method includes receiving, from a database agent because of a current configuration of the database agent, counts of an amount of traffic sent over a first set of one or more of the database connections being monitored by the database agent and generating a traffic monitoring rule that indicates database connections for which the database agent is to send counts of an amount of traffic, rather than all the traffic, sent over those database connections to the security analysis server because those database connections have been determined by the security analysis server to be of an application database connection type based on an analysis by the security analysis server of the counts. The method further includes applying the traffic monitoring rule by sending instructions to the database agent to alter the current configuration.

Abstract: In one embodiment, a computing platform features a controller, one or more transit virtual private cloud networks (VPCs), and a plurality of spoke VPCs. Communicatively coupled to the transit virtual VPCs, the spoke VPCs include (i) a first spoke VPC associated with a first security region and (ii) a second spoke VPC associated with a second security region. Herein, the first security region is configured to permit spoke gateways of the first spoke VPC to communicate with each other while precluding communications with spoke gateways associated with another security region absent a connectivity policy being a set of rules established by the administrator/user of the network concerning permitted connectivity between different security regions.

Abstract: Disclosed are an apparatus and a method for Internet of Things (IoT) device security. The method includes unifying a port in a first IoT device for communication, receiving, by the first IoT device, a packet from a second IoT device through the port, identifying whether the packet in the first IoT device is in a preset packet form, verifying content of the packet in the first IoT device when the packet is in the preset packet form, and opening the port for providing a service in the first IoT device when the verifying of the packet content is successful.

Abstract: A universal tag linked to the content of a data file for protecting the authenticity of the data file and/or the owner/creator of a digital file. The universal tag is linked to the content in the data file via one or more input keys/seeds that are used to generate the universal tag and rely on data associated with the content. Once generated, the universal tag is registered on a distributed ledger of at least on distributed trust computing network, which acts as a source of truth to validate the universal tag and, as such, validate (i) an authenticity of the data file, and/or (ii) the user associated with the data file (e.g., rightful possessor and/or creator of the digital file).

Abstract: Embodiments of the present disclosure relate to managing admin-controlled access of external resources to group-based communication interfaces associated with an organization, via a group-based communication system including APIs for improved external resource permissioning, provisioning, and access handling. Embodiments include methods, computer program products, apparatuses, and systems configured to receive an external resource access request, determine an organization identifier, obtain an admin response indication, set an external resource permission status for the external resource based on the admin response indication, and cause rendering of the requested group-based communication interface based on the admin response indication. Embodiments further relate to provisioning and handling requests for services associated with an external resource by managing one or more single-interface access tokens linked to a multi-interface access token.

Abstract: Embodiments of the present disclosure provide hierarchical, differential privacy enhancements to federated, machine learning. Local machine learning models may be generated and/or trained by data owners participating in the federated learning framework based on their respective data sets. Noise corresponding to and satisfying a first privacy loss requirement are introduced to the data owners' respective data sets, and noise corresponding to and satisfying a first privacy loss requirement are introduced to the local models generated and/or trained by the data owners. The data owners transmit model data corresponding to their respective local models to a coordinator, which in turn aggregates the data owners' model data. After introducing noise corresponding to and satisfying a third privacy loss requirement to the aggregated model data, the coordinator transmits the aggregated model data to the data owners to facilitate updating and/or re-training on their respective machine learning models.

Abstract: A system, method and program product for implementing a compound security platform for providing secure access to private data in an encrypted storage area. A disclosed system includes an application configured to receive queries from application users requiring access to encrypted private data; a middle security layer callable from the application to facilitate predefined access to the encrypted private data; a root security layer configured to receive a decryption request from the middle security layer, perform decryption on specified encrypted private data, and return decrypted data to the middleware layer; a hashing system that generates a content hash of the middle security layer and root security layer to ensure integrity of the middle security layer and root security layer; and an auditing detection system that detects malicious auditing of parameters.

Abstract: A computer implemented and electronic process is provided that uses artificial intelligence to detect unauthorized activity by an insider or hacker. Electronic systems that employ artificial intelligence and machine learning to detect unauthorized transaction activity by insiders or hackers for a computer network system are also provided. Hardware required for carrying out the invention typically include a plurality of networked computers. Specialized software and/or firmware is typically needed in connection with the hardware for carrying out the invention.

Abstract: A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.