Patents Examined by Daniel B Potratz
  • Patent number: 11949663
    Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: April 2, 2024
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Vijay Bulusu, Roy Rajan, Ajit Singh, Abhinav Bansal, Vikas Mahajan
  • Patent number: 11943368
    Abstract: Techniques are described herein that are capable of provisioning a trusted execution environment (TEE) based on (e.g., based at least in part on) a chain of trust that includes a platform on which the TEE executes. Any suitable number of TEEs may be provisioned. For instance, a chain of trust may be established from each TEE to the platform on which an operating system that launched the TEE runs. Any two or more TEEs may be launched by operating system(s) running on the same platform or by different operating systems running on respective platforms. Once the chain of trust is established for a TEE, the TEE can be provisioned with information, including but not limited to policies, secret keys, secret data, and/or secret code. Accordingly, the TEE can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information.
    Type: Grant
    Filed: November 3, 2017
    Date of Patent: March 26, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Fishel Novak, Benjamin Seth Moore
  • Patent number: 11943200
    Abstract: A virtual private network (VPN) security system obtains data regarding a VPN session including (i) for each of a plurality of first subnets, a number of allowed connection attempts by a computer system to that first subnet, (ii) for each of a plurality of second subnets, a number of blocked connection attempts by the computer system to that second subnet, (iii) for each of a plurality of first network ports, a number of allowed connection attempts by the computer system using that first network port, and (iv) for each of a plurality of second network ports, a number of blocked connection attempts by the computer system using that second network port. The security system determines, using a neural network, a metric representing an estimated likelihood that the VPN session is associated with a malicious activity, and controls the VPN session based on the metric.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: March 26, 2024
    Assignee: Saudi Arabian Oil Company
    Inventor: Faisal Talal Wahbo
  • Patent number: 11943342
    Abstract: A method implements private categorization using shared keys. The method includes selecting an encryption key, encrypting a transaction vector, generated from a transaction record, with the encryption key to generate an encrypted transaction vector, and receiving an encrypted category vector generated by a classifier model, corresponding to the encryption key, from the encrypted transaction vector. The method further includes decrypting a category from the encrypted category vector with a decryption key corresponding to the encryption key and presenting the category.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: March 26, 2024
    Assignee: Intuit Inc.
    Inventors: Yair Horesh, Yehezkel Shraga Resheff
  • Patent number: 11943248
    Abstract: Methods, systems, and computer readable media for network security testing using at least one emulated server are disclosed. According to one example method, the method comprises: receiving, from a client device and at an emulated domain name service (DNS) server, a DNS request requesting an Internet protocol (IP) address associated with a domain name; sending, to the client device and from the emulated DNS server, a DNS response including an IP address associated with an emulated server; receiving, from the client device and at the emulated server, a service request using the IP address; sending, to the client device and from the emulated server, a service response including at least one attack vector data portion; and determining, by a test controller and using data obtained by at least one test related entity, a performance metric associated with a system under test (SUT).
    Type: Grant
    Filed: April 6, 2018
    Date of Patent: March 26, 2024
    Assignee: KEYSIGHT TECHNOLOGIES, INC.
    Inventor: Stephen Lee McGregory
  • Patent number: 11936604
    Abstract: An initial risk of an electronic message is determined. Based on the initial risk, it is determined whether to modify the electronic message. In an event it is determined to modify the electronic message: the electronic message is modified; the modified electronic message is allowed to be delivered to an intended recipient of the electronic message; a secondary computer security risk assessment of the electronic message is automatically performed; and based on the secondary computer security risk assessment, the modified message is updated.
    Type: Grant
    Filed: October 17, 2017
    Date of Patent: March 19, 2024
    Assignee: AGARI DATA, INC.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 11936683
    Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
    Type: Grant
    Filed: July 26, 2022
    Date of Patent: March 19, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
  • Patent number: 11930037
    Abstract: A valid route origin authorization (ROA) for a specified IP address is published and a distributed denial-of-service (DDoS) attack to a given IP address is detected. A flowspec rule is advertised from a given autonomous system network to one or more neighboring autonomous system networks in response to the detection of the distributed denial-of-service (DDoS) attack. A modified Resource Public Key Infrastructure (RPKI) validation is performed using the published valid route origin authorization (ROA) in response to the advertisement of the flowspec rule. The flowspec rule is implemented to mitigate the distributed denial-of-service (DDoS) attack in response to the validation of the flowspec rule.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: March 12, 2024
    Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
    Inventor: Richard A. Compton
  • Patent number: 11924360
    Abstract: An example operation may include one or more of receiving a blockchain request comprising a timestamp added by one or more endorsing nodes included within a blockchain network, identifying that the timestamp added by an endorsing node from among the one or more endorsing nodes is a modification to a previously added timestamp provided by the computing node, determining a reputation value for the endorsing node based on a difference between the timestamp added by the endorsing node and the previously added timestamp provided by the computing node, and transmitting the determined reputation value of the endorsing node to an ordering node within the blockchain network.
    Type: Grant
    Filed: October 8, 2018
    Date of Patent: March 5, 2024
    Assignee: Green Market Square Limited
    Inventors: Sachiko Yoshihama, Tatsushi Inagaki, Yohei Ueda, Kohichi Kamijoh, Hiroaki Nakamura
  • Patent number: 11921890
    Abstract: An approach is provided for data-preserving trajectory anonymization. The approach involves, for example, processing a plurality of location trajectories to determine one or more exchange twists. The plurality of location trajectories are respectively a sequence of location points determined by a location sensor of a device, and the one or more exchange twists are one or more locations at which at least two trajectories of the plurality of location trajectories match based on a matching criterion. The approach also involves initiating a swapping of one or more trajectory identifiers among the plurality of location trajectories based on the one or more exchange twists to generate anonymized trajectory data. The approach further involves providing the anonymized trajectory data as an output to a location-based service.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: March 5, 2024
    Assignee: HERE GLOBAL B.V.
    Inventors: Stefano Bennati, Aleksandra Kovacevic, Kai Pöthkow, Elena Mumford, Elena Vidyakina
  • Patent number: 11909754
    Abstract: A security assessment system is configured to provide a duplicated environment which duplicates an assessment target system comprising a plurality of physical components. The security assessment system includes a duplicated environment design circuitry and a duplicated environment construction circuitry. The duplicated environment design circuitry is configured to select a duplication level based on constraints specified by a user in order to design the duplicated environment to produce a designed result indicative of a duplicated environment design. The duplication level is indicative of any one of a simulation sub-module, an emulation sub-module, and a physical sub-module which are for reproducing the physical components of the assessment target system. The duplicated environment construction circuitry is configured to construct the duplicated environment based on the designed result. The duplicated environment includes components which are duplicated by one of the duplication level.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: February 20, 2024
    Assignees: NEC CORPORATION, B.G. Negev Technologies and Applications Ltd., at Ben-Gurion University
    Inventors: Masaki Inokuchi, Yoshinobu Ohta, Ron Bitton, Orly Stan, Asaf Shabtai, Yuval Elovici
  • Patent number: 11899797
    Abstract: Systems and methods of detecting an exploit of a vulnerability of a computing device, including receiving an execution flow of at least one process running in a processor of the computing device, wherein the execution flow is received from a performance monitoring unit (PMU) of the processor, receiving memory pages from a memory of the computing device, reconstructing the execution flow of the process on another processor based on PMU data and the memory pages, running at least one exploit detection algorithm on the reconstructed process in order to identify an exploit attempt and issuing an alert.
    Type: Grant
    Filed: November 5, 2017
    Date of Patent: February 13, 2024
    Assignee: PERCEPTION POINT LTD
    Inventors: Shlomi Levin, Michael Aminov
  • Patent number: 11900479
    Abstract: Systems, devices, and methods are described herein for calculating a trust score. The trust score may be calculated between entities including, but not limited to, human users, groups of users, organizations, or businesses/corporations. A system trust score may be calculated for an entity by combining a variety of factors, including verification data, a network connectivity score, publicly available information, and/or ratings data. A peer trust score targeted from a first entity to a second entity may also be calculated based on the above factors. In some embodiments, the peer trust score may be derived from the system trust score for the target entity and may take into account additional factors, including social network connections, group/demographic info, and location data. Finally, a contextual trust score may be calculated between the first and second entities based on a type of transaction or activity to be performed between the two entities.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: February 13, 2024
    Inventors: Evan V Chrapko, Leo M. Chan, Shane Chrapko, Stephen Marsh, Ashif Mawji
  • Patent number: 11902429
    Abstract: A computer-implemented method for providing a distributed data processing service for performing a secure multiparty computation of a function on at least first and second items of private input data using at least a first and a second computing engine communicatively coupled via a communication network.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: February 13, 2024
    Assignee: ROBERT BOSCH GMBH
    Inventors: Hanna Modica, Sebastian Becker, Sven Trieflinger, Vadim Raskin, Volker Suschke
  • Patent number: 11899763
    Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to the different user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: February 13, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sayed Hassan Abdelaziz, Maria Puertas Calvo, Laurentiu Bogdan Cristofor, Rajat Luthra
  • Patent number: 11895128
    Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: February 6, 2024
    Assignee: Bank of America Corporation
    Inventors: Peggy J. Qualls, Ghada I. Khashab, Lori Mammoser, Ajay Jose Paul, Anthony R. Bandos, Sidy Diop
  • Patent number: 11888867
    Abstract: A method of monitoring a network is provided. The method includes receiving a packet of network traffic, determining a source IP address of the packet, consulting a database of source IP addresses, each source IP address having an associated probability of threat indicator (PTI) that indicates a probability of threat posed by the source IP address. The packet's source IP address' PTI is assigned to the packet as the packet's PTI, and one or more inspection checks are selected to be performed on the packet, wherein the selection of the inspection checks is a function of the packet's source IP address PTI. The method further includes performing the selected inspection checks, assigning treatment of the packet based on a result of the inspection checks performed, and adjusting the packet's source IP address' PTI or the packet's PTI based on the result of the one or more inspection checks performed.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: January 30, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventor: Brian St. Pierre
  • Patent number: 11877152
    Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. A user utilizes a desktop computer, a laptop computer, a smartphone, a tablet, or other electronic device, to interact with a banking website or application, a retailer website or application, or other computerized service. Input-unit interactions are monitored, logged, and analyzed. Based on several types of analysis of the input-unit interactions, a score is generated to reflect fraud-relatedness or attack-relatedness of the input-unit interactions. Based on the score, the system estimates or determines whether the user is an attacker, and initiates attack-mitigation operations or fraud-mitigation operations.
    Type: Grant
    Filed: July 26, 2022
    Date of Patent: January 16, 2024
    Assignee: BIOCATCH LTD.
    Inventors: Avi Turgeman, Oren Kedem, Uri Rivner
  • Patent number: 11876808
    Abstract: A method, system, and computer-implemented method to manage threats to a protected network having a plurality of internal production systems is provided. The method includes monitoring network traffic from the plurality of internal production systems of a protected network for domain names. For each internal production system, a first collection of each unique domain name that is output by the internal production system is determined over the course of a long time interval. For each internal production system, a second collection of each unique domain name that is output by the internal production system is determined over the course of a short time interval. Domain names in the first and second collections associated with the plurality of internal production systems are compared to determine suspicious domain names that meet a predetermined condition. A request is output to treat the suspicious domain names as being suspicious.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: January 16, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventor: Bhargav Pendse
  • Patent number: 11876831
    Abstract: A DDoS handling device configured to handle communication directed to a target of a DDoS attack flowing in from an adjacent autonomous system in an autonomous system provided with a plurality of mitigating locations includes: a load distribution determination unit configured to determine whether or not to execute load distribution processing on the basis of an amount of available resources at mitigating locations corresponding to a gateway device into which the communication directed to the target flows and an amount of the communication directed to the target in a case in which at least one attack has been detected; a load distribution processing unit configured to decide mitigating locations to be used to handle the communication directed to the target from among the plurality of mitigating locations to solve shortage of resources at the mitigating locations for each attack, in a case in which the load distribution determination unit determines to execute the load distribution processing; and an attack hand
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: January 16, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Hiroaki Maeda, Hisashi Kojima, Yoshiko Sueda