Patents Examined by Daniel B Potratz
  • Patent number: 11876801
    Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.
    Type: Grant
    Filed: November 10, 2022
    Date of Patent: January 16, 2024
    Inventors: Jonathan Robert Smith, Daniel Kelleher
  • Patent number: 11876809
    Abstract: In a method, a plurality of events is accessed, wherein an event of the plurality of events includes a portion of raw-machine data from a data source of a plurality of data sources. For at least one event of the plurality of events, a transaction phase of a computer security transaction is correlated with the at least one event based at least in part on a data source associated with the at least one event. The transaction phase of the at least one event is correlated with a particular asset of a plurality of assets.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: January 16, 2024
    Assignee: Splunk Inc.
    Inventor: Munawar Monzy Merza
  • Patent number: 11870805
    Abstract: A content management system comprising one or more processing devices, a network interface, and a memory system configured to store programmatic instructions configured to cause the one or more processing devices to perform the following operations is described. An electronic document may be generated and rendered, where the content management system may configure the electronic document as a mesh document, with both forward links and backlinks to other electronic resources. The forward links and/or backlinks may be to local electronic resources or remote electronic resources. The mesh document may be transmitted to a client device over an encrypted channel, and the client device may render the electronic document. In response to an activation of a forward or backlink, the corresponding resource may be accessed from a data store, transmitted via the encrypted channel to the client device, and the client device may render such resource.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: January 9, 2024
    Assignee: California Manufacturing Technology Consulting
    Inventor: Ernest W. Edmonds
  • Patent number: 11863549
    Abstract: This disclosure describes techniques for setting and/or adjusting a security policy associated with a device based on the physical locations of endpoint devices exchanging data with the device. An example method includes performing, at a first time, a first authentication of a first device connecting to a service; determining addresses of second devices exchanging data with the first device; determining physical locations of the second devices based on the addresses; and defining a reauthentication interval based on the physical locations of the second devices. At a second time that is after the first time by the reauthentication interval, the example method further includes disconnecting the first device from the service; and based on disconnecting the first device from the service, triggering a second authentication of the first device.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: January 2, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: David J Zacks, Carlos M. Pignataro, Thomas Szigeti
  • Patent number: 11863526
    Abstract: Techniques are disclosed relating to dynamically routing network traffic between defense layers. For example, in various embodiments, a server system may implement a traffic distribution module that is operable to distribute a particular type of network traffic across multiple different defense layers. The traffic distribution module may receive a first set of requests that have been identified as being indicative of that particular type of network traffic and then route this first set of requests across the different defense layers based on a set of distribution weightage values. In various embodiments, the disclosed techniques include determining an updated set of distribution weightage values based on an effectiveness of the defense layers in mitigating the particular type of network traffic. In such embodiments, the traffic distribution module may then use this updated set of distribution weightage values to route a second set of network traffic across the various defense layers.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: January 2, 2024
    Assignee: PayPal, Inc.
    Inventor: George Chen Kaidi
  • Patent number: 11855987
    Abstract: A method of utilizing a distributed ledger for a cloud service access control. The method may include receiving, by an identity and access management (IAM) service, an identifier of a client of a cryptographically protected distributed ledger; transmitting, to a proxy service, a subscription request for distributed ledger transactions initiated by the client; receiving, from the proxy service, a transaction notification comprising an identifier of the client, an identifier of an autonomous agent, and an identifier of a cloud service; receiving, from the cloud service, a validation request with respect to an action request submitted by the autonomous agent; validating, using the transaction notification, the action request; and notifying the cloud service of validity of the action request.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: December 26, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Jasmeet Chhabra
  • Patent number: 11855805
    Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: December 26, 2023
    Assignee: VMWARE, INC.
    Inventors: Israel Cidon, Chen Dar, Prashanth Venugopal, Eyal Zohar, Alex Markuze
  • Patent number: 11855967
    Abstract: A first correspondence table in a terminal device stores a first correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process. A second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier of a first data stream from a network security device, finds, in the first correspondence table, a first record where the identifier of the first data stream is stored to obtain an identifier of a process in the first record, finds, in the second correspondence table, a second record where the identifier of the process in the first record is stored to obtain an identifier of an application from the second record, and sends the identifier of the application to the network security device.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: December 26, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Youyong Li, Ying Xiong
  • Patent number: 11856019
    Abstract: An illustrative injection detection system receives a text statement that includes a set of text elements and implements instructions for performing an operation with respect to a data structure. The system identifies a target risk element count equal to a number of risk elements preapproved to occur within the set of text elements of the text statement. The system also determines a detected risk element count equal to a number of risk elements that occur within the set of text elements of the text statement. If the system detects a violation of a predetermined rule defining an acceptable relationship between the target and detected risk element counts for the text statement, the system triggers an exception condition indicating a risk that the text statement corresponds to an injection attack on the data structure. Corresponding methods and systems are also disclosed.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: December 26, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Alexander Alberstein
  • Patent number: 11853853
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Patent number: 11856104
    Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.
    Type: Grant
    Filed: November 9, 2021
    Date of Patent: December 26, 2023
    Assignee: Visa International Service Association
    Inventors: Eric Le Saint, Soumendra Bhattacharya
  • Patent number: 11848926
    Abstract: A method for determining an access right of a user terminal to a first network, wherein the user terminal (110) includes a subscription of a second network (150). The method includes: receiving (310) an access request message (240) including a data record for a user name and a data record for a password; determining (320) that the records are in a pre-determined format and that at least one of them includes data from which a subscriber identity for the second network is derivable; generating (330) an authentication request message from the access server (140) to a server (160) configured to perform authentication related tasks in the second network; receiving (340) information on the outcome of the authentication of the subscriber in the second network, generating (350) an acknowledgement to the user terminal (110) indicating right to access to the first network.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: December 19, 2023
    Assignee: TELIA COMPANY AB
    Inventors: Ilkka Keisala, Joni Rapanen, Jari Kotomaki, Tommi Saranpaa, Niko Suominen, Timo Tunturi, Patrik Maltusch
  • Patent number: 11848940
    Abstract: This disclosure is directed to detecting cybersecurity attacks in data processing systems. Methods, systems, and computer program products perform operations including determining baseline event clusters using baseline event data obtained from deterministic target systems. The operations also include determining a baseline cumulative trajectory of an event over time based on the baseline event clusters. The operations further include determining operational event clusters using operational event data from the deterministic target systems. Additionally, the operations include determining an operational cumulative trajectory of the event over time based on the operational event clusters. Further, the operations include detecting a cyber-attack by comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: December 19, 2023
    Assignee: THE BOEING COMPANY
    Inventors: Jadranka Mead, James E. Vasatka
  • Patent number: 11848959
    Abstract: The disclosure provides a method for detecting and defending a Distributed Denial of Service attack in an SDN environment. The method includes: building data messages acquired as feature messages by a proxy module; sending the feature messages to a pre-built detection model to obtain a detection result; making a decision instruction based on the detection result; and performing control operations by the proxy module based on the decision instruction.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: December 19, 2023
    Assignee: Nanjing University Of Posts And Telecommunications
    Inventors: Dengyin Zhang, Kang Liu, Jie Dong, Yuanpeng Zhao, Rong Zhao
  • Patent number: 11841949
    Abstract: An exemplary system and method are disclosed for detecting malware via an antimalware application employing adversarial machine learning such as generative adversarial machine learning and the training and/or configuring of such systems. The exemplary system and method are configured with two or more generative adversarial networks (GANs), including (i) a first generative adversarial network (GAN) that can be configured using a library of malware code or non-malware code and (ii) a second generative adversarial network (GAN) that operates in conjunction with the first generative adversarial network (GAN) in which the second generative adversarial network is configured using a library of non-malware code.
    Type: Grant
    Filed: April 21, 2022
    Date of Patent: December 12, 2023
    Assignee: UAB 360 IT
    Inventors: Aleksandr Ševčenko, Mantas Briliauskas
  • Patent number: 11838313
    Abstract: Implementations include receiving flow data representative of communication traffic of the network, determining that at least one blacklisted Internet protocol (IP) address is present in the flow data, and in response: providing a set of high-dimensional flow representations of network traffic by processing historical flow data through a deep learning (DL) model, providing a set of low-dimensional flow representations of the network traffic based on the set of high-dimensional flow representations, and labeling at least a portion of the set of low-dimensional flow representations to provide a sub-set of labeled low-dimensional flow representations and a sub-set of unlabeled low-dimensional flow representations, and identifying a host associated with an unlabeled low-dimensional flow representation as a potentially malicious host, and in response, automatically executing a remedial action with respect to the potentially malicious host.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: December 5, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Vicknesh Manoselvam, Boon Siew Seah, Kamal Mannar
  • Patent number: 11829481
    Abstract: A method and devices for verifying the integrity of an electronic device having connected thereto at least one connectable or disconnectable component. The method can include obtaining (D52) information specific to at least one connectable or disconnectable component, the information being stored in the connectable or disconnectable component; preparing (E54) a temporary first master value on the basis of the information specific to the at least one connectable or disconnectable component; and authenticating (E54) the temporary first master value by using a previously-prepared second master value in order to determine the integrity of the electronic device.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: November 28, 2023
    Assignee: IDEMIA FRANCE
    Inventors: Axel Francois, Michele Sartori
  • Patent number: 11831650
    Abstract: A first computing device that provides a first service is configured to securely provide personalized services to a user of a second computing device. The first computing device obtains an authentication token and confirms the proximity of the user associated with the second computing device. The first computing device confirms the proximity of the user by detecting a connection of a physical cable between the first computing device and the second computing device. The first computing device provides the authentication token to the second computing device via the physical cable. The first computing device also authenticates the user of the second computing device and determines a second service available to the user of the second computing device. The first computing device combines the first service with the second service to provide a personalized service to the user at the first computing device.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: November 28, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jochen C. Schirdewahn, Colin I. Quirke, John J. Costello
  • Patent number: 11831786
    Abstract: A system for establishing and maintaining a chain of trust can include a root of trust (RoT) executing a root trusted server that pushes authenticated code and data into memory of a given node in a plurality of nodes. The RoT can also record a memory address range of a static portion of the authenticated code and a corresponding static data in the given node and cause the given node to execute the authenticated code in response to the pushing to establish a trusted relationship between the trusted server of the RoT and the given node. The root trusted server also monitors the given node to ensure that the given node executes trusted operations. The authenticated code in the memory of the given node can include a trusted server that pushes authenticated code into memory of another node in the plurality of nodes.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: November 28, 2023
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Steven D. Ratts, Brian J. Noe, Francis B. Afinidad
  • Patent number: 11824895
    Abstract: Embodiments of the present invention provide for a method, system, and apparatus for processing content during scan and/or remediation processing. The method includes receiving a scan request or a remediation request. Content from a datastore referencing one or more controls as well as one or more of a compliance value, remediation value, and an ignore switch corresponding to each control is then loaded. If a scan request is received, the computing environment is scanned to determine all controls in the computing environment and the current setting of each. Thereafter, a subset of controls is determined, where the current setting of each control in the subset is out of compliance, the out of compliance state for each control is not to be ignored, and a remediation value for the corresponding control is listed in the loaded content. Thereafter, information regarding each control is determined, captured, and then stored.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: November 21, 2023
    Assignee: Steelcloud, LLC.
    Inventor: Brian H. Hajost