Abstract: Embodiments are disclosed for a method. The method includes determining multiple recommended actions based on a security incident using an action model trained to make recommendations. The method also includes determining multiple similar targets to a target of the security incident using a collaborative filtering model trained to assign a confidence value of similarity between two targets. The method further includes assigning a plurality of weights to the recommended actions based on one or more actions taken by the similar targets and the confidence value, and a success or failure of the recommended actions. Additionally, the method includes generating a prioritized list of the recommended actions that is sorted based on the assigned weights.

Abstract: The invention is directed to computer-based method and a computer system for generating a blockchain address. The method comprises receiving a request for a new blockchain address for a user, the request including a public key, which has an associated private key, and identification information for the user, and generating the address based on a combination of the public key and the identification information.

Abstract: A database management system receives a request to process a database query on behalf of a security principal. The database management system determines that processing the database query requires access to an encrypted portion of a file containing data subject to access conditions. The database management system determines that the security principle is authorized to use a key that corresponds to the encrypted portion of the file. The database management system then completes processing of the query by using the key to access the encrypted portion of the file.

Abstract: Data-driven applications depend on training data obtained from multiple internal and external data sources. Hence poisoning of the training data can cause adverse effects in the data driven applications. Conventional methods identifies contaminated test samples and avert them from entering into the training. A generic approach covering all data-driven applications and all types of data poisoning attacks in an efficient manner is challenging. Initially, data aggregation is performed after receiving a ML application for testing. A plurality of feature vectors are extracted from the aggregated data and a poisoned data set is generated. A plurality of personas are generated and are further prioritized to obtain a plurality of attack personas. Further, a plurality of security assessment vectors are computed for each of the plurality of attack personas. A plurality of preventive measures are recommended for each of the plurality of attack personas based on the corresponding security assessment vector.

Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output bot the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.

Abstract: Techniques for controlling data access using machine learning are provided. In one aspect, first, second, and third training data sets are generated from a set of historical access records and a set of historical data records, where the access records correspond to requests for data and comprise information identifying whether the request satisfies one or more data access rules, and the data records correspond to data elements and comprise information identifying whether the data element satisfies the one or more data access rules. One or more machine learning models are trained based on the first, second, and third training data sets to generate an output identifying whether requests for data should be granted.

Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component in a user account of a logged-in user. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The user account can be assigned default user privileges by a privilege access management service. The agent can determine whether to permit the intercepted request. The agent can permit the intercepted request if the relationship is validated and if a trusted owner is identified amongst the set of identified owners.

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a data store. By employing these techniques across all emails of an entity, insight may be gained into the aggregate nature of Internet services being used. A policy engine may act on an individual email to request further information or action, quarantine the email, or to pass the email to other security tools. An aggregate account analysis engine can update the data store to provide a broad picture of Internet service usage within the organization (e.g., by department).

Abstract: A system and method for adapting one or more cybersecurity microservices to accelerate cybersecurity threat mitigation includes constructing a subscriber-specific data corpus comprising a plurality of distinct pieces of computing environment-informative data of a target subscriber; adapting a subscriber-agnostic microservice of the cybersecurity service to a subscriber-specific microservice, wherein: the subscriber-agnostic microservice includes a plurality of subscriber-agnostic cybersecurity event handling instructions, and adapting the subscriber-agnostic microservice to the subscriber-specific microservice includes generating a plurality of context-informed cybersecurity event handling instructions; augmenting the subscriber-agnostic microservice to include the plurality of context-informed cybersecurity event handling instructions; computing for a target cybersecurity event a subscriber-specific threat severity level based on one or more of the plurality of context-informed cybersecurity event handling i

Abstract: The technology includes a method performed by a security system of a 5G network to thwart a cyberattack. The security system is instantiated to monitor and control network traffic at a perimeter of the 5G network in accordance with a security model based on a vulnerability parameter, a risk parameter, and a threat parameter. The security system can process the network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the network traffic in relation to the parameters. Based on the VRT score, the system redirects the network traffic to a containment area that mimics an intended destination or related process of the network traffic to induce malicious VRT traffic. When malicious VRT traffic is detected, the security system can, for example, prevent the network traffic from being communicated the 5G network.

Abstract: Aspects of the disclosure relate to dynamically generating activity prompts to build and refine machine learning authentication models. A computing platform may process a first set of login events associated with a first user account and may build a first user-specific authentication model for the first user account. Then, the computing platform may process a second set of login events associated with a second user account and may build a second user-specific authentication model for the second user account. The computing platform also may build a population-level authentication model for a plurality of user accounts. Thereafter, the computing platform may identify one or more activity parameters associated with at least one authentication model for refinement. Subsequently, the computing platform may generate and send one or more activity prompts to one or more client computing devices to request at least one user response.

Abstract: Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.

Abstract: The invention relates to a method and system for key distribution and encryption/decryption. An encryption key (Kenc) is derived in a terminal. The encryption key is applied by the terminal for encrypting at least a part of data included in an application message for an application server transmitted over a network. The terminal and the network both have access to a first key (K1). The terminal and the server both have access to a second key (K2). The encryption key is derived at the terminal using the first key and the second key. The first key or the derivative thereof is received at the server. The encryption key for decrypting the application message encrypted by the terminal is derived in the server using the shared second key and the received first key of the derivative thereof.

Abstract: Restricted access tokens are cognitively generated that provide cyber forensic specialists restricted access to applications that require investigation. Cognitive analysis is performed on case details and, in some instances, evidence logs of previously investigated applications to determine parties involved in the investigation and applications requiring investigation. In response to identifying one of the applications, the case details, applicable evidence logs and the identified application are cognitively analyzed to determine operations that are required to be performed in the application and a time required to perform the operations. A restricted access token is generated that is specific to the assigned specialist, the case, and the application.

Abstract: A method comprises generating a first set of hardware performance counter (HPC) events that is ranked based on an ability of an individual HPC event to profile a malware class, generating a second set of HPC event combinations that is ranked based on an ability of a set of at least two joint HPC events to profile a malware class, generating a third set of extended HPC event combinations, profiling one or more malware events and one or more benign applications to obtain a detection accuracy parameter for each malware event, applying a machine learning model to rank the third set of HPC event combinations based on malware detection accuracy, and applying a genetic algorithm to the third set of HPC event combinations to identify a subset of the third set of extended combinations of HPC events to be used for malware detection and classification.

Abstract: A system and method for digitally signing an object. An object signing agent sends a signing request for an object to a remote signing server, which, in response to receiving the request, generates a virtual machine executing code for signing the object. The object is signed within the virtual machine and returned to the object signing agent.

Abstract: Autonomous devices and systems, methods, and program products for authorizing and performing autonomous devices transactions are disclosed. An autonomous device can be configured to generate a first hash value of a chain of hash values by applying a hash algorithm to first data including first new data and a first previous hash value of the chain of hash values, the first previous hash value computed by applying the hash algorithm to first previous data. The device can transmit to a transaction computer system the first hash value and the first new data. The device can generate and transmit to the transaction computer system a first signed electronic transaction request comprising first transaction data comprising a sending account identifier associated with the autonomous device, a destination account identifier, a transaction amount, and a timestamp. The device can digitally sign the transaction request using a private key of an asymmetric key pair.

Abstract: Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information is used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; receiving, by the user device, a first portion of given data; determining, by the user device, a pattern associated with traits included in the first portion of the given data; determining, by the user device, whether the first portion of the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns; and selectively receiving, by the user device, a second portion of the given data based at least in part on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.