Patents Examined by Joseph P. Hirl
  • Patent number: 11785034
    Abstract: Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information is used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: October 10, 2023
    Assignee: Rapid7, Inc.
    Inventor: Fatemeh Kazemeyni
  • Patent number: 11785028
    Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; receiving, by the user device, a first portion of given data; determining, by the user device, a pattern associated with traits included in the first portion of the given data; determining, by the user device, whether the first portion of the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns; and selectively receiving, by the user device, a second portion of the given data based at least in part on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: July 31, 2022
    Date of Patent: October 10, 2023
    Assignee: UAB 360 IT
    Inventors: Aleksandr Sevcenko, Mantas Briliauskas
  • Patent number: 11775326
    Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
    Type: Grant
    Filed: November 14, 2022
    Date of Patent: October 3, 2023
    Assignee: Orca Security Ltd.
    Inventor: Avi Shua
  • Patent number: 11770391
    Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: September 26, 2023
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11770260
    Abstract: A system, method, and computer readable medium for determining authenticity of digital content. The system includes obtaining a video including a plurality of intermediate video frames with respective digital signatures, each video frame of the plurality of intermediate video frames associated with a respective digital signature. The digital signature is generated based at least in part on the image content of the video frame and a hash value of a previous video frame in the same video. Based on using a cryptographic key associated with a recording device used to capture the video, the system can determine authenticity of the content and the ordering of the frames within a video.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: September 26, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Roman Pamucci
  • Patent number: 11770393
    Abstract: Various methods, apparatuses/systems, and media for detecting a target behavior are disclosed. A processor implements a machine learning cadence model that implements an algorithm to obtain, on a per session basis, cadence data that indicates average time between each call and a standard deviation of times across each call across all active sessions of a desired target. The processor compares the cadence data to predefined background cadence data to identify whether the desired target is a new threat target or a background traffic; generates an internet protocol (IP) address of the new threat target; inputs the IP address of the new threat target into a machine learning behavior model that implements an algorithm to generate a fingerprint of all known places that the new threat target is operating; and applies a mitigation algorithm to all active sessions of the new threat target.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: September 26, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Devin C Moore
  • Patent number: 11765146
    Abstract: Techniques and mechanisms to reduce double encryption of packets that are transmitted using encrypted tunnels. The techniques described herein include determining that portions of the packets are already encrypted, identifying portions of the packets that are unencrypted, and selectively encrypting the portions of the packets that are unencrypted prior to transmission through the encrypted tunnel. In this way, potentially private or sensitive data in the packets that is unencrypted, such as information in the packet headers, will be encrypted using the encryption protocol of the encrypted tunnel, but the data of the packets that is already encrypted, such as the payload, may avoid unnecessary double encryption. By reducing (or eliminating) the amount of data in data packets that is double encrypted, the amount of time taken by computing devices, and computing resources consumed, to encrypt traffic for encrypted tunnels may be reduced.
    Type: Grant
    Filed: August 25, 2020
    Date of Patent: September 19, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Kyle Andrew Donald Mestery, Ian James Wells, Grzegorz Boguslaw Duraj
  • Patent number: 11763039
    Abstract: Methods, apparatus, and processor-readable storage media for automatically determining storage system data breaches using machine learning techniques are provided herein. An example computer-implemented method includes configuring a storage system by designating at least one storage object within the storage system for storing data identified as to be protected from breach; generating at least one multivariate data breach probability function using historical performance data of the designated storage object(s) and/or historical capacity data of the designated storage object(s); calculating at least one data breach score using the at least one multivariate data breach probability function, one or more machine learning techniques, and additional performance data of the designated storage object(s) and/or additional capacity data of the designated storage object(s); and performing one or more automated actions based at least in part on the at least one data breach score.
    Type: Grant
    Filed: December 28, 2020
    Date of Patent: September 19, 2023
    Assignee: Dell Products L.P.
    Inventors: Deepak Nagarajegowda, Bina K. Thakkar
  • Patent number: 11764940
    Abstract: A system and method for secure searching in a semi-trusted environment by comparing first and second data (query and target data). A first data provider may map first secret data to a first plurality of tokens using a token codebook, concatenate the first plurality of tokens to generate a first token signature, and homomorphically encrypt the first token signature. A second data provider may map second data to a second plurality of tokens using the token codebook, concatenate the second plurality of tokens to generate a second token signature, and compare the homomorphically encrypted first token signature and an unencrypted or homomorphically encrypted second token signature to generate a homomorphically encrypted comparison. A trusted party may decrypt the homomorphically encrypted comparison, using a secret homomorphic decryption key, to determine if the token signatures match or not respectively indicating the search query is found or not in the target data.
    Type: Grant
    Filed: January 10, 2020
    Date of Patent: September 19, 2023
    Assignee: Duality Technologies, Inc.
    Inventors: Arina Shainski, Marcelo Blatt
  • Patent number: 11765200
    Abstract: Methods, a user data node (120), a policy node (150), an application node (170) and an operator network (101) for enabling management of an attack towards an application (190) hosted by the application node (170) are disclosed. The policy node (150) receives (3) attack information and an identifier of the application (190) to which the attack information applies. The attack information relates to the management of the attack and the attack information comprises a type of attack, a set of detection conditions relating to detection of attacks of the type of attack, and a mitigation action to be invoked when at least one detection condition of the set of detection conditions is fulfilled. In this manner, degeneration of the application (190) caused by the attacks of the type of attack is mitigatable. The policy node (150) generates (13) at least one rule based on the attack information.
    Type: Grant
    Filed: August 15, 2018
    Date of Patent: September 19, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Javier Campo Trapero, Miguel Angel Muñoz De La Torre Alonso, Franco Foresti, Rodrigo Alvarez Dominguez
  • Patent number: 11764975
    Abstract: A method for validating a digital user certificate of a user by a checking device is provided. The user certificate is protected by a digital signature with an issuer key of an issuance location which issues the user certificate. The method has the steps of: receiving the user certificate in the checking device, checking the user certificate using a certificate path positive list with at least one valid certificate path which is provided to the checking device by at least one positive path server, and confirming the validity of the user certificate if the issuer key of the user certificate can be traced back to a root certificate according to one of the valid certificate paths of the certificate path positive list. Also provided is a system, a checking device, a user device, a positive path server, and a computer program product which are designed to carry out the method for validating a digital user certificate.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: September 19, 2023
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11757844
    Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11757652
    Abstract: A decentralized system for securely registering, updating, and/or resolving domain names in a distributed ledger is disclosed. The distributed ledger may comprise a smart contract that includes a look-up table that maps network names to network addresses and/or one or more keys. The smart contract may verify whether any updates and/or changes made to an entry in the look-up table are cryptographically authorized. Additionally, the smart contract may enforce any additional policies implemented by a domain administrator for authenticating changes and/or updates to a domain name entry. The unique combination of storing domain information in a decentralized ledger and validating changes and/or updates to the domain information provides a decentralized root of trust that allows for secure queries of network names (e.g., domain name) for secure cross-entity communications.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: September 12, 2023
    Assignee: WICKR INC.
    Inventors: Joël Alwen, Thomas Michael Leavy, Christopher A. Howell
  • Patent number: 11757908
    Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: September 12, 2023
    Assignee: Netskope, Inc.
    Inventor: Ravindra K. Balupari
  • Patent number: 11757879
    Abstract: A computing device detects that another computing device has connected to a network. The computing device determines whether the other computing device is valid and whether the computing device is being utilized for one or more suspicious activities. Based on determining that the other computing device is being utilized for one or more suspicious activities, the computing device determines a location of the other computing device, determines whether a user associated with the other computing device can be identified, and based on determining that the user associated with the other computing device cannot be identified, disables the other computing device, and transmits an alert to security personnel.
    Type: Grant
    Filed: January 24, 2022
    Date of Patent: September 12, 2023
    Assignee: Kyndryl, Inc.
    Inventors: Baiju D. Mandalia, Tung OuYang
  • Patent number: 11757903
    Abstract: A method, system, and medium used in unauthorized communication detection in an onboard network system having electronic control units connected to a network include: identifying, from information relating to an attack message on the onboard network system, a communication pattern indicating features of the attack message; determining whether a candidate reference message matches the communication pattern; and determining a reference message used as a reference in determining whether or not a message sent out onto the network is an attack message, using results of the determining of whether or not the candidate reference message matches the communication pattern identified in the identifying operation.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: September 12, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Manabu Maeda, Takeshi Kishikawa, Daisuke Kunimune
  • Patent number: 11757936
    Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11750611
    Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: September 5, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Vincent E. Parla, Valentiu Vlad Santau, Peter Scott Davis
  • Patent number: 11750364
    Abstract: Computer-implemented methods and systems (DMS) for facilitating data similarity queries across a network (CN) of data memories (DM1, DM2). The disclosed methods and system are configured for matching data items held in the data memories (DM1, DM2) in a probabilistic manner with cryptographic protection of the data items. The data matching methods and systems (DMS) are robust against inconsistencies within the data to be matched (such as typographical errors, minor mismatches, etc.), within a certain predetermined similarity threshold (q), usually described as a percentage. The disclosed methods and systems (DMS) allow fast, low latency turnaround by aggregating the data items to be matched into data structures (M1, M2) that facilitate group-wise matching as opposed to pair-wise matching.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: September 5, 2023
    Assignee: BRAINLAB AG
    Inventor: Shiva Ashish Thumparthy
  • Patent number: 11740926
    Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
    Type: Grant
    Filed: November 14, 2022
    Date of Patent: August 29, 2023
    Assignee: Orca Security Ltd.
    Inventor: Avi Shua