Abstract: A system and method for digital wallet integration and scanning. A module is implemented with a digital wallet such that the module is adapted to intercept and scan calls to the digital wallet. The module may have limited communication capabilities that prevent leaking of data from the wallet with which the module is integrated while allowing for testing websites with which the module communicates. For example, the module may be configured to transmit only transactions and simulated RPC responses, and not to transmit any other data of the wallet or of a device associated with a user of the wallet. In some implementations, the module may be realized as a binary large object (blob) which is unilaterally pushed to a system on which the module will be deployed.

Abstract: Certain aspects of the present disclosure provide techniques for adjusting access control policies of access controlled systems, such as techniques for identifying a vulnerability or for identifying parameters and values achieving a specified result from a system whose access is controlled by the policy. Requests to the system can be made using a testing system that executes test scripts using avatars having various parameter types and values. The avatar information and results of the test scripts are provided as training data to a machine learning model training system to generate a model that provides recommendations for parameter types and values likely to achieve a particular result. The recommendations are used to execute the test script to determine results including a rate of success for the recommended parameters and/or values. Various actions, such as adjusting or adding a rule to an access control policy, can be performed based on the results.

Abstract: Systems and methods disclosed can evaluate security detection rules in a network security computing environment. Results for a processed log of security events can be retrieved. The results can identify determined outcomes for instances triggering security detection rules. The security detection rules can detect specific behavior on a network by being processed against a log of security events. Scores for the security detection rules can be determined based on the results of the processed log of security events and the determined outcomes. The security detection rules can be ranked based on the scores, from highest to lowest score. The highest score can indicate that a corresponding rule is performing worst among the security detection rules and the lowest score can indicate that a corresponding rule is performing best among the security detection rules. A rules score report can be generated based on the ranked rules.

Abstract: Method and systems for detecting and mitigating a malicious bot. Threat information is obtained, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic. A control list (CL) corresponding to the threat information is generated, the CL describing rules for identifying network flows to be logged in a network log. The network log identifying the network flows is obtained and a suspect network flow identified by both the threat information and the network log is identified. An address corresponding to the suspect network flow is identified and the address is correlated with a user identifier. A notification is issued to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.

Abstract: Robustness of a machine learning model can be characterized by receiving a file with a known, first classification by the machine learning model. Thereafter, a selection is made as to which of a plurality of perturbation algorithms to use to modify the file. The perturbation algorithm is selected as to provide a shortest sequence of actions to cause the machine learning model to provide a desired classification. Subsequently, the received file is iteratively modified using the selected perturbation algorithm and inputting the corresponding modified file into the machine learning model until the machine learning model outputs a known, second classification. Related apparatus, systems, techniques and articles are also described.

Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.

Abstract: Provided is an infection-spreading attack detection system and method, as well as a program enabling an occurrence of an infection-spreading attack to be detected with high accuracy. A first feature amount is calculated based on traffic information on a packet transferred by a transfer device, and M partial address space(s) are identified to be a monitoring target based on the first feature amount. A second feature amount is calculated for each of the M partial address space(s) based on the traffic information related to the M partial address space(s). Abnormality detection determination is performed on each of the M partial address space(s) based on the second feature amount. Whether the infection-spreading attack has occurred is determined by evaluating M determination results.

Abstract: The present disclosure relates to computer-implemented methods, software, and systems for identifying potential attacks through monitoring of user credential login attempts across a network of websites. One example method includes monitoring login attempts associated with a plurality of websites and identifying a first login attempt at a first website associated with a set of user credentials. In response to determining that the set of user credentials do not correspond to a valid set of credentials, a count value associated with an entry in a failed credential log associated with the user credentials is incremented. If the count threshold associated with a compromised user credential rule is exceeded by the current count value, then the first set of credentials is identified as a set of compromised credentials and at least one protective action is initiated.

Abstract: A system for detecting phishing websites accesses a website that comprises a plurality of images. The system extracts the plurality of images from the website. The system generates a hash value for each image from the plurality of images. Each hash value uniquely identifies its corresponding image. The system generates a first overall hash value for the website by hashing the generated hash values. The first overall hash value represents a signature of the website. the system compares the first overall hash value with a second overall hash value that is associated with a phishing website. The system determines whether the first overall hash value corresponds to the second overall hash value. If it is determined that the first overall hash value corresponds to the second overall hash value, the system determines that the website is associated with the phishing website.

Abstract: A system and a method are disclosed for detecting a malicious website. In an embodiment, a mobile device detects a URL referencing an unknown website. Responsive to detecting the URL, the mobile device retrieves a representative image of the unknown website. The mobile device determines whether the representative image matches an image of a known legitimate website. Responsive to determining that the representative image matches the image of the known legitimate website, the mobile device determines if the unknown website is malicious. The mobile device performs a security action responsive to determining that the website is malicious.

Abstract: A computerized method for analyzing an object is disclosed. The computerized method includes obtaining, by a cybersecurity system, an object and context information generated during a first malware analysis of the object conducted prior to obtaining the object. Thereafter, the cybersecurity system performs a second malware analysis of the object to determine a verdict indicating maliciousness of the object. The scrutiny of the second malware analysis is adjusted based, at least in part, the context information, which may include (i) activating additional or different monitors, (ii) adjusting thresholds for determining maliciousness, or (iii) applying a modified rule set during the second malware analysis based on the context information.

Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; determining, by the user device, a pattern associated with traits included in given data; and determining, by the user device, whether the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns. Various other aspects are contemplated.

Abstract: A method including determining, by an infrastructure device, harmful patterns indicating characteristics of harmful traits included in affected data known to include harmful content, and clean patterns indicating characteristics of clean traits included in clean data known to be free of the harmful content; training, by the infrastructure device, a machine learning model to indicate presence of the harmful content based at least in part on utilizing the harmful patterns and the clean patterns; transmitting, by the infrastructure device to a user device, the harmful patterns, the clean patterns, and the machine learning model; and determining, by the user device, whether given data includes the harmful content based at least in part on utilizing the harmful patterns, the clean patterns, and the machine learning model. Various other aspects are contemplated.

Abstract: A website vulnerability test is performed by automatically checking that a website has not been compromised by malicious third party scripts. A system can test a dynamic behavior of a website that indicates a functional user flow through the website. A set of rules are applied against a log of dynamic behavior of the website, as well as static code of the website, to identify potential compromise by malicious scripts. Some rules can be configured for detecting modification of a third party script, or modified behavior of a third party script, in an attempt to detect security monitoring activity against the script and hide its presence from the security monitoring activity.

Abstract: In the context of a co-browse session, one of the participants elects to include a screenshare task in which a screenshare of a browser window displaying a website will be provided to other participants of the co-browse session. When the screenshare task is started, a location of an address bar of the web browser is identified, optional pre-processing is applied to the image of the address bar, and a character recognition process, is used to determine the characters of the URL in the browser's address bar. The URL is compared with a list of allowed website URLs, and the screenshare session is selectively allowed only if the URL is contained in the list of allowed URLs. Once the URL has been approved, a slice of pixels the address bar is obtained and monitored for changes to the pixels that may indicate a change to the URL.

Abstract: Phishing attacks cause financial frauds and credential thefts. The conventional blacklist, whitelist and Machine Learning (ML) based methods fail to provide an accurate detection of phishing attacks. The present disclosure provides a layered approach wherein a URL domain name is compared with blacklist domains and whitelist domains. Further, the URL undergoes Internet Protocol (IP) address checking followed by context checking. A clicked context is verified based on the number of search results from a popular search engine. Otherwise, the typed context is checked for non-ASCII characters in the domain name. Further, the URL is checked for any brand name. Further, the domain is checked for any misspelling. Further, the URL is examined using a Machine Learning (ML) model. Finally, the URL is classified as phishing if a number hits in a popular search engine is less. Here a phishing alert is generated in each layer based on the corresponding decision.

Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.

Abstract: A method and apparatus are described for user protection from external e-mail attack. Some embodiments pertain to receiving a first e-mail at an e-mail client, receiving a detection of a suspicious element in the first e-mail from a detection system, flagging the first e-mail as suspicious with a first flag and a first warning level in response to receiving the detection, flagging a second e-mail with a second flag and a second warning level, displaying the first and second flags with explanatory text in a mailbox view of the e-mail client without opening the first and second e-mail for display to the user, the suspicious element not being selectable in the mailbox view, and sorting the first and the second e-mail with other e-mails of the mailbox view based on the flag warning levels.

Abstract: Knowledge about a user is used to determine whether one or more messages received by the user are malicious. The knowledge about the user may be based on the user's financial history such as transaction records. Particularly, a classifier model is trained on a supervised approach using a dataset containing, for example, a categorization of incoming messages (e.g., password change message), the user's aggregated transaction records, message attributes, user attributes, and corresponding classification labels. After the training, the classifier model is deployed to determine whether an incoming message is malicious.

Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.