Abstract: Systems and methods are described for synergistically combining static file based detection and behavioral analysis to improve both threat detection time and accuracy. An endpoint security solution running on an endpoint device generates a static analysis score by performing a static file analysis on files associated with a process initiated on the endpoint device. When the static analysis score meets or exceeds a static analysis threshold, then a network security platform treats the process as malicious and blocks execution of the process. When the static analysis score is less than the static analysis threshold, then the endpoint security solution obtains a dynamic analysis score for the process. The network security platform treats the process as malicious and causes execution of the process to be blocked based on a function of the static analysis score and the dynamic analysis score.

Abstract: A policy-controlled authorization system for managing tokens used to access services in a cloud based multi-tenant system. The policy-controlled authorization system includes a local application that executes on a client device, a policy component including a plurality of policies, and a mid-link server, coupled to the client device. A request for access to a service on a remote application running on a remote instance of a web server is provided by the local application. A token is required to access the service. A correlator correlates the token with the plurality of tokens for identifying a policy from the plurality of policies associated with the token. A token inspector authorizes the token for accessing the service based on the correlation. Based on the authorization, either the token is authorized for access to the service via the remote application, or the token is blocked when unauthorized to prevent access to the service.

Abstract: Systems and methods are disclosed for computer network threat assessment. For example, methods may include receiving from client networks respective threat data and storing the respective threat data in a security event database; maintaining affiliations for groups of the client networks; detecting correlation between a network threat and one of the groups; identifying an indicator associated with the network threat, and, dependent on the affiliation for the group, identifying a client network and generating a message, which conveys an alert to the client network, comprising the indicator; responsive to the message, receiving, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network; and updating the security event database responsive to the report of detected correlation.

Abstract: Examples described herein relate to a system for orchestrating a security object, including a memory and processor configured to define a plurality of complex policies in a database, wherein the complex policies comprises one or more of EQUAL policy, ONE-OF policy, MEMBER OF policy, NULL policy, NOT-NULL policy, GREATER-THAN policy, GREATER-THAN-OR-EQUAL-TO policy, LESS-THAN policy, or LESS-THAN-OR-EQUAL-TO policy, receive the security object and at least one object attribute associated with the security object, determine acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of complex policies corresponding to the at least one object attribute, and distribute the security object to at least one communication device associated with the processor when the security object is determined to be acceptable, wherein the at least one communication device establishes communication based, at least in part, on the security object.

Abstract: A computer implemented method of detecting anomalous behavior in a set of computer systems communicating via a computer network, the method including evaluating a difference in a level of activity of the computer system between a baseline time period and a runtime time period, and responsive to a determination of anomalous behavior, implementing one or more protective measures for the computer network.

Abstract: IPRID reputation assessment enhances cybersecurity. IPRIDs include IP addresses, domain names, and other network resource identities. A convolutional neural network or other machine learning model is trained with data including aggregate features or rollup features or both. Aggregate features may include aggregated submission counts, classification counts, HTTP code counts, detonation statistics, and redirect counts, for instance. Rollup features reflect hierarchical rollups of data using <unknown> value placeholders specified in IPRID templates. The trained model can predictively infer a label, or produce a rapid lookup table of IPRIDs and maliciousness probabilities. Training data may be organized in grids with rows, columns, planes, branches, and slots. Training data may include whois data, geolocation data, and tenant data. Training data tuple sets may be expanded by date or by original IPRID.

Abstract: Systems and methods to reverse-predict a MAC address associated with a computing device are described. In one embodiment, first temporal communication data associated with the computing device is accessed for a first time interval. The first temporal communication data is converted into a first image. Second temporal communication data associated with the computing device is accessed for a second time interval. The second temporal communication data is converted into a second image. An image ensemble including the first image and the second image is analyzed using a neural network. Each image in the image ensemble is converted from temporal communication data associated with the computing device. The neural network learns a temporal pattern associated with the image ensemble. Current temporal communication data associated with the computing device is accessed and converted into a current image. The current image is compared with the temporal pattern.

Abstract: The present invention discloses a system and a method for detecting anomalous patterns in a network such as a LAN, WAN, MAN, internet of things (Iot), cloud networks, or any other network. In operation, the system and method of the present invention determines a generic pattern of behavior associated with a plurality of anomaly classes based on a plurality of feature values using reinforcement learning technique. The generic pattern is fixed as a boundary for each of the plurality of anomaly classes and is representative of behavior which substantially simulates the network behavior on attack by any of the plurality of anomaly classes. Further, the present invention, provides for updating the generic pattern using reinforcement learning. The updated generic pattern is implemented to analyze and detect anomalous behavior in the incoming network traffic in real time.

Abstract: Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.

Abstract: A computing system for generating tamper-proof electronic messages is disclosed herein. A service provider application receives an electronic message from a client application. The electronic message comprises an authorization provider (AuP) token that includes a public key of a local signing authority (LSA) and a signed payload that has been signed by the LSA using a private key of the LSA that forms a cryptographic key pair with the public key, the signed payload comprising an indication of a programmatic task to be executed by the service provider application. Responsive to validating the AuP token in the electronic message, the service provider application extracts the public key from the electronic message. Responsive to validating the signed payload based upon the extracted public key of the LSA, the service provider application executes the programmatic task.

Abstract: A method provides for collecting data source images from multiple repositories. Application dependencies are discovered from the data source images. Status results are determined based on vulnerability and compliance scanning of all dependent sources for each data source image. The status results are aggregated across all data source images for each of the multiple repositories. Remediations are determined for violations indicated by the aggregated status results. Each of the remediations is aggregated and ordered to define a single global remediation solution.

Abstract: An Artificial Intelligence AI-based cyber threat analyst protects a system from cyber threats. A cyber threat analyst module uses i) one or more AI models, ii) a set of scripts, and iii) any combination of both, to form and investigate hypotheses on what are a possible set of cyber threats that include abnormal behavior and/or a suspicious activity. An analyzer module uses one or more data analysis processes including i) an agent analyzer data analysis process; ii) an Ngram data analysis process; iii) an exfiltration data analysis process; and iv) a network scan data analysis process; in order to obtain any of the abnormal behavior and the suspicious activity to start the investigation on the possible set of cyber threats hypotheses, as well as, to obtain the collection of system data points to either support or refute the possible cyber threat hypotheses.

Abstract: Providing virtualized credentials of a holder includes authorizing a subset of credential data to be sent to a device of a relying party that is different from the holder, where the subset of credential data depends on a role of the relying party, selection by the holder, and/or contextual data of the relying party and includes displaying the subset of credential data on a screen of the device of the relying party. The contextual data may be a privacy level setting, distance between the relying party and the holder, and/or geolocation of the relying party. The role of the relying party may be provided by the relying party. Role information provided by the relying party may be provided in a verifiable format. The role information may be digitally signed or securely derived and determined by a mutual authentication algorithm between the relying party and the holder.

Abstract: A cyber threat defense system can autonomously gather research data about external hosts visited by a network entity and present that information in a format integrated with a threat-tracking graphical user interface. A collation module can collect input data from the network entity. A cyber threat module can identify a cyber threat from the input data. A host module can determine at least one host metric for an external host in the input data based on the identified cyber threat. A researcher module can collect host research data describing the external host. A scoring module can analyze the host research data using the at least one host metric. The scoring module can generate an automatic threat score describing a threat level presented by the external host. A user interface module can present a threat-tracking graphical user interface displaying the automatic threat score.

Abstract: An apparatus for connecting a data-processing and/or data-generating production apparatus with a network includes a first network interface to be connected with the network, a second network interface to be connected with the production apparatus, and a program code stored in the memory for execution by the at least one processor. The program code includes instructions upon whose execution data packets received at the second network interface via a second protocol are forwarded to the first network interface, and/or upon whose execution data packets received at the first network interface via a first protocol are forwarded to the second network interface and there are sent via a second protocol to the production apparatus. The program code includes instructions upon whose execution the at least one processor applies a packet filter to the data packets on the way between the network interfaces.

Abstract: The present disclosure discloses method and an attack path prediction system for predicting an attack path in a computer network. The attack path prediction system receives static and dynamic data associated with a source node attacked in computer network along with static and dynamic risk attributes of one or more vulnerabilities associated with one or more target nodes reachable from source node. A likelihood score is calculated for each of one or more vulnerabilities associated with one or more target nodes in relation to each of one or more vulnerabilities associated with source node based on static and dynamic risk attributes. Additionally, a prediction score is calculated for each of one or more vulnerabilities associated with target nodes based on corresponding likelihood score and static and dynamic risk attributes. Thereafter, based on prediction score, the attack path is predicted between the source node and one or more target nodes.

Abstract: An electronic device is disclosed. The electronic device comprises: a camera; a storage unit; and a processor for capturing an image including authentication information of an external electronic device through the camera, acquiring first information related with a public key included in the image and storing the first information in the storage unit, and comparing second information with the first information so as to authenticate the external electronic device when the second information and identification information related with the public key are received from the external electronic device on the basis of a type of first information.

Abstract: Systems and methods are provided for a media provider to allow a user to access media objects with a third-party partner that authenticates the user and authorizes the user to access certain media objects. The media provider offers access to media objects, such as video content or audio content. The partner, through a relationship with the media provider, similarly offers access to the media provider's media objects, for example, as a service or benefit to the partner's customers or users. In particular, a partner integration server mediates user authentication and authorization by the partner. The partner integration server also allows the media provider to easily and flexibly to add and integrate additional partners.

Abstract: The present disclosure describes a system, method, and computer program for detecting unmanaged and unauthorized assets on an IT network by identifying anomalously-named assets. A recurrent neural network (RNN) is trained to identify patterns in asset names in a network. The RNN learns the character distribution patterns of the names of all observed assets in the training data, effectively capturing the hidden naming structures followed by a majority of assets on the network. The RNN is then used to identify assets with names that deviate from the hidden naming structures. Specifically, the RNN is used to measure the reconstruction errors of input asset name strings. Asset names with high reconstruction errors are anomalous since they cannot be explained by learned naming structures. After filtering for attributes or circumstances that mitigate risk, such assets are associated with a higher cybersecurity risk.

Abstract: An example operation may include one or more of receiving, via a network, tag data that is read from a tag associated with a physical object and signed with a key assigned to the tag, determining, via a blockchain peer, that the signed tag data is validly signed based on a corresponding key pair of the tag which is accessible to the blockchain peer, determining, via the blockchain peer, whether the tag data satisfies of one or more predefined conditions of the physical object, and storing the determination via a blockchain database.