Abstract: One or more computing devices, systems, and/or methods are provided. Event information associated with a plurality of events may be identified. The plurality of events may be associated with first entities corresponding to a first entity type and second entities associated with a second entity type. A first network profile associated with the first entities and the second entities may be generated based upon the event information. An arrangement of particles corresponding to the first entities and the second entities may be generated. Charges associated with the particles may be determined based upon the first network profile. The particles may be rearranged to a second arrangement of particles based upon the charges. One or more clusters of particles in the second arrangement of particles may be identified. One or more coalition networks associated with fraudulent activity may be identified based upon the one or more clusters of particles.

Abstract: Methods and systems are provided for identifying suspect Internet Protocol (IP) addresses, in accordance with embodiments described herein. In particular, embodiments described herein include obtaining a set of login pairs comprising login identifiers (e.g., user identifiers) and IP addresses used in attempts to login to a source. A set of IP clusters is generated using the set of login pairs. Each IP cluster can include one or more IP addresses identified as related based on a login identifier being used to attempt to login to the source via multiple IP addresses or an IP address being used to attempt to login to the source via multiple login identifiers. Thereafter, it is determined that a particular IP cluster exceeds a threshold amount of IP addresses. Each of the IP addresses within the particular IP cluster is designated as a suspect IP address.

Abstract: Systems and methods for detecting network anomalies are described. These may include determining burst scores for external network resources, determining burst scores for internal network resources, and using the burst scores to construct a burst graph where the edges are weighted by the number of connections between each resource. The graph is then analyzed by a graph convolutional neural network to identify patterns from which anomalous network traffic can be detected and from which corrective action can be taken. These techniques can allow for better detection and mitigation of abusive network traffic, improve computer network security, and provide more robust access to networked computer resources.

Abstract: A system for data protection includes a first computing device comprising a security module; and a storage device coupled to the first computing device via a network interface. The security module comprises at least one of Software Root of Trust (SRoT) and Hardware Root of Trust (HRoT). The security module is further configured to: establish a trust channel between the first computing device and the storage device or storage service; monitor the first computing device and the storage device; create and enforce multi-dimensional data access control by tightly binding data access and permissions to authorized computing devices, users, applications, system services, networks, locations, and access time windows; and take over control of the storage device or storage service in response to a security risk to the system.

Abstract: Methods and systems for penetration testing of a networked system involve assigning network nodes to disjoint classes based on current information about the compromisability of the network nodes. The classes distinguish between nodes not currently known to be compromisable, nodes that only recently have become known to be compromisable, e.g., by a first method of a attack, and nodes that have been known for a longer time to be compromisable. Nodes that only recently have become known to be compromisable can be re-targeted by the penetration testing system to determine whether such nodes can be compromised using multiple methods of attack and not just using the first method of attack.

Abstract: An electronic device and a control method thereof are provided. The electronic device includes an Internet protocol (IP) address corresponding to a domain name of a web page when a user command inputting the domain name is received, identifies a number of hops included in a network path connecting a server corresponding to the obtained IP address and the electronic device to each other, and determines that a man-in-the-middle attack exists in a network when a communication connection with the server is established on the basis of a smaller number of hops than the identified number of hops.

Abstract: Methods and systems for initiating a workflow are disclosed. The systems and methods described herein may receive as input a data segment from an external source, and identify at least one type of data object present in the data segment. The systems and methods described herein may then autonomously generate an application programming interface (API) trigger to initiate a workflow, wherein the API trigger is based on the at least one type of data object present in the data segment.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include monitoring use of web code by providing a web agent for embedding into the web code of a protected web site, and upon downloading the web code from a server to a client computer and running the web code on the client computer, identifying, by the web agent, attributes of the server. The attributes are analyzed by the web agent so as to detect malicious use of the web code, and a notification beacon is transmitted by the web agent in response to detecting the malicious use of the web code.

Abstract: A system and method for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic are provided. The method includes receiving samples of at least rate-based features, wherein the rate-based features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity; computing a short-term baseline and a long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic; computing at least one short-term threshold respective of the short-term baseline and at least one long-term threshold respective of the long-term baseline; evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous; and generating alarm when anomaly is detected.

Abstract: A method and device for providing notification of improper access to secure data on a mobile device. The mobile device detects a request to record content displayed on a display of the mobile device. A determination is then made regarding whether the content that was displayed on the screen when the request to record was received is protected content. If the displayed content was protected, then a third party is notified that a security breach has been detected. A remedial action is also performed regarding the security breach.

Abstract: A locality-sensitive hash value is calculated for a suspect file in an endpoint computer. A similarity score is calculated for the suspect hash value by comparing it to similarly-calculated hash values in a cluster of known benign files. A suspiciousness score is calculated for the suspect hash value based upon similar matches in a cluster of benign files and a cluster of known malicious files. These similarity score and the suspiciousness score or combined in order to determine if the suspect file is malicious or not. Feature extraction and a set of features for the suspect file may be used instead of the hash value; the classes would contain sets of features rather than hash values. The clusters may reside in a cloud service database. The suspiciousness score is a modified Tarantula technique. Matching of locality-sensitive hashes may be performed by traversing tree structures of hash values.