Abstract: A detection method for a malicious domain name in a domain name system (DNS) and a detection device are provided. The method includes: obtaining network connection data of an electronic device; capturing log data related to at least one domain name from the network connection data; analyzing the log data to generate at least one numerical feature related to the at least one domain name; inputting the at least one numerical feature into a multi-type prediction model, which includes a first data model and a second data model; and predicting whether a malicious domain name related to a malware or a phishing website exists in the at least one domain name by the multi-type prediction model according to the at least one numerical feature.

Abstract: Systems and methods are provided for dynamic virtual private network concentrators (VPNC) gateway selection and on-demand VRF-ID configuration. A dynamic VPNC gateway selection component can dynamically route to a particular VPNC gateway based on multiple user-specific factors, including: a) behavior of users on the network; and b) performance of a destination service/device. A dynamic VPNC gateway selection component can rank a user based on one or more factors relating to the behavior of the user. Also, the dynamic VPNC gateway selection component can determine whether a VPNC gateway at a data center is healthy, and whether a destination service at the data center is healthy. The dynamic VPNC gateway selection component can dynamically select a VPNC gateway from a plurality of VPNC gateways at the data center for communicating forwarded traffic from the user based on the user's ranking if either the VPNC gateway or the service are unhealthy.

Abstract: A device for detecting perturbation attacks performed on a digital circuit is provided.

Abstract: Systems and methods are disclosed herein for real-time digital authentication. According to some embodiments, a certification authentication method includes receiving a list of third party root certificates from a remote server, the list of third party root certificates including at least one association between a program configured to run on the computing apparatus and a public key for authenticating communication between the program and an associated server of the program. The method may also include authenticating the list of third party root certificates. The method may also include initiating a communication between the computing apparatus and the associated server and authenticating the communication with the associated server using the public key. Furthermore, the method may also include loading the program onto the one or more memories during a bootstrapping process in response to determining that the communication with the associated server is authentic.

Abstract: Techniques for mitigating BGP blackholes and hijackings are disclosed herein. The techniques include methods for determining, by a victim autonomous system (AS), that a first AS is associated with a first BGP route that includes the victim AS as the destination or as an AS along the first BGP route to the destination and sending a message to a second AS directing the second AS to refrain from using the first AS to propagate data to the victim AS. The message can include a set of one or more AS numbers to avoid in refraining from using to propagate data to the victim AS, a timestamp, an expiration interval, a signature of the victim AS, and an identifier identifying a certificate to be used to verify the signature. Systems and computer-readable media are also provided.

Abstract: Disclosed is an approach for detecting malicious network activity (e.g. based on a data hoarding activity identifies using a graph mixture density neural network (GraphMDN)). Generally, the approach includes generating embeddings using a graph convolution process and then processing the embeddings using a mixture density neural network. The approach may include collecting network activity data, generating a graph representing the network activity, or an aggregation thereof that maintains the inherent graphical nature and characteristics of the data, and training a GraphMDN in order to generate pluralities of distributions characterizing one or more aspects of the graph representing the network activity. The approach may also include capturing new network activity data, and evaluating that data using the distributions generated by the trained GraphMDN, and generation corresponding detection results.

Abstract: A system for to monitor image input of a computing device having a control circuit with a programmable processor, and configured to receive images and to output the images to an image output device coupled to the computing device. The computing device can be configured to monitor the received images via the processor of the computing device being programmed using a Machine Learning Image Classification (MLIC) algorithm configured to determine a score of at least one received image within a predetermined criteria for classifying said at least one received image as a restricted subject image. Based on determination of the score, a modify or non-modify command is generated; and wherein in response to said at least one received image being scored by said processor within the modify criteria, the processor is programmed to generate a command to output the modified image.

Abstract: A system is provided for detecting and remediating computing system breaches using computing network traffic monitoring. In particular, the system may identify one or more computing systems within a network as well as relationships between such computing systems to determine a network topology. Based on the network topology, the system may use historical network traffic data associated with the computing systems in the network to generate predicted entry points and lateral pathways of a security breach that may take place within particular computing systems. Then, based on the computing systems affected as well as entry points and path traversals of the breach, the system may generate and/or implement one or more remediation steps to address existing and/or future breaches. In this way, the system may provide an intelligent method of augmenting the security of a computing network.

Abstract: Systems and methods include obtaining file identifiers associated with files in production data; obtaining lab data from one or more public repositories of malware samples based on the file identifiers for the production data; and utilizing the lab data for training a machine learning process for classifying malware in the production data. The obtaining file identifiers can be based on monitoring of users associated with the files, and only the file identifiers are maintained based on the monitoring. The lab data can include samples from the one or more public repositories matching the corresponding file identifiers for the production data. The lab data can include samples from the one or more public repositories that have features closely related to features of the production data.

Abstract: A computer-based system and method for classifying data in real-time for data streaming may include: capturing a plurality of data packets flowing between a data source machine and a data client; searching at least one of the data packets for tokens associated with sensitive information; if tokens associated with sensitive information are not found in a data packet: allowing the data packet to flow between the data source machine and the data client; and sending the data packet to a comprehensive security analysis; and if tokens associated with sensitive information are found in the data packet: preventing the data packet form flowing between the data source machine and the data client; and sending the data packet to a comprehensive security analysis.

Abstract: The system and method may look for bots using statistics. At a high level, bots communicate back and forth to a command and control computer. The communications are at somewhat random times by design to not be obvious. Using expected probability of a normal distribution rather than simply analyzing time of communications may result in better bot recognition.

Abstract: Methods, systems, and apparatus, including computer-readable media, for predictively providing access to resources. In some implementations, a method includes receiving movement data indicating movement of a mobile device associated with a user while the mobile device approaches a resource is received. A credential of the user authorizes access to the resource. Based on the movement data, the movement of the mobile device is classified as corresponding to an attempt to access the resource. The mobile device is determined to be in proximity to the resource. Before the user interacts with the resource, the resource is caused to be unlocked or opened in response to determining that the credential of the user authorizes access to the resource, classifying the movement of the mobile device as corresponding to an attempt to access the resource, and determining that the mobile device is in proximity to the resource.

Abstract: The present disclosure provides a method and apparatus for suppressing the spread of viruses in a local area network (LAN). The method includes, in response to that an ARP packet is received, determining whether a number of interacting terminals corresponding to a target terminal that sent the ARP packet reaches a first preset threshold; in response to that the number of interacting terminals reaches the first preset threshold, further determining whether a number of abnormal terminal relationships corresponding to the target terminal reaches a second preset threshold; and in response to that the number of abnormal terminal relationships reaches the second preset threshold, providing protection to the target terminal to so to suppress virus propagation in the LAN.

Abstract: An anomaly detection system that includes a database and a server. The server is connected to the database. The server is configured to identify anomalous web traffic for a certain time period based on one or more client keys from the certain time period. The client key(s) includes at least two characteristics related to web traffic data. The server includes a processing unit and a memory. The server is configured to receive the web traffic data from the database, calculate a z-score metric for the client key, calculate a change rate metric for the client key, calculate a failure metric for the client key, determine an anomaly score based on the z-score metric, the change rate metric, and the failure metric, and determine that the certain time period is an anomalous time period based on the anomaly score.

Abstract: The present invention relates to a method and an apparatus for detecting anomalies of a DNS traffic in a network comprising analysing, through a network analyser connected to said network, each data packets exchanged in the network, isolating, through the network analyser, from each of the analysed data packets the related DNS packet, evaluating, through a computerized data processing unit, each of the DNS packets generating a DNS packet status, signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state, wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packet by a plurality of evaluating algorithms generating a DNS packet classification for each of the evaluating algorithms, aggregating, through the computerized data processing unit, the DNS packet classifications generating the DNS packet status, and wherein the critical state is identified when the DNS packet sta

Abstract: According to one embodiment, an information processing apparatus includes: an access detector configured to detect an access request for target data; and a determiner configured to determine necessity of checking information indicating whether access to the target data is permitted, based on position information on the target data, and on a data range to be checked.

Abstract: In an example, a method of encryption is described to include generation of a content encryption key and a key encryption key. In that example, the content encryption key is wrapped based on a key wrap operation using the key encryption key and the wrapped content encryption key is encrypted using a policy encryption key. Further in that example, the policy encryption key is encrypted using a public key corresponding to a print apparatus. In an example, a method of decryption is described. The example method of decryption performs recovery of a policy object using a private key corresponding to a print apparatus. In that example, the policy object includes a wrapped key that is unwrapped using a key encryption key to recover a content encryption key usable to decrypt an encrypted electronic document.

Abstract: A security system generates a digital signature for a small cell of a wireless network and assigns the digital signature to the small cell for connecting to the wireless network. The digital signature can be generated based on a connectivity schedule for the small cell. When the security system obtains a connection request from the small cell to connect to the wireless network, the security system compares an instance of the digital signature included in the connection request with an expected digital signature and compares the point in time when the connection request was communicated with an expected time indicated in the connectivity schedule. The security system detects an anomaly when the instance of the digital signature deviates from the expected digital signature or the point in time deviates from the expected time, and causes performance of an action based on a type or degree of the anomaly.

Abstract: A bot traffic detection system detects scripted network traffic. The bot traffic detection system may use a one-sided unsupervised machine learning technique to estimate distributions for human, non-scripted traffic (clean distributions). The clean distributions may be dynamically updated based on the latest traffic patterns. To estimate the clean distributions the bot traffic detection system may identify, for a certain subset of network traffic, feature values of the certain subset of network traffic that do not include bot traffic (clean buckets). Using clean traffic may provide more robust and stable behavior that can be tracked over time. Using the clean distributions, the bot traffic detection system may generate a rules table that indicates a likelihood that network traffic with a given combination of feature values is scripted network traffic. The bot traffic detection system may apply the rules table in real time to identify scripted network traffic.

Abstract: Efficient and effectiveness malware and phishing detection methods select specific objects of a document based on an analysis of associated graphical elements of a document rendering. A received document may include a number of blobs, which can include URLs or code that generates URLs that can present potential risks. The system can score and/or rank each blob and its corresponding URLs based on a size, shape, position, and/or other characteristics of a visual element associated with each blob. The score or rank can be increased for visual elements that are most likely to be selected by a user, such as large visual elements positioned near the center of a document. The system can then test individual URLs selected based a corresponding rank or score. The test can efficiently reveal the presence of malware or phishing tactics by forgoing tests on URLs that are not likely to be selected.