Patents Examined by Roderick Tolentino
  • Patent number: 11449613
    Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: September 20, 2022
    Assignee: CUPP Computing AS
    Inventors: Ami Oz, Shlomo Touboul
  • Patent number: 11444965
    Abstract: Methods and systems for detection of cyberattacks in onboard systems of aircraft. Measurements carried out on these onboard systems are correlated, in case of doubt of one of the measurements, to validate the doubt (and therefore a cyberattack) or to avert the risk. The correlation can be understood as a coming into correspondence of two or more elements/facts (for example measurements or acquired values) which makes it possible to highlight if there is a dependence of one upon the other and thus to justify modifications of one by those of the other. The correlation, preferably temporal, between identification of a suspect measurement and one or more other (quasi)simultaneous measurements allows dynamic detection, in real time, of the cyberattacks, whether they be already known or not. Thus, there is no dependence on a static protection of the onboard systems developed on the a priori knowledge of the existing cyberattacks alone.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: September 13, 2022
    Assignee: Airbus (S.A.S.)
    Inventors: Bernard Rousse, Claude Poli
  • Patent number: 11444948
    Abstract: A system for detecting and profiling endpoints of a computer network is provided. The system includes a first computing device including at least one processor in communication with at least one memory device. The first computing device is in communication with a computer network. The at least one memory device stores a plurality of instructions, which when executed by the at least one processor cause the at least one processor to receive a plurality of packets transmitted to the computer network, determine an identity of a first end point device associated with the plurality of packets, determine a behavior pattern for the first end point device based on the plurality of packets, and generate a synthetic profile for the first end point device based on the identity and the behavior pattern.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: September 13, 2022
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Steven J. Goeringer, Darshak Thakore
  • Patent number: 11432143
    Abstract: In one aspect, a first device includes at least one processor and storage accessible to the at least one processor. The storage includes instructions executable by the at least one processor to access a first network connection history for a second device different from the first device. The instructions are also executable to determine in a first instance whether to authenticate the second device based on the first network connection history and to authenticate the second device based on a determination to authenticate the second device.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: August 30, 2022
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Robert James Norton, Jr., Justin Michael Ringuette, Sandy Scott Collins
  • Patent number: 11431743
    Abstract: A method, system and computer-usable medium for routing data loss prevention (DLP) events across different network levels. A determination is made as to a number of DLP networks. The classification and data as to a DLP network is determined. Certain data is processed, including an entity risk level and certain data is held, such as certificates. The held data is processed by a computing platform. Processed entity risk levels are returned to the DLP networks. When all networks are processed, processed and held data are sent to the computing platform.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: August 30, 2022
    Assignee: Forcepoint, LLC
    Inventors: Robert A. Mathieson, III, Alexander Todd Dierkes
  • Patent number: 11425100
    Abstract: Typically, a business desires to track and monitor all applications run on its servers. Nonetheless, one or more unauthorized applications may be running on the business's servers, exposing the business to potential regulatory liability and security breaches. Apparatus and methods are provided for isolating and disabling one or more unauthorized applications running on a server. The apparatus may comprise a system including a content-filtering web proxy server configured to filter outgoing requests and data associated with the requests. The system may also include a remediation framework configured to monitor request data in a proxy log stored by the proxy server. The remediation framework may be triggered to perform remedial action when the remediation framework determines that a request and associated data, as stored in the proxy log, meets predetermined conditions. The remediation framework, when triggered, may execute steps to truncate functionality of the unauthorized applications.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: August 23, 2022
    Assignee: Bank of America Corporation
    Inventors: Varadharajan Candhadai Ramaswamy, Michael Ogrinz
  • Patent number: 11425154
    Abstract: Disclosed herein are systems and methods for detecting anomalies in a technological system. In one aspect, an exemplary method comprises, intercepting, by a duplicator running on an upper-level element of the technological system at least one outgoing data packet addressed to a middle-level element of the technological system, sending, by the duplicator, information about the intercepted at least one outgoing data packet to a monitor using a secure connection, the monitor running on the middle-level element, intercepting, by the monitor, at least one incoming data packet, comparing, by the monitor, the information received from the duplicator with the intercepted at least one incoming data packet, and detecting, by the monitor, an anomaly in the technological system when the intercepted at least one incoming data packet does not conform to the information received from the duplicator.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: August 23, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Shadrin, Pavel V. Dyakin, Dmitry A. Kulagin
  • Patent number: 11425159
    Abstract: System and method for extracting and combining electronic risk information for business continuity management with actionable feedback methodologies. An example system includes computer agents deployed and configured to collect electronic threat and security information from publicly accessible information and to monitor network data transmitted via public networks, to private networks. An activity predictor extrapolates future electronic threat event frequency from observed electronic threat data and collected security information and uses polynomial regression to create distributions from threat activity prediction. Loss values are quantified for given network configurations and compared with values resulting from simulated changes to configurations or parameters, providing inputs for business continuity and pricing of risk transfer for an entity with given configurations of private network assets.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: August 23, 2022
    Inventor: Phillip King-Wilson
  • Patent number: 11418523
    Abstract: A privacy protection component can automatically comply with a set of privacy requirements when displaying input data. An ingestion module collects input data describing network activity executed by a network entity. A clustering module identifies data fields with data values within the input data as data identifiable to the network entity using machine-learning models trained on known data fields and their data. The clustering module also clusters the data values with other data values having similar characteristics using machine-learning models to infer a privacy level associated with each data field. The privacy level is utilized to indicate whether a data value in that data field should be anonymized. A permission module determines a privacy status of that data field by comparing the privacy level from the clustering module to a permission threshold. An aliasing module applies an alias transform to the data value of that data field with a privacy alias to anonymize that data value in that data field.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: August 16, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Jack Stockdale, Maximilian Heinemeyer
  • Patent number: 11405400
    Abstract: Cybersecurity is improved by automatically finding underutilized access capabilities. Some embodiments obtain an access capability specification, gather access attempt data, and computationally determine that the access capability has not been exercised sufficiently, based on an access capability exercise sufficiency criterion. Security is then enhanced by automatically producing a recommendation to harden a guarded computing system by reducing, disabling, or deleting the insufficiently exercised access capability. In some cases, security enhancement is performed by automatically hardening the guarded computing system. Access capability exercise sufficiency determination may be based on fixed, statistical, or learned time period thresholds or activity level thresholds, or on a combination thereof using confidence levels. Thresholds are compared to a detected time period value or a detected activity level value that is derived from the access attempt data, to determine exercise sufficiency.
    Type: Grant
    Filed: September 8, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jonathan Gazit, Moshe Israel
  • Patent number: 11399041
    Abstract: Described are platforms, systems, and methods for providing a set of detection rules for a security threat. In one aspect, a method comprises receiving, from an interface, a request for a set of detection rules to detect a specified security threat, the request comprising a threat landscape of an enterprise; processing the request through a machine-learning model to determine the set of detection rules, the machine-learning model trained with threat context data and other detection rules provided by a plurality of other enterprises; wherein each detection rule is included in the set of detection rules based on a relevance factor meeting a threshold, and wherein the relevance factor for each respective detection rule is determined based on an efficacy of detecting the security threat within the threat landscape; and providing, through the interface, the set of detection rules.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: July 26, 2022
    Assignee: ANVILOGIC, INC.
    Inventors: Karthik Kannan, Deb Banerjee
  • Patent number: 11397801
    Abstract: A system or method may include an in-vehicle network including an interface port for connecting an external device to the in-vehicle network; and a security unit connected to the in-vehicle network, the security unit adapted to enable an external device to communicate with the in-vehicle network, over the interface port, based on a security token received from the external device. A system or method may, based on a token, prevent an external device from at least one of: communicating with a selected set of components in an in-vehicle network, communicating with a selected set of network segments in the in-vehicle network and performing a selected set of operations.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: July 26, 2022
    Assignee: Argus Cyber Security Ltd.
    Inventors: Ofer Ben-Noon, Yaron Galula, Oron Lavi
  • Patent number: 11388186
    Abstract: Disclosed is a method and a system for using techniques to stitch cybersecurity, generate network risks and predictive mitigations. The method includes collecting data from several data sources and labeling events. The method includes creating a profile for each entity observed in the data with the behavior of the profile determined through the analytical analysis of the events in which the entity participates including the transference of labels from events to the entity. One or more profiles of an organization are identified that have changed and the change is processed using specific attack sequence detection to identify one or more risks associated with each profile. The method further includes notifying one or more users associated with the one or more profiles based on the one or more risks.
    Type: Grant
    Filed: July 4, 2020
    Date of Patent: July 12, 2022
    Inventor: Kumar Srivastava
  • Patent number: 11388195
    Abstract: A computer-implemented system and method are disclosed that monitor and determine vendor compliance with at least some aspects of information and security criteria. At least one computing device is configured by executing code to access information and security criteria respectively associated with a vendor that provides a good and/or service. At least some aspects of the information and security criteria are provided by an organization considering the vendor and, further, the information and security criteria include at least one of cybersecurity criteria, regulatory criteria, intellectual property criteria, data management criteria, and policy criteria.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: July 12, 2022
    Assignee: CLEAROPS, INC.
    Inventors: Caroline McCaffery, George Rosamond
  • Patent number: 11381578
    Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: July 5, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Jayaraman Manni, Ashar Aziz, Fengmin Gong, Upendran Loganathan, Muhammad Amin
  • Patent number: 11368488
    Abstract: Systems, methods, and apparatuses enable one or more security microservices to optimize a security configuration of a networked environment by applying security policies to resource groups passively to determine whether network sets, resource groups, or security policies should be modified, prior to active enforcement. When security policies are applied passively, security actions that are performed in response to a violation of security policy do not impact network traffic. The one or more security microservices evaluate the results of the passive application of security policies to determine whether there is at least one recommended modification to network sets, resource groups, or security policies. When there is at least one recommended modification, the modification is applied.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: June 21, 2022
    Assignee: Fortinet, Inc.
    Inventors: Manuel Nedbal, Ratinder Paul Singh Ahuja, Manoj Ahluwalia, Jitendra Gaitonde, Rajiv Sreedhar, Ojas Milind Kale, Mark Raymond Lubeck, Yuk Suen Cheng, Suresh Rajanna, David Dvir Adler, Gary Nool
  • Patent number: 11343095
    Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, a first enclave to be used for executing a cryptlet binary of a first cryptlet is identified. The first enclave may be a secure execution environment that stores an enclave private key, and the first cryptlet may be associated with at least a first counterparty. A cryptlet binding that is associated with the first cryptlet may be generated, and may include counterparty information that is associated with at least the first counterparty. Cryptlet binding information may be provided to a cryptlet binding key graph, and a location of a first hardware security module (HSM) that stores a key that is associated with the first counterparty may be received from the cryptlet binding key graph.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: May 24, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: John Marley Gray
  • Patent number: 11341284
    Abstract: Embodiments of the present specification disclose trusted hardware-based data management methods, apparatuses, and devices. One method comprises: identifying, by trusted hardware, data description information to be published, wherein the data description information describes target data of a data owner provided by a trusted institution, and the trusted hardware is associated with a decentralized identifier of the data owner; requesting the trusted institution to verify whether the trusted institution stores user service data for generating the target data; receiving a verification result from the trusted institution; and publishing the data description information in response to determining that the verification result indicates that the trusted institution stores the user service data for generating the target data.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: May 24, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Yuan Chen, Shubo Li, Wenyu Yang, Renhui Yang, Qin Liu, Qin Xiong, Sheng Zhang
  • Patent number: 11336671
    Abstract: Provided are a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: May 17, 2022
    Assignee: KOREA INTERNET & SECURITY AGENCY
    Inventors: Mi Joo Kim, Woong Go, Sung Taek Oh, Jae Hyuk Lee, Jun Hyung Park
  • Patent number: 11321470
    Abstract: A system and method for enhancing security for a high security embedded system. The system on chip device including at least one central processing unit (CPU) component, input and output component blocks, an independent hard or soft core dedicated to the input and output blocks, and a built-in, on die interposer, wherein the interposer consists of a field programmable gate array (FPGA) fabric, the FPGA fabric surrounding the components of the system on chip. The method includes separating system components using an FPGA fabric, redirecting or changing the appearance of system components unknown to other system components, separating system code from security and recovery code, and providing proactive security problem detection and resolutions.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: May 3, 2022
    Assignee: Riverside Research Institute
    Inventors: David Dozer, Adam Kouse