Patents Examined by Shu Chun Gao
  • Patent number: 11423145
    Abstract: Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems. Logic may monitor one or more control units at one or more observation layers of an in-vehicle network, each of the one or more control units to perform a vehicle function. Logic may combine observations of the one or more control units at the one or more observation layers. Logic may determine, based on a combination of the observations, that one or more of the observations represent an intrusion. Logic may determine, based at least on the observations, characteristics of an attack, and to pass the characteristics of the attack information to a forensic logging system to log the attack or pass the characteristics of the attack to a recovery system for informed selection of recovery procedures. Logic may dynamically adjust a threshold for detection of suspicious activity.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: August 23, 2022
    Assignee: INTEL CORPORATION
    Inventors: Christopher N. Gutierrez, Marcio Juliato, Shabbir Ahmed, Qian Wang, Manoj Sastry, Liuyang L. Yang, Xiruo Liu
  • Patent number: 11416616
    Abstract: A system is provided for managing booting of an OS that includes a UEFI controller comprising embedded application code instructions and a pre-loaded signed certificate, a boot process controller comprising application code instructions for the OS, pre-loaded signed certificates, and a plurality of application hash identifiers. The boot process controller receives signed communications from the UEFI controller and determines if the UEFI controller is authorized to manage the OS. The UEFI controller manages the OS in response to a positive authorization. The boot process controller determines if the UEFI controller is authorized to manage the OS in response to installation or execution of the OS. The UEFI controller receives a signed communication from the boot loader program, compares the signed communications with the plurality of application identifiers, and executes the boot loader program in response to the pre-loaded signed certificate matching an application identifier from the plurality.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: August 16, 2022
    Assignee: FORCEPOINT LLC
    Inventors: Robert W. Kliewer, Micky S. Martin, Mickey J. Malone, II
  • Patent number: 11411948
    Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: August 9, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Clarence Filsfils, Marc Portoles Comeras, David Delano Ward, Alberto Rodriguez Natal
  • Patent number: 11411947
    Abstract: Systems and methods for smart contract-based detection of authentication attacks are disclosed. According to one embodiment, a method may include: (1) receiving an identification of a plurality of password-protected resources from an account holder; (2) receiving a rule identifying an automated protective action to be taken in response to a failed login attempt with one of the password-protected resources; (3) receiving, at a distributed ledger, a notification of a login attempt with one of the plurality of password-protected resources; (4) a smart contract or self-executing code executed by the information processing apparatus determining that the login attempt meets the rule; (5) the smart contract or self-executing code taking the automated protective action with the one of the plurality of password-protected resources and another of the plurality of password-protected resources; and (6) the smart contract or self-executing code committing the automated protective action to the distributed ledger.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: August 9, 2022
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Ankur Sambhar
  • Patent number: 11405397
    Abstract: Methods, apparatus, systems, and articles of manufacture to deconflict malware or content remediation are disclosed. An example apparatus includes a site redirector to identify a first request to be transmitted from a client device to a destination site identified by a uniform resource locator (URL), a site verifier to determine whether the first request indicates that a user has authorized navigation to the destination site, and a URL encoder to, in response to determining that the user has authorized the navigation to the destination site, generate a data field based on the domain of the destination site, the site redirector to transmit a second request to a network security monitor, the second request to indicate to the network security monitor that the user has authorized the navigation to the destination site, the second request including the data field and the URL.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: August 2, 2022
    Assignee: McAfee, LLC
    Inventors: Martin Pivetta, Srinivasan Varadharajan
  • Patent number: 11403398
    Abstract: Disclosed herein are methods and systems for detecting a source of malicious activity in a computer system. An exemplary method comprises gathering information related to the objects of the computer system, forming a graph based on the information gathered on the objects, selecting at least two induced subgraphs (hereinafter, subgraph) from the resulting graph, determining the coefficient of harmfulness for each selected subgraph, the coefficient of harmfulness representing a numerical characteristic describing the strength of the relations between the vertices of that subgraph, determining, from the selected subgraphs, a subgraph whose coefficient of harmfulness is a minimum among the determined coefficients of harmfulness of the subgraphs, and the total coefficient of harmfulness of the subgraphs related to that subgraph is a maximum, identifying the object correlated with at least one vertex of the determined subgraph as a source of the malicious activity in the computer system.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: August 2, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Igor I. Sumenkov, Sergey Y. Golovanov
  • Patent number: 11388183
    Abstract: Provided herein are systems and methods for risk tracking. A tracker engine executable on servers may provide, in a user interface, a plurality of categories of locations for files in a networked environment. The tracker engine may identify in the user interface risk categories of the files in each of the categories of the locations. The tracker engine may provide, in the user interface, types of egress points for the files. The tracker engine may generate links between the categories of the locations of the files, the risk categories of the files and the types of egress points for the files. Details about each of the files may be navigable from the user interface via a corresponding category of a location of the file, a corresponding risk category of the file or a corresponding type of egress point for the file.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: July 12, 2022
    Assignee: Digital Guardian LLC
    Inventors: Jaimen Dee Hoopes, Christian J Weibel, Christian Paul Larsen
  • Patent number: 11366886
    Abstract: A user provides an identification (ID) signal (e.g. a biometric ID signal like a self-snapshot) to a trusted cloud-based provider. When the user attempts to authenticate with the cloud-based provider, a similar ID signal (e.g. another self-snapshot) for the user is captured and provided to the cloud-based provider. The cloud-based provider then obtains a secondary ID signal, or a combination of secondary ID signals, and utilizes the secondary ID signal, or signals, to identify a subset of user records to be searched for the ID signal. The subset of the records, rather than all of the user records, can then be searched for the ID signal. The cloud-based provider can then authenticate the user based on the results of the search of the subset of the user records.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: June 21, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Raju Jain, Peter Gregory Davis, Jeffrey Johnson, Craig Thomas McIntyre, Kiran Kumar
  • Patent number: 11334651
    Abstract: A user provides an identification (ID) signal (e.g. a biometric ID signal like a self-snapshot) to a trusted cloud-based provider. When the user attempts to authenticate with the cloud-based provider, a similar ID signal (e.g. another self-snapshot) for the user is captured and provided to the cloud-based provider. The cloud-based provider then obtains a secondary ID signal, or a combination of secondary ID signals, and utilizes the secondary ID signal, or signals, to identify a subset of user records to be searched for the ID signal. The subset of the records, rather than all of the user records, can then be searched for the ID signal. The cloud-based provider can then authenticate the user based on the results of the search of the subset of the user records.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: May 17, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Raju Jain, Peter Gregory Davis, Jeffrey Johnson, Craig Thomas McIntyre, Kiran Kumar
  • Patent number: 11328062
    Abstract: A computer-implemented method for detecting cyber-attacks affecting a computing device includes retrieving a plurality of sensor datasets from a plurality of sensors, each sensor dataset corresponding to involuntary emissions from the computing device in a particular modality and extracting a plurality of features from the plurality of sensor datasets. One or more statistical models are applied to the plurality of features to identify one or more events related to the computing device. Additionally, a domain-specific ontology is applied to designate each of the one or more events as benign, failure, or a cyber-attack.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: May 10, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventors: Arquimedes Martinez Canedo, Justinian Rosca, Sanjeev Srivastava
  • Patent number: 11321462
    Abstract: A method of identifying anomalous behavior can include transforming input data to a series of numbers, determining first features and second features of the series of numbers that, given the same numbers in a different order, produce a different value for the respective feature, encoding the series of numbers by a key value indicating a number associated with a cell of a grid of cells to which the first and second features map, and determining, based on whether the key value has been previously provided, whether the input is anomalous.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: May 3, 2022
    Assignee: Raytheon Company
    Inventors: Holger M. Jaenisch, James W. Handley, Tonja L. Rogers
  • Patent number: 11308210
    Abstract: Deriving malware signatures by training a binary decision tree using known malware and benign software samples, each tree node representing a different software feature set and having one descending edge representing samples that are characterized by the node's software feature set and another descending edge representing samples that are not characterized thusly, selecting multiple continuous descending paths for multiple subsets of nodes, each path traversing a selected one of the edges descending from each of the nodes in its corresponding subset, deriving, based on the nodes and edges in any of the paths, a malware-associated software feature signature where the malware samples represented by leaves that directly or indirectly descend from an end of the continuous descending path meets a minimum percentage of the total number of samples represented by the leaves, and providing the malware signatures for use by a computer-based security tool configured to identify malware.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: April 19, 2022
    Assignee: International Business Machines Corporation
    Inventors: Fady Copty, Matan Danos, Orit Edelstein, Dov Murik, Benjamin Zeltser
  • Patent number: 11294641
    Abstract: A domain module computation unit has as a single board computer (1) a central processing unit (CPU) in communication with both a first bus and with a second bus with all communication between the first bus and the second bus being through the CPU, (2) the first bus communicating with a plurality of internal modules and (3) the second bus communicating with an input/output (I/O) unit enabling communication with devices external to the single board computer. Representative internal modules include a kernel non-volatile memory, a working non-volatile memory, a random access memory and an encryption/decryption unit. The single board computational unit is configured to execute software code modeled in a form embedding data and software instructions in a single model.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: April 5, 2022
    Inventor: Dimitris Lyras
  • Patent number: 11290494
    Abstract: Methods and systems for reliability prediction of security policies in a cloud computing environment are provided. An example method includes providing a graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges, the relationships being associated with points in time, receiving a security policy including rules for the relationships between the workloads, generating a plurality of earliest points in time based on the rules and the graph database, wherein generating the plurality of earliest points in time includes: determining, for each rule of the rules, a subset of the relationships in the graph database such that each of the subset of the relationships matches the rule, and selecting an earliest point in time from points in time associated with relationships from the subset, and analyzing the plurality of earliest points in time to determine a reliability score for the security policy.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: March 29, 2022
    Assignee: vArmour Networks, Inc.
    Inventors: Xiaodan Li, Marc Woolward
  • Patent number: 11283836
    Abstract: A method and system for implementing security patches on a computer system is disclosed. The method includes finding one or more security patches; analyzing one of the one or more security patches to find one or more localized security fixes within the one or more security patches; and transforming a security patch within the one or more security patches into a honey patch that is configured to report security violations.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: March 22, 2022
    Assignee: CARRIER CORPORATION
    Inventors: Adriaan Larmuseau, Devu Manikantan Shila
  • Patent number: 11265348
    Abstract: Providing an accurate and on-demand status of audit compliance is disclosed. A security policy, agreed upon by a service provider and a service user, is provisioned in a compliance log. A service provider requests to add a first update to the compliance log, the first update indicating that a compliance action has been taken. The first update is added to the compliance log, and a first computational digest of the compliance log is added after adding the first update. An auditor of the compliance action requests to add a second update to the compliance log. The second update is added to the compliance log, and a second computational digest of the compliance log is added after adding the second update. Thereby, the user is provided a more current view of audit compliance that can be trusted based on the tamper-proof compliance log.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: March 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael T. Strosaker, Sandra P. Nava, Eric Richter, Jon P. Weiser, Matt Hartenbower, George C. Wilson
  • Patent number: 11258806
    Abstract: A computerized method for associating cyberthreat actor groups responsible for different cyberthreats is described. The method involves generating a similarity matrix based on content from received clusters of cybersecurity information. Each received cluster of cybersecurity information is assumed to be associated with a cyberthreat. The similarity matrix is composed via an optimized equation combining separate similarity metrics, where each similarity metric of the plurality of similarity metrics represents a level of correlation between at least two clusters of cybersecurity information, with respect to a particular aspect of operations described in the clusters. The method further involves that, in response to queries directed to the similarity matrix, generating a listing of a subset of the clusters of cybersecurity information having a greater likelihood of being associated with cyberthreats caused by the same cyberthreat actor group.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: February 22, 2022
    Assignee: Mandiant, Inc.
    Inventors: Matthew Berninger, Barry Vengerik
  • Patent number: 11227048
    Abstract: Disclosed herein are methods and systems for detecting malicious files. An exemplary method comprises emulating execution of a file under analysis, forming a behavior log of the emulated execution of the file under analysis, forming one or more behavior patterns from commands and parameters selected from the behavior log, calculating a convolution of the one or more behavior patterns, selecting two or more models for detecting malicious files from a database, calculating a degree of maliciousness of the file being executed based on the convolution and the two or more models, forming a decision making template based on the degree of maliciousness and determining that the file is malicious when a degree of similarity between the decision making template and a predetermined decision making template exceeds a predetermined threshold value.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: January 18, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11212310
    Abstract: An API transaction management computing device is provided that receives an API request from a source node and obtains an API response from a destination node. The device includes a receiving module configured to receive the API request from the source node, a scoring module configured to determine an assessment score based on information associated with the API request including information about a digital identity associated with the API request and match the assessment score to an actions rule comprising controlling deliverability, messaging, and content of the API request, and a transmission module configured to perform actions of the actions rule by controlling deliverability, messaging, and content of the API request to a destination node and the API response to a transmitting source node.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: December 28, 2021
    Assignee: AAPI
    Inventors: Timothy Arvanites, Robert Phillips
  • Patent number: 11206281
    Abstract: Carrying out a penetration testing campaign in a networked system by a penetration testing system, for determining a way for an attacker to compromise the networked system, comprises determining that the attacker can obtain user credentials of a first user, determining that when using the user credentials the first user has access rights to a first network node of the networked system, determining that a second network node of the networked system is compromisable by the attacker during the penetration testing campaign, determining that the first network node was accessed from the second network node, and based on the foregoing, determining that the first network node is compromisable by the attacker during the penetration testing campaign, and determining the way for the attacker to compromise the networked system which includes a step of compromising the first network node using the user credentials of the first user.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: December 21, 2021
    Assignee: XM Cyber Ltd.
    Inventors: Ronen Segal, Yaron Shani, Igal Gofman