Abstract: A method for data transfer and storage is provided. The method may include: encrypting data generated by a terminal device; storing duplicated copies of the encrypted data respectively in a first storage device and a second storage device, which are removably inserted into the terminal device; generating, with the terminal device, a message authentication code associated with the encrypted data; transmitting the message authentication code to a first server; physically transporting the first storage device to a remote location of the first server, and upon the first storage device being inserted into the first server, determining whether the encrypted data stored in the first storage device are damaged using the message authentication code; and in response to a determination that the encrypted data stored in the first storage device are not damaged, transmitting the encrypted data from the first storage device to the first server.

Abstract: Embodiments detect cyberattack campaigns against multiple cloud tenants by analyzing activity data to find sharing anomalies. Data that appears benign in a single tenant's activities may indicate an attack when the same or similar data is also found for additional tenants. Attack detection may depend on activity time frames, on how similar certain activities of different tenants are to one another, on how unusual it is for different tenants to share an activity, and on other factors. Sharing anomaly analysis may utilize hypergeometric probabilities or other statistical measures. Detection avoidance attempts using entity randomization are revealed and thwarted. Authorized vendors may be recognized, mooting anomalousness. Although data from multiple tenants is analyzed together for sharing anomalies while monitoring for attacks, tenant confidentiality and privacy are respected through technical and legal mechanisms. Mitigation is performed in response to an attack indication.

Abstract: One embodiment of the described invention is directed to a key management module and a consumption quota monitoring module deployed within a cybersecurity system. The key management module is configured to assign a first key to a subscriber and generate one or more virtual keys, based at least in part on the first key, for distribution to the subscriber. A virtual key is included as part of a submission received from the subscriber to authenticate the subscriber and verify that the subscriber is authorized to perform a task associated with the submission. The consumption quota monitoring module is configured to monitor a number of submissions received from the subscriber.

Abstract: Methods are systems are provided for onboarding network equipment to managed networks. An onboarding controller of a managed network may generate a challenge for network equipment to be onboarded into the managed network, and may send the challenge to a communication device different from the equipment network. The challenge may include information relating to a configuration change to be made to the network equipment. Further, the challenge is sent over a connection that is different than a connection used in communicating with the network equipment. The onboarding controller may verify, based on handling of the configuration change, an identity and/or a network location of the network equipment. Handling the configuration change may include applying the configuration change.

Abstract: Upgrade to a Trusted Application in a Trusted Execution Environment compliant to a Trusted Execution Environment standard to an as-a-server functioning by running, inside the Trusted Execution Environment, each instance of a Multi Instance/Single Session Trusted-Server Trusted Application compliant to the TEE standard in an infinite state-full loop polling a session of a Single Instance/Multi Session Trusted-Pipe Trusted Application, the single session of each of the instance of the Trusted-Server Trusted Application being adapted to perform a task as a server, said Trusted-Pipe Trusted Application being further polled by the Customer Application and opening session depending on command coming from the Customer Application.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: An interface element connected to a device and a security die-chip are fabricated in a single package. The security die-chip may provide a security authentication function to the interface element that does not have the security authentication function. The security die-chip may include a physically unclonable function (PUF) to provide a private key, and a hardware security module to perform encryption and decryption using the private key.

Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.

Abstract: A network device detecting possible malicious traffic and enlists the help of a co-operative group of downstream routers to perform enhanced deep packet analysis and firewalling in parallel with the transport of the packet through the network. The routers may also use other remote computational resource to perform some of the analysis along or close to the route 80 of the packet through the network. The packets are cached at the exit edge router, which does not release the packet from the cooperative group until all analyzers report the traffic is safe, or deletes the traffic if identified as malicious. By buffering at the remote end the packet can be forwarded promptly if approved, but protects downstream components if the traffic is malicious.

Abstract: Provided is a method for automatically registering a user on a field device for the purpose of administering the field device, including a) providing user information on the basis of an identity of the user and an identity of the field device by a security device; b) transmitting the provided user information to a mobile device of the user; c) generating field-device-specific registration information on the basis of the transmitted user information by the mobile device; and d) registering the user on the field device by the generated registration information. This method has the particular advantage that a highly secure infrastructure can be used for administering access information for administering the field devices without problems arising during the registration process.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A system comprising one or more computers implements a hardware feature access service. The hardware feature access service stores private keys that correspond to digital certificates embedded in chipsets of devices enrolled in the hardware feature access service. The hardware feature access service is configured to issue access or access revocation messages to the chipsets to “lock” or “unlock” associated hardware components. The hardware feature access service also implements a service interface that allows clients to request changes to enabled feature sets for devices enrolled in the hardware feature access service. In response to such requests, the hardware feature service automatically and wirelessly enables or disables feature sets by locking or unlocking relevant hardware components of a device relevant to enabling or disabling the requested feature sets.

Abstract: Based on the interaction data and response data, an interaction monitoring platform may determine a first known sentiment and a second known sentiment, identify a first pattern and a second pattern in the interaction data, and generate a first pattern-level sentiment and a second pattern-level sentiment based on the known sentiments and the identified patterns. A binary indicator may indicate which identified patterns are exhibited in a subset of the interaction data. The platform may train a gradient boosting model using known sentiment as a target variable and using binary indicators and pattern-level sentiments as input data. The platform may predict a sentiment corresponding to a subset of interaction data with unknown sentiment that exhibits one or more of the first pattern or the second pattern based on a binary indicator and the trained gradient boosting model.

Abstract: A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.

Abstract: Methods and systems for performing an electronic security assessment of a building automation system are provided. The building automation system includes a controller and a network of electronic devices connected in electronic communication. The method includes requesting, by the controller, an electronic security scan of the controller with a data set of the controller via a secured channel to a cloud-based service. The method also includes initiating the electronic security scan of the controller based on the data set of the controller. The method further includes electronically assessing security vulnerabilities of the building automation system. The method also includes electronically assessing, by the controller, security vulnerabilities of the network of electronic devices connected in electronic communication with the controller.

Abstract: Methods, systems, and media for recovering identity information in verifiable claims-based systems are provided.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: A method of allowing collaboration on an encrypted document stored in a cloud computing network, the encrypted document associated with a first user having a first user account in the cloud computing network, the method comprising: in response to a request from the first user to share the encrypted document, sending a link to a public network destination to a second user address of a second user; receiving a request via the link from an unconfirmed user to access the data in the encrypted document; requesting of the unconfirmed user to login to a second user account on the cloud computing network; authenticating the identity of the unconfirmed user as the second user; upon authenticating the identity of the unconfirmed user as the second user, decrypting the encrypted document to generate a decrypted document; storing the decrypted document in the first user account; granting the second user access to the decrypted file simultaneously to access granted to the first user; subsequent to the first user or the se

Abstract: A device configured to obtain a first user interaction data at a first time instance for user devices, to obtain a first set of clusters from a machine learning model based on the first user interaction data, and to determine a first cluster quantity for the first set of clusters. The device is further configured to obtain a second user interaction data at a second time instance for the user devices, to obtain a second set of clusters from the machine learning model based on the second user interaction data, and to determine a second cluster quantity for the second set of clusters. The device is further configured to determine the second cluster quantity is greater than the first cluster quantity, to identify a cluster that is not present in the first set of clusters, and to modify settings on a user device from within the cluster.

Abstract: Described herein are systems, methods, and software to enhance incident response in an information technology (IT) environment. In one example, an incident service identifies a course of action to respond to an incident in the IT environment. The incident service further identifies a particular step in the course of action associated with a credential requirement based on traits associated with the particular step, and generates a credential request to obtain credentials to support the credential requirement.