Patents Examined by Thomas Gyorfi
  • Patent number: 11962595
    Abstract: The present invention is directed to a method, apparatus and computer-readable medium for utilizing a shared computer system. The method includes receiving, by way of at least one interface, an access request associated with a potential user of a financial entity for access to a secure data processing center of a financial regulatory system, wherein the secure data processing center is configured to share information associated with specified financial activities. The method includes determining a classification of the potential user with respect to one or more potential or actual access rights to be associated with the potential user for accessing the secure data processing center. The determined classification of the potential user is that the potential user is an eligible user of the secure data processing center as defined by an accrediting organization of the financial regulatory system.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: April 16, 2024
    Assignee: FINTEL TECHNOLOGIES, INC.
    Inventors: Arthur P. Goldberg, Matthew A. Rosen
  • Patent number: 11924235
    Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of the event, based on which the endpoint protection platform blocks activity by the process. The endpoint protection platform requests input from the cloud-based security platform, which causes the cloud-based security platform to perform a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.
    Type: Grant
    Filed: January 17, 2023
    Date of Patent: March 5, 2024
    Assignee: Fortinet, Inc.
    Inventors: Udi Yavo, Roy Katmor, Ido Kelson
  • Patent number: 11924214
    Abstract: A method for accessing cloud resources via a local application development environment on a computing device. The method includes invoking an access management client at the computing device; obtaining an account identifier associated with a user account and communicating the account identifier to an identity platform; receiving an authentication message from the identity platform in response to the identity platform validating the account identifier, the authentication message comprising a role identifier; communicating the authentication message to the cloud platform; receiving security credentials associated with the role identifier from the cloud platform in response to the cloud platform validating the authentication message and the associated role identifier; setting a variable in the local development environment based on the received security credentials for use by the local development environment to request access to one or more resources maintained by the cloud platform.
    Type: Grant
    Filed: June 22, 2022
    Date of Patent: March 5, 2024
    Assignee: ATLASSIAN PTY LTD.
    Inventors: Shane Anderson, Michael Fuller, Ashley Bartlett
  • Patent number: 11916959
    Abstract: Systems and methods for building systems of honeypot resources for the detection of malicious objects in network traffic. A system includes at least two gathering tools for gathering data about the computer system on which it is installed, a building tool configured for building at least two virtual environments, each including an emulation tool configured for emulating the operation of the computer system in the virtual environment, and a distribution tool configured for selecting at least one virtual environment for each computer system and for establishing connection between the computer system and the virtual environment.
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: February 27, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Yaroslav A. Shmelev, Demeter Dan, Preuss Marco, Mikhail Y. Kuzin
  • Patent number: 11909760
    Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: February 20, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul, Ivan Nikolaev, Martin Grill
  • Patent number: 11902308
    Abstract: A method for detecting threat pathways using sequence graphs includes constructing a sequence graph from a set of data containing information about activities in a telecommunications service provider network, where the sequence graph represents a subset of the activities that occurs as a sequence, providing an embedding of the sequence graph as input to a machine learning model, wherein the machine learning model has been trained to detect when an input embedding of a sequence graph is likely to indicate a threat activity, determining, based on an output of the machine learning model, whether the subset of the activities is indicative of the threat activity, and initiating a remedial action to mitigate the threat activity.
    Type: Grant
    Filed: June 3, 2021
    Date of Patent: February 13, 2024
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Edmond Abrahamian, Maisam Shahid Wasti, Andrew Campbell, Ana Armenta, Prince Paulraj
  • Patent number: 11902322
    Abstract: The network reachability module maps and dynamically tracks network reachability of network addresses and/or devices. The network reachability module can map and dynamically track network reachability of a response-orchestrator engine, via communicating and cooperating with the response-orchestrator engine. The network reachability module has a tracking module to 1) monitor network traffic and 2) keep a list of known devices and/or known subnets on the network, which is dynamically tracked and updated as previously unknown devices and subnets on the network are detected. A trigger module generates a spoofed transmission and/or response communication, supported by a network protocol used by the network. The spoofed transmission and/or response communication can be used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a host for the network reachability module in the network.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: February 13, 2024
    Assignee: Darktrace Holdings Limited
    Inventors: Robert Hutchinson, Alex Markham, Krystian Szczur
  • Patent number: 11902328
    Abstract: Machine learning techniques are described for analyzing information network traffic to identify different devices connected to a network. Transmitted network packets may be passively collected and analyzed. In some cases the described techniques may be used to identify distinct devices connected to a network even though the collected and analyzed packets may lack a unique device identifier, such as a media access control (MAC) identifier, corresponding to a device that originated the packets.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: February 13, 2024
    Assignee: Ordr Inc.
    Inventors: Vivekanandan Vinayagam, Gnanaprakasam Pandian, Sheausong Yang, Vijayaraghavan Doraiswami
  • Patent number: 11893123
    Abstract: In some aspects, a method for mediation of a screenshot capture by a client application based on policy includes identifying, by a client application on a client device, a policy for mediating one or more screenshots of content displayed via the client application. An embedded browser within the client application accesses a network application of one or more servers. The method further includes intercepting, by the client application, a request to capture a screenshot of at least a portion of the network application being displayed, determining, by the client application, one or more mediation actions to perform on the screenshot responsive to the policy, performing, by the client application, the one or more mediation actions on the screenshot, and providing, by the client responsive to the request, the screenshot resulting from the one or more mediation actions.
    Type: Grant
    Filed: March 4, 2021
    Date of Patent: February 6, 2024
    Inventor: Abhishek Chauhan
  • Patent number: 11888979
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond a 4th-Generation (4G) communication system such as Long Term Evolution (LTE). In accordance with an aspect of the present disclosure, a method of transmitting data in a device to device communication system is provided. The method includes determining whether a security feature is applied to one or more packet data convergence protocol (PDCP) data units, configuring the one or more PDCP data units based on the determined result, and transmitting the one or more PDCP data units to one or more receiving user equipments (UEs).
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: January 30, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Anil Agiwal, Rajavelsamy Rajadurai, Young-Bin Chang
  • Patent number: 11887726
    Abstract: Centralized systems execute one or more applications for monitoring and operating a plurality of network enabled medical devices. An indication to start a selected application at the centralized system or at a network enabled medical device is received at the centralized system/network enabled medical device. The selected application may require a license to operate and, at the time the indication is received, may have a first license available. Instead of using the first license, the centralized system/network enabled medical device may determine to inherit at least a portion of a second license to operate the selected application. The centralized system/network enabled medical device may inherit at least the portion of the second license to form an inherited license, where the inherited license enables features of the selected application. Using the inherited license, the selected application is started with the enabled features. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: January 30, 2024
    Assignee: CareFusion 303, Inc.
    Inventors: Martin Orona, Aron Weiler, Patrick Ward
  • Patent number: 11882142
    Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.
    Type: Grant
    Filed: August 18, 2023
    Date of Patent: January 23, 2024
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11882135
    Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, the recommended sequence is revised based on input provided by the analyst and the revised recommendation sequence is stored in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
  • Patent number: 11882130
    Abstract: Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: January 23, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Janos Szurdi, Daiping Liu, Jun Wang
  • Patent number: 11870817
    Abstract: A method of automatically determining operation rules for access control related to container operations on a plurality of computing nodes is disclosed. The method comprises receiving operation datasets representing operations that have been performed by one or more processes associated with one or more computer applications instantiated within one or more containers on the computing nodes; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operation rules for only those operations in the baseline dataset that score more than a score threshold; and causing modifying an orchestrator configuration file for the plurality of computing nodes based on the set of baseline operation rules.
    Type: Grant
    Filed: December 12, 2022
    Date of Patent: January 9, 2024
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 11863536
    Abstract: Remote instructions are received at a remote computing device from a requesting device through a firewall. The remote computing device resides in a secured data center. Access credentials are presented by the requesting device. A request is made to an assistant computing device to query a dataset in communication with the remote computing device. Encrypted access credentials and encrypted remote instructions are received from the assistant computing device. The encrypted access credentials are configured to allow the requesting computing device to access the remote computing device. The encrypted remote instructions are configured to enable the remote computing device to execute at least one of the following: at least one data query, or at least one data manipulation. The encrypted access credentials are decrypted. The encrypted remote instructions are decrypted. The remote instructions are executed to generate query results. The query results are communicated to the requesting device.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: January 2, 2024
    Assignee: DvSum, LLC
    Inventor: Aashish Singhvi
  • Patent number: 11847215
    Abstract: A method for halting malware includes: monitoring plural file system events with a system driver to detect an occurrence of a file system event having a predetermined file type and log event type; triggering a listening engine for file system event stream data of a file associated with the detection of the file system event, the file system event stream data indicating data manipulation associated with the file due to execution of a process; obtaining one or more feature values for each of plural different feature combinations of plural features of the file based on the file system event stream data; inputting one or more feature values into a data analytics model to predict a target label value based on the one or more feature values of the plural different feature combinations and agnostic to the process; and performing a predetermined operation based on the target label value.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 19, 2023
    Assignee: McAfee, LLC
    Inventors: Celeste R. Fralick, Jonathan King, Carl D. Woodward, Andrew V. Holtzmann, Kunal Mehta, Sherin M. Mathews
  • Patent number: 11849023
    Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: December 19, 2023
    Assignee: Palantir Technologies Inc.
    Inventors: Ryan Castellucci, Philip Martin
  • Patent number: 11822618
    Abstract: A method may include receiving data from a device within a network, wherein the data is associated with one or more features of the device, and determining a subset of the features of the device that is associated with a runtime behavior of the device. The method may also perform a univariate analysis on a feature dataset that is associated with the subset of the features of the device, perform a multivariate analysis on the feature dataset that is associated with correlated features in the subset of the features, and generate a device signature based on the univariate analysis and the multivariate analysis.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: November 21, 2023
    Assignee: Dell Products L.P.
    Inventors: Mohammad Rafey, Hung The Dinh, Bijan Kumar Mohanty
  • Patent number: 11818146
    Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: November 14, 2023
    Assignee: Forescout Technologies, Inc.
    Inventors: Daniel Ricardo dos Santos, Elisa Costante, Mario Dagrada, Alessandro Manzi