Patents Examined by Thomas Gyorfi
  • Patent number: 11822618
    Abstract: A method may include receiving data from a device within a network, wherein the data is associated with one or more features of the device, and determining a subset of the features of the device that is associated with a runtime behavior of the device. The method may also perform a univariate analysis on a feature dataset that is associated with the subset of the features of the device, perform a multivariate analysis on the feature dataset that is associated with correlated features in the subset of the features, and generate a device signature based on the univariate analysis and the multivariate analysis.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: November 21, 2023
    Assignee: Dell Products L.P.
    Inventors: Mohammad Rafey, Hung The Dinh, Bijan Kumar Mohanty
  • Patent number: 11818146
    Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: November 14, 2023
    Assignee: Forescout Technologies, Inc.
    Inventors: Daniel Ricardo dos Santos, Elisa Costante, Mario Dagrada, Alessandro Manzi
  • Patent number: 11805141
    Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output both the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: October 31, 2023
    Assignee: International Business Machines Corporation
    Inventor: Fady Copty
  • Patent number: 11805137
    Abstract: Data-driven applications depend on training data obtained from multiple internal and external data sources. Hence poisoning of the training data can cause adverse effects in the data-driven applications. Conventional methods identify contaminated test samples and avert them from entering into the training. A generic approach covering all data-driven applications and all types of data poisoning attacks in an efficient manner is challenging. Initially, data aggregation is performed after receiving a ML application for testing. A plurality of feature vectors are extracted from the aggregated data and a poisoned data set is generated. A plurality of personas are generated and are further prioritized to obtain a plurality of attack personas. Further, a plurality of security assessment vectors are computed for each of the plurality of attack personas. A plurality of preventive measures are recommended for each of the plurality of attack personas based on the corresponding security assessment vector.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: October 31, 2023
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Manish Shukla, Rosni Kottekulam Vasu, Sachin Premsukh Lodha, Sanjay Seetharaman
  • Patent number: 11803650
    Abstract: A database management system receives a request to process a database query on behalf of a security principal. The database management system determines that processing the database query requires access to an encrypted portion of a file containing data subject to access conditions. The database management system determines that the security principal is authorized to use a key that corresponds to the encrypted portion of the file. The database management system then completes processing of the query by using the key to access the encrypted portion of the file.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: October 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Turkay Mert Hocanin, Anthony A. Virtuoso
  • Patent number: 11800361
    Abstract: The technology includes a method performed by a security system of a 5G network to thwart a cyberattack. The security system is instantiated to monitor and control network traffic at a perimeter of the 5G network in accordance with a security model based on a vulnerability parameter, a risk parameter, and a threat parameter. The security system can process the network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the network traffic in relation to the parameters. Based on the VRT score, the system redirects the network traffic to a containment area that mimics an intended destination or related process of the network traffic to induce malicious VRT traffic. When malicious VRT traffic is detected, the security system can, for example, prevent the network traffic from being communicated to the 5G network.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: October 24, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11770393
    Abstract: Various methods, apparatuses/systems, and media for detecting a target behavior are disclosed. A processor implements a machine learning cadence model that implements an algorithm to obtain, on a per session basis, cadence data that indicates average time between each call and a standard deviation of times across each call across all active sessions of a desired target. The processor compares the cadence data to predefined background cadence data to identify whether the desired target is a new threat target or a background traffic; generates an internet protocol (IP) address of the new threat target; inputs the IP address of the new threat target into a machine learning behavior model that implements an algorithm to generate a fingerprint of all known places that the new threat target is operating; and applies a mitigation algorithm to all active sessions of the new threat target.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: September 26, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Devin C Moore
  • Patent number: 11770391
    Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: September 26, 2023
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11757903
    Abstract: A method, system, and medium used in unauthorized communication detection in an onboard network system having electronic control units connected to a network include: identifying, from information relating to an attack message on the onboard network system, a communication pattern indicating features of the attack message; determining whether a candidate reference message matches the communication pattern; and determining a reference message used as a reference in determining whether or not a message sent out onto the network is an attack message, using results of the determining of whether or not the candidate reference message matches the communication pattern identified in the identifying operation.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: September 12, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Manabu Maeda, Takeshi Kishikawa, Daisuke Kunimune
  • Patent number: 11757936
    Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11757844
    Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11743272
    Abstract: A method comprises analyzing, by a machine-learning model, a first network communication with a first set of inputs. The method also comprises inferring, by the machine-learning model and based on the analyzing, that a first device that is a party to the first network communication exhibits a device property. The method also comprises extracting, from the machine-learning model, a first set of significant inputs that had a significant impact on the determining. The method also comprises creating, using the first set of inputs, a rule for identifying the device property. The rule establishes a condition that, when present in a network communication, implies that a party to the network communication exhibits the device property.
    Type: Grant
    Filed: August 10, 2020
    Date of Patent: August 29, 2023
    Assignee: International Business Machines Corporation
    Inventors: Thai Franck Le, Mudhakar Srivatsa
  • Patent number: 11720624
    Abstract: In one embodiment, a storage device that is installable in an electronic apparatus includes a first communication interface for connecting the electronic apparatus to the storage device, a nonvolatile memory for storing data and a data management table storing a data size and address information for the data stored in the nonvolatile memory, and a processor configured to change at least one piece of data stored in the nonvolatile memory without changing file management information stored in the data management table. The processor is configured to change the stored data without receiving an instruction to do so from the electronic apparatus through the first interface.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: August 8, 2023
    Assignee: Kioxia Corporation
    Inventor: Tatsuo Shiozawa
  • Patent number: 11714909
    Abstract: Upon receiving malware detection rules that are to be identified with respect to an input traffic stream, a rule database that requires less storage capacity than the malware detection rules is generated by substituting tokens for selected symbol strings within the malware detection rules. A compressed traffic stream is generated by substituting the tokens for instances of the selected symbol strings within the input traffic stream, and then compared with the rule database to determine whether the input traffic stream contains one or more symbol sequences that correspond to any of the malware detection rules.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: August 1, 2023
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11711385
    Abstract: Aspects of the disclosure relate to real-time detection of anomalous content in a transmission of textual data. A computing platform may monitor, in real-time and via a computing device, a transmission of textual data from a user device. Then, the computing platform may scan, via the computing device, a content of the textual data. The computing platform may then perform, via the computing device and based on the scanning, textual analysis of the scanned content. Subsequently, the computing platform may detect, in real-time and based on the textual analysis, an anomalous pattern indicative of secure enterprise information. Then, the computing platform may trigger, via the computing device, one or more security actions to prevent the transmission of the secure enterprise information.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: July 25, 2023
    Assignee: Bank of America Corporation
    Inventors: Elijah Clark, George Albero
  • Patent number: 11703424
    Abstract: A method for detecting anomalies during operation of an asset to improve performance of the asset includes collecting, via a server, data relating to operation of the asset or a group of assets containing the asset. The data includes normal and abnormal asset behavior of the asset or the group of assets containing the asset. Further, the method includes automatically removing, via an iterative algorithm programmed in the server that utilizes one or more inputs or outputs of an anomaly detection analytic, portions of the data containing the abnormal asset behavior to form a dataset containing only the normal asset behavior. The method also includes training, via a computer-based model programmed in the server, the anomaly detection analytic using, at least, the dataset containing only the normal asset behavior. Moreover, the method includes applying, via the server, the anomaly detection analytic to the asset so as to monitor for anomalies during operation thereof.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: July 18, 2023
    Assignee: General Electric Company
    Inventors: Dayu Huang, Frederick Wilson Wheeler, John Joseph Mihok, David C. Korim
  • Patent number: 11693978
    Abstract: A printed circuit (PC) card apparatus can, in an absence of external power provided to a Peripheral Component Interconnect Express (PCIe) PC card, prevent and detect unauthorized access to secure data stored on a memory device mounted on the PCIe PC card. The PCIe card includes a primary battery to supply, when external power is disconnected from the PCIe card, power to an electronic security device mounted on the PCIe card. The PC card apparatus also includes a PCIe edge connector protector enclosing electrically conductive fingers of a PCIe edge card connector. The PCIe edge connector protector includes a hidden supplemental charge storage device integrated into the PCIe edge connector protector. The PCIe edge connector protector also includes electrically conductive contacts to transfer supplemental power from the supplemental charge storage device to the electronic security device.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: July 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Matthew Doyle, Gerald Bartley
  • Patent number: 11689558
    Abstract: An attack path detection method, attack path detection system and non-transitory computer-readable medium are provided in this disclosure. The attack path detection method includes the following operations: establishing a connecting relationship among a plurality of hosts according to a host log set to generate a host association graph; labeling at least one host with an abnormal condition on the host association graph; calculating a risk value corresponding to each of the plurality of hosts; in a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host; and searching at least one host attack path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: June 27, 2023
    Assignee: INSTITUTE FOR INFORMATION INDUSTRY
    Inventors: Meng-Hsuan Chung, Chieh Lee, Hsiao-Hsien Chang
  • Patent number: 11689568
    Abstract: In several aspects of the present invention, a processor receives, from a rule-based intrusion detection system, an intercepted request sent by a hacker. A processor analyzes the intercepted request to determine, in part, a type of service and a type of hacker. A processor builds a first layer of a honeypot maze based on the analyzed intercepted request. A processor simulates the first layer of the honeypot maze to the hacker. A processor iteratively builds additional layers of the honeypot maze based on additional intercepted requests from the hacker.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: June 27, 2023
    Assignee: International Business Machines Corporation
    Inventors: Francesco Maria Carteri, Roberto Ragusa
  • Patent number: 11677716
    Abstract: A system, method, and computer-readable medium are disclosed for management of a distributed web application firewall (WAF) cluster that supports one or more protected applications. A WAF cluster infrastructure is configured for the protected applications. The WAF cluster includes one or more WAFs that are used to route traffic directed to the protected applications. The WAF cluster infrastructure is validated as to be current and updated. The validated WAF cluster infrastructure is then used as a routing service.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: June 13, 2023
    Assignee: Dell Products L.P.
    Inventors: Frank DiRosa, Rene Herrero, Poul C. Frederiksen, Yongliang Li, Rashmi Krishnamurthy