Abstract: A computer-implemented method, a computer program product, and a computer system for creating malware domain sinkholes by domain clustering. The computer system clusters malware domains into domain clusters. The computer system collects domain metrics in the domain clusters. The computer system sorts clustered malware domains in the respective ones of the domain clusters, based on the domain metrics. The computer system selects, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, wherein the respective domain sinkholes are created for the respective ones of the domain clusters.

Abstract: Systems, apparatuses, and methods to accelerate classification of malicious activity by an intrusion detection system are provided. An intrusion detection system can speculate on classification of labels in a random forest model based on temporary and incomplete set of features. Additionally, an intrusion detection system can classify malicious context based on a set of committed nodes in the random forest model.

Abstract: In a relay device, a transmitting/receiving unit of an ECU relay receives data. A first counter value is incremented if an amount of data received by the transmitting/receiving unit per unit time exceeds a first threshold. A second counter value is incremented if the amount of data received by the transmitting/receiving unit per unit time exceeds a second threshold. The second threshold is greater than the first threshold. A control unit of a bus relay repeatedly monitors the first counter value. If the first counter value is incremented, the control unit shortens a cycle with which the second counter value is monitored.

Abstract: The present invention relates to an improved method of providing identification of a user or authentication of a user's identity. More particularly, the present invention relates to an improved method of providing identification of a user or authentication of a user's identity using conditional behavioural biometrics. The present invention seeks to provide an enhanced method of authenticating and/or identifying a user identity using conditional behavioural biometrics.

Abstract: Systems and methods are disclosed for accessing protected data. A computing device may have a secured stared storage accessible by two or more applications operating on the mobile device. The computing device may obtain a first token from an authorization service to verify user identity for a first application. The first token may be stored in the shared storage area, and be accessible to one or more applications sharing the storage space. In response to a user attempt to access a web service using a second application, the user identity may be verified using the first token. The authorization service may verify user credentials, and send a second token to the computing device. The second token may be a proxy ticket authorizing access and exchange of protected data between the second application and a web service. The second token may also be stored in the secure storage area.

Abstract: In one embodiment, a sender node in a serial network identifies a message identifier for a packet to be sent by the sender node. The sender node selects a cyclical redundancy check (CRC) initialization vector associated with the message identifier. The sender node generates a CRC value for the packet, based on the selected initialization vector. The sender node sends the packet via the serial network. The sent packet includes the message identifier and the generated CRC value. In turn, a receiver node that receives the packet uses the generated CRC value to authenticate the sender node.

Abstract: A game engine sensor of a computing device executing an operating system receives first data from the operating system that represents occurrence of a monitored event. The game engine sensor sends second data corresponding to the monitored event to a game engine logic controller. A first logic block of the game engine logic controller determines, based on the second data and third data representing a system state of the computing device, that a first predicate condition is satisfied. A second logic block of the game engine logic controller determines, based on the second data and the third data, that a second predicate condition is satisfied. A computer security threat is detected based on the first and second predicate conditions being satisfied, and at least one game engine actuator is instructed to perform at least one action responsive to the computer security threat.

Abstract: The embodiment of the disclosure provides an unlocking control method and related products. The method includes: acquiring an environmental parameter; acquiring first biometric information; determining a first biometric control parameter and second biometric control information corresponding to the environmental parameter; performing a first biometric recognition on the first biometric information according to the first biometric control parameter; when the first biometric information is recognized, acquiring second biometric information and performing a second biometric recognition on the second biometric information according to the second biometric control information; performing a next unlocking process when the second biometric information is recognized. Thus, control parameters of recognition processes can be set suitable for the environment, and recognition processes are controlled based on these control parameters, thereby improving the pass rate and the efficiency of the multi-biometric recognition.

Abstract: A method for use in a network communication system including a plurality of electronic controllers that communicate with each other via a bus in accordance with a Controller Area Network (CAN) protocol determines whether or not content of a predetermined field in a frame which has started to be transmitted meets a predetermined condition indicating fraud. In a case where the content of the predetermined field meets the predetermined condition, a frame including predetermined consecutive dominant bits for notifying an anomaly is transmitted before an end of the frame is transmitted. A number of times the frame including the predetermined consecutive dominant bits is transmitted is recorded for each identifier (ID) represented by content of an ID field included in a plurality of frames which has been transmitted. A malicious electronic controller is determined in accordance with the number of times recorded for each ID.

Abstract: Systems, methods, and computer-readable storage media for improved data comparison, particularly when scanning large amounts of data for particular conditions or configurations. With respect to cyber-security, this improvement takes the form of receiving a plurality of threat conditions for cyber threats against a networked computer device; identifying commonalities among the plurality of threat conditions by comparing each threat condition in the plurality of threat conditions against the plurality of threat conditions; generating, based on the commonalities, a hierarchy for scanning of the cyber threats; and scanning for the cyber threats according to the hierarchy.

Abstract: A system for simultaneously testing whether a plurality of electronic devices connected via a communication network correctly handle exceptions. The system includes a communication network, and a plurality of electronic devices and a testing device connected via the communication network. The testing device includes an electronic processor. The electronic processor is configured to send a first status query message to the plurality of electronic devices, send fuzzed data to one or more of the plurality of electronic devices, and send a second status query message to the plurality of the electronic devices. The electronic processor is also configured to, for each electronic device that responds to the first status query message with a valid response and responds to the second status query message with an invalid response or fails to respond to the second status query message, record the electronic device in a failure log.

Abstract: Methods, systems, and apparatus for a threat detection system. The threat detection system includes a threat forensics platform. The threat forensics platform includes a memory. The memory is configured to store a baseline model of controller area network (CAN) data. The threat forensics platform includes a processor coupled to the memory. The processor is configured to obtain CAN data including multiple messages. The processor is configured to compare the CAN data including the multiple messages with the baseline model. The processor is configured to determine a threat score for the CAN data based on the comparison and determine that there is a threat within the CAN data based on the threat score. The processor is configured to provide an indication that there is the threat to a driver of a vehicle or to a service provider.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting network attacks. One of the methods includes obtaining input data associated with a plurality of accounts associated with a particular entity; extracting features from the input data; performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space; and generating an output for the detected attack rings.

Abstract: Provided is a CAN communication based abnormal message detection method including obtaining reception times of reception messages; a reception filtering operation for performing a period calculation for comparing a difference between reception times of reception messages having the same message ID and a reference period of the corresponding message ID; an abnormal message detecting operation for determining the reception messages as abnormal messages when, as a result of the period calculation, the difference between the reception times is smaller than the reference period and determining the reception messages as normal messages when the difference between the reception times is greater than the reference period; and a blocking operation for blocking the abnormal messages.

Abstract: A method and system for security flow analysis of application code comprising: detecting data flows in a code base; and extracting an information flow, comprising determining a primary data flow by identifying a data flow that contains exposed data, and extending the primary data flow through descriptor data flows, wherein the descriptor data flows are associated with the set of data tracked by the primary data flow; wherein the information flow is a high level flow description that exposes the application code vulnerabilities based on the primary data flow and all associated descriptor data flows.

Abstract: At least one machine readable medium comprising a plurality of instructions that in response to being executed by a system cause the system to send a unique identifier to a license server, establish a secure channel based on the unique identifier, request a license for activating an appliance from a license server over the secure channel, receive license data from the license server over the secure channel; determine whether the license is valid, and activate the appliance in response to a determination that the license data is valid.

Abstract: Methods for provisioning and managing Internet-of-Things (IoT) devices over a network using device based tunneled nodes are provided. In one aspect, a method includes receiving, by a first network device in a network, data originated from an Internet-of-Things (IoT) device; identifying a device type of the IoT device by analyzing data packets of the received data; obtaining, by the first network device, a device profile for the IoT device, wherein the device profile is used for provisioning the IoT device to access the network; and provisioning the IoT device using the device profile, wherein the provisioning includes at least one of (1) identifying a tunneling attribute in the device profile; and (2) identifying a constrained application protocol (CoAP) parameter in the device profile, wherein the CoAP parameter is used to zero touch provision one or more device attributes of the IoT device. Systems and machine-readable media are also provided.

Abstract: A cyber-physical system may have monitoring nodes that generate a series of current monitoring node values over time that represent current operation of the system. A hierarchical abnormality localization computer platform accesses a multi-level hierarchy of elements, and elements in a first level of the hierarchy are associated with elements in at least one lower level of the hierarchy and at least some elements may be associated with monitoring nodes. The computer platform may then determine, based on feature vectors and a decision boundary, an abnormality status for a first element in the highest level of the hierarchy. If the abnormality status indicates an abnormality, the computer platform may determine an abnormality status for elements, associated with the first element, in at least one level of the hierarchy lower than the level of the first element. These determinations may be repeated until an abnormality is localized to a monitoring node.

Abstract: Systems and methods for implementing dynamic graph analysis (DGA) to detect anomalous network traffic are provided. The method includes processing communications and profile data associated with multiple devices to determine dynamic graphs. The method includes generating features to model temporal behaviors of network traffic generated by the multiple devices based on the dynamic graphs. The method also includes formulating a list of prediction results for sources of the anomalous network traffic from the multiple devices based on the temporal behaviors.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed and a second mode in which the first type of detecting process is not performed.