Abstract: A method includes identifying a potentially malicious node using a rating assigned to nodes within the network and decrementing the rating based on detected dropped messages to identify a potentially malicious node. The malicious node is identified based on location information obtained from the nodes within the network and comparable distances from the potentially malicious node. The method further includes ending communications with the malicious node and selecting a new parent node based on a presumption that any of the plurality of nodes other than the malicious node are non-malicious.

Abstract: Methods and systems are provided for user authentication in communication systems. An identification token may be generated in response to a user terminal loading a web page from a web server, with the identification token associated with a time stamp indicating when a network address is used by the user terminal, and with generating the identification token being triggered in response to a request from the user terminal to load the web page. User authentication information, associated with the network address and the time stamp, may be obtained and sent to one or both of the user terminal and the web server for authenticating the user of the communication network. Triggering the generating of the identification token may include instructing the user terminal to request the identification token and/or identifying the network address in response to the request from the user terminal to load the web page.

Abstract: Techniques and mechanisms are disclosed for configuring actions to be performed by a network security application in response to the detection of potential security incidents, and for causing a network security application to report on the performance of those actions. For example, users may use such a network security application to configure one or more “modular alerts.” As used herein, a modular alert generally represents a component of a network security application which enables users to specify security modular alert actions to be performed in response to the detection of defined triggering conditions, and which further enables tracking information related to the performance of modular alert actions and reporting on the performance of those actions.

Abstract: Mechanisms, which can include systems, method, and media, for protecting network devices from malicious rich text format (RTF) files are provided, the mechanisms comprising: intercepting an RTF file destined for a network device; parsing the RTF file to identify a plurality of objects in the RTF file; checking a first object of the plurality of objects for a first heuristic; based upon an outcome of the checking of the first object for the first heuristic, increasing a cumulative weight by a first weight value; comparing the cumulative weight against at least one threshold to classify the RTF file; and based on the classification of the RTF file, taking a protective action on the RTF file.

Abstract: A system has at least one machine, including at least one device for exchanging data with another device of the at least one machine or of another machine for a joint solution of a task or with a higher-level device. The system further including a certification device configured to identify the at least one machine with a root certificate and configured to grant a sub-certificate to the at least one device of the machine. The certification device is further configured to sign the sub-certificate with the root certificate of the at least one machine in order to identify the at least one device as belonging to the at least one machine, and the sub-certificate is issued biuniquely for the at least one device.

Abstract: Provided herein are systems and methods for determining a likelihood that an executable comprises malware. A learning engine may determine a plurality of attributes of an executable identified in a computing environment, and a corresponding weight to assign to each of the plurality of attributes. Each of the plurality of attributes may be indicative of a level of risk for the computing environment. The learning engine may generate, according to the determined plurality of attributes and the corresponding weights, one or more scores indicative of a likelihood that the executable comprises malware. A rule engine may perform an action to manage operation of the executable, according to the generated one or more scores.

Abstract: Described herein are systems and methods for improving incident response in an information technology (IT) environment. In one implementation, an incident service initiates execution of a course of action and identifies a step in the first course of action that determines data in a first format. The incident service further determines a format requirement for a second step in the course of action and translates the data from the first format to the second format in accordance with the format requirement.

Abstract: A method in a first node of a wireless communications network comprises: inspecting a data packet or message to determine a characteristic of the data packet or message; and selectively activating integrity protection for onward transmission of the data packet or message to a second node of the wireless communications network based on the determined characteristic.

Abstract: Embodiments of the invention provide for malware collusion detection in a mobile computing device. In one embodiment, a method for malicious inter-application interaction detection in a mobile computing device includes filtering applications installed in a mobile device to a set of related applications and then monitoring in the mobile device execution of the related applications in the set. The method additionally includes computing resource utilization of one of the related applications executing in a background of the mobile device while also computing execution performance of a different one of the related applications. Finally, the method includes responding to a determination that the computed resource utilization is high while the computed execution performance is poor by generating a notification in the display of the mobile device that the one of the related applications is suspected of malware collusion with the different one of the related applications.

Abstract: A system, method, and computer program product are provided for dynamically configuring a virtual environment for identifying unwanted data. In use, a virtual environment located on a first device is dynamically configured based on at least one property of a second device. Further, unwanted data is identified, utilizing the virtual environment.

Abstract: A target device stores secure information and one or more security tools configured to protect against unauthorized access of the secure information. A first database stores profiles for each of a set of predefined attack groups. Each profile includes a set of attack techniques used by the corresponding attack group and, for each attack technique, a corresponding set of mitigations. A second database stores control policies. Each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device. A controls monitor determines an attack controls superset based on the profiles and control policies. A controls health dashboard receives a user query and provides a representation of a portion of the attack controls superset that is associated with the received query.

Abstract: Embodiments are described for a pattern-based control system that learns and applies device usage patterns for identifying and disabling devices exhibiting abnormal usage patterns. The system can learn a user's normal usage pattern or can learn abnormal usage patterns, such as a typical usage pattern for a stolen device. This learning can include human or algorithmic identification of particular sets of usage conditions (e.g., locations, changes in settings, personal data access events, application events, IMU data, etc.) or training a machine learning model to identify usage condition combinations or sequences. Constraints (e.g., particular times or locations) can specify circumstances where abnormal pattern matching is enabled or disabled. Upon identifying an abnormal usage pattern, the system can disable the device, e.g., by permanently destroying a physical component, semi-permanently disabling a component, or through a software lock or data encryption.

Abstract: Systems and methods for connecting devices via a virtual global network across network fabrics using a network tapestry are disclosed. The network system comprises a first access point server in communication with a first backbone exchange server, a second access point server in communication with a second backbone exchange server, and a network tapestry comprising a first communication path connecting the first and second access point servers and a second communication path connecting the first and second backbone exchange servers.

Abstract: The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.

Abstract: Utilities (e.g., methods, systems, apparatuses, etc.) for use in generating and making use of priority scores for data generated by one or more data systems that more accurately prioritize those events and other pieces of data to be addressed by analysts and troubleshooters before others (e.g., collectively taking into account threats posed by origin host components and risks to impacted host components) to work the highest risk events and alarms first and to effectively and efficiently spend their alarm monitoring time.

Abstract: Various embodiments provide for the consolidation of policies across multiple identities that are respectively associated with multiple active directory (AD) groups to which a user belongs. Present embodiments provide for dynamically generating a new identity in the resource provider environment that includes permissions to all of the resources that may otherwise be distributed across multiple identities. Specifically, in accordance with various embodiments, when a user login is detected, the active directory is queried to determine the AD groups to which the user belongs. As mentioned, the user's AD groups are mapped to respective identities in the resource provider environment, in which each identity includes policy defining access to one or more resources. The policies of all the respective identities are consolidated and assigned to a new identity. The user may assume the new identity and access all the resources in tandem.

Abstract: A secure device operating with a secure tamper-resistant platform including a tamper-resistant hardware platform and a virtual primary platform operating with a low level operating system performing an abstraction of resources of the hardware platform, and a secondary platform with a high level operating system providing a further abstraction of resources to applications in which respective internal hosts are embedded, the secure device including an internal host domain including the internal hosts, the secure device including a plurality of physical and/or logical input/output interfaces through which external hosts can access the internal hosts, the virtual primary platform being configured to set interactions between the external hosts and the internal hosts, wherein the internal host domain includes a further set of virtual hosts each configured to operate as a proxy between an input/output interface and an application, each input/output interface being configured to address only one among the virtual hos

Abstract: Techniques are described for managing internet-of-things (IoT) devices, such as managing the storage of data generated by the IoT devices, managing the access, to the data, by users, processes, and/or other entities, managing command and control of the devices, and so forth. In some implementations, an IoT platform is provided for IoT device management, and the IoT platform can be agnostic with respect to providers. For example, the IoT platform may provide one or more common interfaces that enable communications with IoT devices that are manufactured by different device providers. In some implementations, a distributed ledger system (DLS) is employed to facilitate IoT device management. For example, the DLS can act as a gateway and/or overall interface to control access of users, processes, devices, IoT device providers, and/or other entities to the IoT devices and/or to an IoT platform.

Abstract: Described herein are methods, systems, and software to handle verification information in a content node. In one example, a method of operating a content node includes receiving a secure content request from an end user device and determining the availability of verification information stored on the content node to service the secure content request. The method further provides, if the verification information is available, verifying the end user device based on the verification information. The method also includes, if the verification information is unavailable, querying an origin server to verify the end user device.

Abstract: An apparatus may include a processor that may be caused to access a distribution of a plurality of values, each value of the plurality of values quantifying an event of an event type in a computer network. The processor may determine a mean of the plurality of values and a second highest value of the plurality of values, generate an expected maximum of the distribution based on the mean and the second highest value, and access a first value quantifying a first event of the event type in the computer network. The processor may further determine that the first event is an anomalous event based on the first value and the expected maximum.