Abstract: A method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module, the set of features comprising static features, behavior features and context features, identifying a first cluster comprising one or more known software modules previously classified as benign, computing distance metrics between the extracted feature set of the first software module and feature sets of respective ones of the known software modules in the first cluster, classifying the first software module as one of benign and potentially malicious based on a comparison between the computed distance metrics and a neighborhood distance metric based on distances between feature sets of the known software modules in the first cluster, and modifying access by a given client device to the first software module responsive to classifying the first software module as potentially malicious.

Abstract: A method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module including static, behavior and context features, computing distance metrics between the extracted feature set and feature sets of a plurality of clusters including one or more clusters of software modules previously classified as benign and exhibiting a first threshold level of similarity relative to one another and one or more clusters of software modules previously classified as potentially malicious and exhibiting a second threshold level of similarity relative to one another, classifying the first software module as belonging to a given cluster based at least in part on the computed distance metrics, and modifying access by a given client device to the first software module responsive to the given cluster being a cluster of software modules previously classified as potentially malicious.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain internal log data of a computer network of an enterprise, to extract values of a plurality of designated internal features from the log data, to obtain additional data from one or more external data sources, and to extract values of a plurality of designated external features from the additional data. The extracted values are applied to a regression model based on the internal and external features to generate malicious activity risk scores for respective ones of a plurality of domains, illustratively external domains having fully-qualified domain names (FQDNs). A subset of the domains are identified based on their respective malicious activity risk scores, and one or more proactive security measures are taken against the identified subset of domains. The processing device may be implemented in the computer network or an associated network security system.

Abstract: A processing device comprises a processor coupled to a memory and is configured to obtain data characterizing host devices of a computer network of an enterprise. The data is applied to a logistic regression model to generate malware infection risk scores for respective ones of the host devices. The malware infection risk scores indicate likelihoods that the respective host devices will become infected with malware. The logistic regression model incorporates features of the host devices including at least user demographic features, virtual private network (VPN) activity features and web activity features of the host devices, and the data characterizing the host devices comprises data for the incorporated features. Proactive measures are taken to prevent malware infection in a subset of the host devices based at least in part on the malware infection risk scores. The processing device may be implemented in the computer network or an associated network security system.

Abstract: A processing device comprises a processor coupled to a memory and is configured to obtain data relating to communications initiated by host devices of a computer network of an enterprise, and to process the data to identify external domains contacted by the host devices. A graph inference algorithm is applied to analyze contacts of the host devices with the external domains in order to characterize one or more of the external domains as suspicious domains. The host devices are configured to counteract malware infection from the suspicious domains. The graph inference algorithm in some embodiments comprises a belief propagation algorithm, which may be initiated with one or more seeds corresponding to respective known suspicious domains or to respective ones of the external domains determined to be associated with command and control behavior. The processing device may be implemented in the computer network or an associated network security system.

Abstract: A processing device is configured to identify a plurality of defensive security actions to be taken to address a persistent security threat to a system comprising information technology infrastructure, and to determine a schedule for performance of the defensive security actions based at least in part on a selected distribution derived from a game-theoretic model, such as a delayed exponential distribution or other type of modified exponential distribution. The system subject to the persistent security threat is configured to perform the defensive security actions in accordance with the schedule in order to deter the persistent security threat. The distribution may be selected so as to optimize defender benefit in the context of the game-theoretic model, where the game-theoretic model may comprise a stealthy takeover game in which attacker and defender entities can take actions at any time but cannot determine current game state without taking an action.

Abstract: Example embodiments of the present invention provide authenticated file system that provides integrity and freshness of both data and metadata more efficiently than existing systems. The architecture of example embodiments of the present invention is natural to cloud settings involving a cloud service provider and enterprise-class tenants, thereby addressing key practical considerations, including garbage collection, multiple storage tiers, multi-layer caching, and checkpointing. Example embodiments of the present invention support a combination of strong integrity protection and practicality for large (e.g., petabyte-scale), high-throughput file systems. Further, example embodiments of the present invention support proofs of retrievability (PoRs) that let the cloud prove to the tenant efficiently at any time and for arbitrary workloads that the full file system (i.e.

Abstract: A client device or other processing device comprises a file processing module, with the file processing module being operative to provide a file to a file system for encoding, to receive from the file system a proof of correct encoding of the file, and to verify the proof of correct encoding. The file system may comprise one or more servers associated with a cloud storage provider. Advantageously, one or more illustrative embodiments allow a client device to verify that its files are stored by a cloud storage provider in encrypted form or with other appropriate protections.

Abstract: At least one virtual machine implemented on a given physical machine in an information processing system is able to detect the presence of one or more other virtual machines that are also co-resident on that same physical machine. More particularly, at least one virtual machine is configured to avoid usage of a selected portion of a memory resource of the physical machine for a period of time, and to monitor the selected portion of the memory resource for activity during the period of time. Detection of a sufficient level of such activity indicates that the physical machine is also being shared by at least one other virtual machine. The memory resource of the physical machine may comprise, for example, a cache memory, and the selected portion of the memory resource may comprise one or more randomly selected sets of the cache memory.

Abstract: A proof of retrievability (POR) mechanism is applicable to a data object for providing assurances of data object possession to a requesting client by transmitting only a portion of the entire data object. The client compares or examines validation values returned from predetermined validation segments of the data object with previously computed validation attributes for assessing the existence of the data object. Since the archive server does not have access to the validation function prior to the request, or challenge, from the client, the archive server cannot anticipate the validation values expected from the validation function. Further, since the validation segments from which the validation attributes, and hence the validation values were derived, are also unknown to the server, the server cannot anticipate which portions of the data object will be employed for validation.

Abstract: Access control systems are provided that mediate access to derivatives of sensitive data. A method is provided for processing a data request from a client, the data request comprising a client identifier and an indication of the intended use of the data, by receiving the data request from the client; providing the client identifier and indicated use to an access manager, wherein the access manager assesses a risk of providing access to the data for the indicated use; if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions from the access manager; computing a result; and providing the result to the client, wherein the provided result comprises the derivative of sensitive data. The access manager grants the access for the indicated use, for example, based on a risk score.

Abstract: A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.

Abstract: A client device or other processing device comprises a file processing module, with the file processing module being operative to provide a file to a file system for encoding, to receive from the file system a corresponding encoded file, and to verify that the file system stores at least a designated portion of an encapsulation of the encoded file. In an illustrative embodiment, the file processing module receives, in addition to or in place of the encoded file, a proof of correct encoding. The file system may comprise one or more servers associated with a cloud storage provider. Advantageously, one or more illustrative embodiments allow a client device to verify that its files are stored by a cloud storage provider in encrypted form or with other appropriate protections.

Abstract: Example embodiments of the present invention provide authenticated file system that provides integrity and freshness of both data and metadata more efficiently than existing systems. The architecture of example embodiments of the present invention is natural to cloud settings involving a cloud service provider and enterprise-class tenants, thereby addressing key practical considerations, including garbage collection, multiple storage tiers, multi-layer caching, and checkpointing. Example embodiments of the present invention support a combination of strong integrity protection and practicality for large (e.g., petabyte-scale), high-throughput file systems. Further, example embodiments of the present invention support proofs of retrievability (PoRs) that let the cloud prove to the tenant efficiently at any time and for arbitrary workloads that the full file system (i.e.

Abstract: Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the security policy against configuration information characterizing the cloud infrastructure of the cloud service provider, and to control execution of one or more applications of said at least one tenant within the cloud infrastructure in accordance with the security policy, based at least in part on one or more results of the analysis of the security policy. The security policy enforcement framework may be implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure, and may comprise a runtime controller, an operating system controller, a hypervisor controller and a PaaS controller.

Abstract: A processing device is configured to maintain counters for respective stored data blocks, and to encrypt a given one of the data blocks utilizing a value of the data block in combination with a value of its associated counter. The encryption may comprise a homomorphic encryption operation performed on the given data block as a function of the value of that data block and the value of its associated counter, with the homomorphic encryption operation comprising an operation such as addition or multiplication performed over a designated field. A given one of the counters is incremented each time the corresponding data block is subject to an update operation. The data block can be encrypted, for example, by combining a value of that data block with an additional value determined using the associated counter value, such as a one-time pad value determined as a function of the counter value.

Abstract: A proof of retrievability (POR) mechanism is applicable to a file for providing assurances of file possession to a requesting client by transmitting only a portion of the entire file. The client compares or examines validation values returned from predetermined validation segments of the file with previously computed validation attributes for assessing the existence of the file. Since the archive server does not have access to the validation function prior to the request, or challenge, from the client, the archive server cannot anticipate the validation values expected from the validation function. Further, since the validation segments from which the validation attributes, and hence the validation values were derived, are also unknown to the server, the server cannot anticipate which portions of the file will be employed for validation.