Abstract: IPRID reputation assessment enhances cybersecurity. IPRIDs include IP addresses, domain names, and other network resource identities. A convolutional neural network or other machine learning model is trained with data including aggregate features or rollup features or both. Aggregate features may include aggregated submission counts, classification counts, HTTP code counts, detonation statistics, and redirect counts, for instance. Rollup features reflect hierarchical rollups of data using <unknown> value placeholders specified in IPRID templates. The trained model can predictively infer a label, or produce a rapid lookup table of IPRIDs and maliciousness probabilities. Training data may be organized in grids with rows, columns, planes, branches, and slots. Training data may include whois data, geolocation data, and tenant data. Training data tuple sets may be expanded by date or by original IPRID.

Abstract: Cybersecurity enhancements help avoid malicious Uniform Resource Locators (URLs). Embodiments may reduce or eliminate reliance on subjective analysis or detonation virtual machines. URL substrings are automatically analyzed for maliciousness using malice patterns. Patterns may test counts, lengths, rarity, encodings, and other inherent aspects of URLs. URLs may be analyzed individually, or in groups to detect shared portions, or both. URL analysis may use or avoid machine learning, and may use or avoid lookups. Malice patterns may be used individually or in combinations to detect malicious URLs. Analysis results may enhance security through blocking use of suspect URLs, flagging them for further analysis, or allowing their validated use, for instance. Analysis results may also be fed back to further train a machine learning model or a statistical model.

Abstract: IPRID reputation assessment enhances cybersecurity. IPRIDs include IP addresses, domain names, and other network resource identities. A convolutional neural network or other machine learning model is trained with data including aggregate features or rollup features or both. Aggregate features may include aggregated submission counts, classification counts, HTTP code counts, detonation statistics, and redirect counts, for instance. Rollup features reflect hierarchical rollups of data using <unknown> value placeholders specified in IPRID templates. The trained model can predictively infer a label, or produce a rapid lookup table of IPRIDs and maliciousness probabilities. Training data may be organized in grids with rows, columns, planes, branches, and slots. Training data may include whois data, geolocation data, and tenant data. Training data tuple sets may be expanded by date or by original IPRID.

Abstract: Cybersecurity enhancements help avoid malicious Uniform Resource Locators (URLs). Embodiments may reduce or eliminate reliance on subjective analysis or detonation virtual machines. URL substrings are automatically analyzed for maliciousness using malice patterns. Patterns may test counts, lengths, rarity, encodings, and other inherent aspects of URLs. URLs may be analyzed individually, or in groups to detect shared portions, or both. URL analysis may use or avoid machine learning, and may use or avoid lookups. Malice patterns may be used individually or in combinations to detect malicious URLs. Analysis results may enhance security through blocking use of suspect URLs, flagging them for further analysis, or allowing their validated use, for instance. Analysis results may also be fed back to further train a machine learning model or a statistical model.

Abstract: Providing safe access of a data item accessed through one of a plurality of access channels while concurrently providing a policy check of the data item. An indication associated with accessing a data item through one access channel of a plurality of access channels may be received. In response to receiving the indication associated with accessing the data item, the data item may be automatically analyzed to determine whether the data item satisfies a policy. Also in response to receiving the indication associated with accessing the data item and while determining whether the data item satisfies the policy, safe access of the data item may be provided. Regardless of the access channel through which the data item was accessed, any of the policy check, the safe access, and the analysis of the data item may be the same.

Abstract: Providing safe access of a data item accessed through one of a plurality of access channels while concurrently providing a policy check of the data item. An indication associated with accessing a data item through one access channel of a plurality of access channels may be received. In response to receiving the indication associated with accessing the data item, the data item may be automatically analyzed to determine whether the data item satisfies a policy. Also in response to receiving the indication associated with accessing the data item and while determining whether the data item satisfies the policy, safe access of the data item may be provided. Regardless of the access channel through which the data item was accessed, any of the policy check, the safe access, and the analysis of the data item may be the same.