Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service oriented software-defined security framework are disclosed. In one aspect, a system includes a security control device, one or more assets, and a security controller that communicates with the security control device and the one or more assets. The security controller includes a processing engine configured to register the security control device by creating a physical-logical attribute mapping for the security control device, and generating a security service description associated with the security control device. The processing engine is further configured to register the one or more assets by creating a physical-logical attribute mapping for each of the one or more assets, and generating security service requirements for each of the one or more assets. The processing engine is further configured to generate a security service binding based on a request for service.

Abstract: Examples of malware detection are provided. In an example, to detect malwares, a first subset of features may be determined from a binary file. The binary file may be analyzed based on machine learning model to determine a category of malware, which is based on a degree of detectability of the category. A first category may have a lower detectability of malware in the binary file and a second category may have a higher detectability than the first. A model may then be created to analyze the first category of malware and an analysis of the binary may be performed. The analysis may be performed using the model. Thereafter, a confidence score may be generated for the binary file. The confidence score may be indicative of certainty of determining whether the binary file is goodware or includes malware. Malware may be detected upon the confidence score exceeding a threshold value.

Abstract: A computer-implemented method that includes a computing system receiving a plurality of data items that include content data. The system then generates a first inference model based on the received content data. The system also receives metadata associated with respective data items and then generates a second inference model based on the received metadata data. The system further determines, based on the first inference model, a first weight parameter associated with the content data, and determines, based on the second inference model, a second weight parameter associated with the metadata. The system then generates a classification model for determining a classification of at least one data item of the plurality of data items. The classification model is generated based on at least one of the first weight parameter or the second weight parameter.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service oriented software-defined security framework are disclosed. In one aspect, a system includes a security control device, one or more assets, and a security controller that communicates with the security control device and the one or more assets. The security controller includes a processing engine configured to register the security control device by creating a physical-logical attribute mapping for the security control device, and generating a security service description associated with the security control device. The processing engine is further configured to register the one or more assets by creating a physical-logical attribute mapping for each of the one or more assets, and generating security service requirements for each of the one or more assets. The processing engine is further configured to generate a security service binding based on a request for service.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service oriented software-defined security framework are disclosed. In one aspect, a system includes a security control device, one or more assets, and a security controller that communicates with the security control device and the one or more assets. The security controller includes a processing engine configured to register the security control device by creating a physical-logical attribute mapping for the security control device, and generating a security service description associated with the security control device. The processing engine is further configured to register the one or more assets by creating a physical-logical attribute mapping for each of the one or more assets, and generating security service requirements for each of the one or more assets. The processing engine is further configured to generate a security service binding based on a request for service.

Abstract: A computer-implemented method that includes a computing system receiving a plurality of data items that include content data. The system then generates a first inference model based on the received content data. The system also receives metadata associated with respective data items and then generates a second inference model based on the received metadata data. The system further determines, based on the first inference model, a first weight parameter associated with the content data, and determines, based on the second inference model, a second weight parameter associated with the metadata. The system then generates a classification model for determining a classification of at least one data item of the plurality of data items. The classification model is generated based on at least one of the first weight parameter or the second weight parameter.

Abstract: A computer-implemented method that includes a computing system generating a first classification model for determining a classification of a data item. The first classification model is generated using at least baseline content data or baseline metadata. The system receives modified content data indicating a change to the baseline content data and modified metadata indicating a change to the baseline metadata. The system generates an impact metric based on at least the modified content data or the modified metadata and compares the impact metric to a threshold metric to determine whether the impact metric exceeds the threshold metric. In response to the impact metric exceeding the threshold impact metric, the system generates a second classification model for determining a classification of the data item.

Abstract: A system may include first sensor to monitor first information relating a volume of information searched by a user, a second sensor to monitor second information relating to a number of requests, made by the user, to access a resource, a third sensor to monitor third information relating to a number of requests, made by the user, from different geographic locations, and a device to receive the first information, the second information, and the third information, and process the first information, the second information, and the third information in connection with the resource.

Abstract: Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for service oriented software-defined security framework are disclosed. In one aspect, a system includes a security control device, one or more assets, and a security controller that communicates with the security control device and the one or more assets. The security controller includes a processing engine configured to register the security control device by creating a physical-logical attribute mapping for the security control device, and generating a security service description associated with the security control device. The processing engine is further configured to register the one or more assets by creating a physical-logical attribute mapping for each of the one or more assets, and generating security service requirements for each of the one or more assets. The processing engine is further configured to generate a security service binding based on a request for service.

Abstract: Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided.

Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided.

Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided.

Abstract: Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

Abstract: A system may include first sensor to monitor first information relating a volume of information searched by a user, a second sensor to monitor second information relating to a number of requests, made by the user, to access a resource, a third sensor to monitor third information relating to a number of requests, made by the user, from different geographic locations, and a device to receive the first information, the second information, and the third information, and process the first information, the second information, and the third information in connection with the resource.

Abstract: Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.

Abstract: A method of sampling semiconductor wafers includes passing a lot of semiconductor wafers into a semiconductor processing tool, processing a first portion of the lot in one process chamber of the semiconductor processing tool and a second portion of the lot in another process chamber of the semiconductor processing tool to produce processed semiconductor wafers, and initiating a wafer sampling engine to select at least one of the processed semiconductor wafers for sampling. The wafer sampling engine computes a long term process capability index for the processing tool and a short term process performance index for at least one of the processing tool and process chamber, identifies at least one desired sampling measurement type, selects the at least one of the processed semiconductor wafers for sampling, and collects the desired measurement types from the at least one of the processed semiconductor wafers selected for sampling.