Abstract: A model checking system detects violations and conflicts in security and verification policies by running model checking processes. The system detects privilege escalation attacks in misconfigured identification and access management (“IAM”) policies by modeling security policy documents and IAM actions as logical formulas and then running model checking on the model. The system translates non-Boolean variables, such as string variables, into Boolean variables in order to apply an SAT model checker. The model checker also determines whether a policy violation can be achieved in a finite number of steps by elevating privileges of some compromised principal over multiple iterations of the model checking process, or proves absence thereof.

Abstract: Systems and methods provide a platform for threat information sharing. A method comprises transmitting an access permission request to a blockchain network. The request asks for access to cyber threat information stored in at least one cyber threat information storage system. The information may come from a plurality of organizations. The blockchain network may include a blockchain ledger storing access control information from the plurality of organizations. Upon receipt of a reference to an access permission token generated by the blockchain network using at least one smart contract, a transaction request to the cyber threat information server may be sent. In response to the transaction request including the reference to the access permission token, the requested cyber threat information may be retrieved from the cyber threat information server.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.

Abstract: A method for training thresholds controlling data flow in a plurality of cascaded classifiers for classifying malicious software, comprising: in each of a plurality of iterations: computing a set of scores, each for one of a set of threshold sequences, each threshold sequence is a sequence of sets of classifier output thresholds, each set of classifier output thresholds used to control a flow of data from a first cascaded classifier of the plurality of cascaded classifiers to a second cascaded classifier of the plurality of cascaded classifiers, each score computed when classifying, using the respective threshold sequence, each of a plurality of software objects as one of a set of maliciousness classes; computing a set of new threshold sequences by applying a genetic algorithm to the set of threshold sequences and the set of scores; and using the set of new threshold sequences in a consecutive iteration.

Abstract: A method, computer system, and a computer program product for assessing anonymity of a dataset is provided. The present invention may include receiving an original dataset and an anonymized dataset. The present invention may also include preparing a testing dataset and a training dataset for a machine learning algorithm based on the received original dataset and anonymized dataset. The present invention may then include training a machine learning model based on the prepared training dataset. The present invention may further include generating an evaluation score based on the trained machine learning model and the prepared testing dataset. The present invention may also include presenting the generated evaluation score to a user.

Abstract: Incremental generation of models with dynamic clustering. A first set of data is received. A first set of clusters based on the first set of data is generated. A respective first set of models for the first set of clusters is created. A second set of data is received. A second set of clusters, based on the second set of data and based on a subset of the first set of data, is generated. A respective second set of models for the second set of clusters, based on a subset of the first set of models and based on the second set of data, is created.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.

Abstract: Embodiments may provide Digital Rights Management techniques, not to make the reverse engineering process harder, but rather to provide detection of reverse engineering of PCBs, such as by copying of layers of trace layout, so as to enable pursuing legal remedies against the violators. For example, in an embodiment, a method of information encoding may be implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise receiving, at the computer system, information to be encoded in a printed circuit board wiring trace layout and laying out, at the computer system, a plurality of printed circuit board wiring traces so as to encode the received information.

Abstract: A method, computer system, and a computer program product for assessing anonymity of a dataset is provided. The present invention may include receiving an original dataset and an anonymized dataset. The present invention may also include preparing a testing dataset and a training dataset for a machine learning algorithm based on the received original dataset and anonymized dataset. The present invention may then include training a machine learning model based on the prepared training dataset. The present invention may further include generating an evaluation score based on the trained machine learning model and the prepared testing dataset. The present invention may also include presenting the generated evaluation score to a user.

Abstract: A method for defending a computing system against ransomware attacks is disclosed. In one embodiment, such a method includes identifying, on a computing system, files to be protected against ransomware attacks. The method appends a public key to each of the files. Upon receiving a request to modify a specific file, the method reads the public key appended to the file, requests an authentication token from a user, and computes a private key associated with the files. The method combines the public key, authentication token, and private key to generate an unlock key. This unlock key is compared to a validation key. The method authorizes modification of the file in the event the unlock key matches the validation key. A corresponding system and computer program product are also disclosed.

Abstract: Embodiments of the present systems and methods may provide a platform for threat information sharing.

Abstract: Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.

Abstract: A method for training thresholds controlling data flow in a plurality of cascaded classifiers for classifying malicious software, comprising: in each of a plurality of iterations: computing a set of scores, each for one of a set of threshold sequences, each threshold sequence is a sequence of sets of classifier output thresholds, each set of classifier output thresholds used to control a flow of data from a first cascaded classifier of the plurality of cascaded classifiers to a second cascaded classifier of the plurality of cascaded classifiers, each score computed when classifying, using the respective threshold sequence, each of a plurality of software objects as one of a set of maliciousness classes; computing a set of new threshold sequences by applying a genetic algorithm to the set of threshold sequences and the set of scores; and using the set of new threshold sequences in a consecutive iteration.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A computerized method comprising, on a mobile computing device, processing a vehicle integration request made by one or more of (i) the mobile computing device and (ii) a transportation vehicle. The mobile computing device computes a risk assessment value that quantifies a security risk to the transportation vehicle as a result of connecting the mobile computing device to the transportation vehicle, where the computing is based on one or more of a hardware and a software of the mobile computing device. The mobile computing device transmits the risk assessment value to a vehicle computer integrated in the transportation vehicle. The mobile computing device completes a digital data connection with the vehicle computer when the risk assessment value complies with a vehicle access security policy of the vehicle computer.

Abstract: A method for defending a computing system against ransomware attacks is disclosed. In one embodiment, such a method includes identifying, on a computing system, files to be protected against ransomware attacks. The method appends a public key to each of the files. Upon receiving a request to modify a specific file, the method reads the public key appended to the file, requests an authentication token from a user, and computes a private key associated with the files. The method combines the public key, authentication token, and private key to generate an unlock key. This unlock key is compared to a validation key. The method authorizes modification of the file in the event the unlock key matches the validation key. A corresponding system and computer program product are also disclosed.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: There is provided, in accordance with some embodiments, a method comprising using one or more hardware processors for receiving a behavioral biometric model that characterizes a human user according to pointing device data of the human user, where the pointing device data comprises screen coordinate and time stamp pairs. The method comprises an action of monitoring an input data stream from a pointing device in real time, wherein the input data stream covers two or more spatial regions of a display screen, and an action of segregating the input data stream into one or more subset streams that is restricted to one of the plurality of spatial regions. The method comprises an action of computing a similarity score based on one or more comparisons of the behavioral biometric model and the one or more subset streams, and an action of sending the similarity score to a user authorization system.

Abstract: A method, computer system, and a computer program product for assessing anonymity of a dataset is provided. The present invention may include receiving an original dataset and an anonymized dataset. The present invention may also include preparing a testing dataset and a training dataset for a machine learning algorithm based on the received original dataset and anonymized dataset. The present invention may then include training a machine learning model based on the prepared training dataset. The present invention may further include generating an evaluation score based on the trained machine learning model and the prepared testing dataset. The present invention may also include presenting the generated evaluation score to a user.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.