Abstract: In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.

Abstract: Described are techniques for automated generation of labeled datasets for training an AI model to identify a cyberattack. The techniques include receiving configuration information for simulating a cyberattack against a target computer network. The techniques further include executing a cyberattack simulation, based on the configuration information, against the target computer network, where one or more attack log files containing information related to the cyberattack simulation are generated by resources of the target computer network in response to the cyberattack simulation. The techniques further include generating labeled training data from the one or more attack log files to correspond to specifications of the target computer network, and training an artificial intelligence (AI) model to identify the cyberattack in the target computer network using the labeled training data.

Abstract: In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.

Abstract: Systems and methods provide a platform for threat information sharing. A method comprises transmitting an access permission request to a blockchain network. The request asks for access to cyber threat information stored in at least one cyber threat information storage system. The information may come from a plurality of organizations. The blockchain network may include a blockchain ledger storing access control information from the plurality of organizations. Upon receipt of a reference to an access permission token generated by the blockchain network using at least one smart contract, a transaction request to the cyber threat information server may be sent. In response to the transaction request including the reference to the access permission token, the requested cyber threat information may be retrieved from the cyber threat information server.

Abstract: Embodiments of the present systems and methods may provide a platform for threat information sharing.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification or information retrieval. One example method of operation may include one or more of receiving an access request from a requesting device for access to an encryption key associated with a user device, broadcasting the request to peer nodes for approval or disapproval, storing a transaction to a blockchain indicating the approval or disapproval of the request for access to the encryption key, and providing access to the encryption key when the approval is indicated.

Abstract: A vehicle system, comprising multiple electronic control units (ECUs) configured to manage operation of multiple vehicle components, a controller area network (CAN) bus that provides communication pathways between the multiple ECUs, and a threat validation module configured to receive a message from an electronic control unit (ECU) of the multiple ECUs, wherein the message comprises data of a suspicious message flagged by the ECU, generate a query to determine authenticity of the message, broadcast the query to at least one ECU of the multiple ECUs, listen for responses from the at least one ECU, and determine whether the suspicious message is an actual threat based at least on a count of received responses.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A system comprising: a software agent stored on a non-transient computer-readable storage medium in a motor vehicle, the software agent comprising instructions that cause a processor in the motor vehicle to: monitor, in real time (i) events occurring in an operating system of the motor vehicle and any application running thereon, (ii) messages transmitted by Electronic Control Units (ECUs) of the motor vehicle over an in-vehicle network of the motor vehicle, and (iii) network activity between the motor vehicle and external network resources; detect suspicious events, messages, and network activity, in the monitored events, messages, and network activity, respectively; repeatedly execute Stateful Event Processing (SEP) on a combination of the detected suspicious events, messages, and network activity; and infer potential computer security threats based on results of the SEP.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A vehicle system, comprising multiple electronic control units (ECUs) configured to manage operation of multiple vehicle components, a controller area network (CAN) bus that provides communication pathways between the multiple ECUs, and a threat validation module configured to receive a message from an electronic control unit (ECU) of the multiple ECUs, wherein the message comprises data of a suspicious message flagged by the ECU, generate a query to determine authenticity of the message, broadcast the query to at least one ECU of the multiple ECUs, listen for responses from the at least one ECU, and determine whether the suspicious message is an actual threat based at least on a count of received responses.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification or information retrieval. One example method of operation may include one or more of receiving an access request from a requesting device for access to an encryption key associated with a user device, broadcasting the request to peer nodes for approval or disapproval, storing a transaction to a blockchain indicating the approval or disapproval of the request for access to the encryption key, and providing access to the encryption key when the approval is indicated.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A method, computer system, and a computer program product for identifying a hacked database is provided. The present invention may include generating a marked account using a plurality of data. The present invention may then include initiating a first transaction using the generated marked account. The present invention may also include determining that a second transaction has occurred using the generated marked account. The present invention may further include receiving notification of the second transaction based on determining that the second transaction occurred.

Abstract: A method obtains a first data item signature for a first data item, the first data item signature comprising an association between a plurality of synch points in the first data item and a corresponding plurality of block signatures. The process attempts to find one of the synch points in a second data item; and, if such a synch point is found, then a block signature of a corresponding block of bits in the second data item is determined. The process ascertains whether the synch point and corresponding block signature from the second data item correspond to a synch point and block signature in the first data item. If a predetermined number of synch points and corresponding block signatures match, the first and second data items are considered to match. In response to said determining, one or more actions associated with the first data item are performed.

Abstract: Embodiments of the present invention disclose a method, computer system, and a computer program product for vehicle software security associated with a vehicle. The present invention may include collecting vehicle data from the vehicle. The present invention may also include collecting mobile device data from an authorized mobile device associated with an authorized operator. The present invention may then include comparing the collected vehicle data with the collected mobile device data. The present invention may further include determining that the collected vehicle data does not match the collected mobile device data. The present invention may include also sending an alert message to a security control application based on determining that the collected vehicle data does not match the collected mobile device data.

Abstract: Embodiments of the present invention disclose a method, computer system, and a computer program product for vehicle software security associated with a vehicle. The present invention may include collecting vehicle data from the vehicle. The present invention may also include collecting mobile device data from an authorized mobile device associated with an authorized operator. The present invention may then include comparing the collected vehicle data with the collected mobile device data. The present invention may further include determining that the collected vehicle data does not match the collected mobile device data. The present invention may include also sending an alert message to a security control application based on determining that the collected vehicle data does not match the collected mobile device data.

Abstract: A method, system and computer-usable medium for performing an authorization operation on an Internet of Things (IoT) type device, comprising: providing each of a plurality of IoT type devices with a respective authorization system; receiving a request to share resources at one of the plurality of IoT type devices; determining via the respective authorization system whether the one of the plurality of IoT devices has an IoT resource available for sharing; and, enabling sharing of the IoT resource when the respective authorization system determines that the IoT resource is available for sharing.

Abstract: A method obtains a first data item signature for a first data item, the first data item signature comprising an association between a plurality of synch points in the first data item and a corresponding plurality of block signatures. The process attempts to find one of the plurality of synch points in a second data item; and, if such a synch point is found, then a block signature of a corresponding block of bits in the second data item is determined by applying a hash function to the corresponding block of bits in the second data item. The process ascertains whether the synch point and corresponding block signature from the second data item correspond to a synch point and block signature in the first data item signature. If a predetermined number of synch points and corresponding block signatures match, the first and second data items are considered to match.