Abstract: An example system includes a processor to receive a stream of records. The processor can generate an unbiased outlier score for each sample in the stream of records via a trained histogram-based outlier score model. The unbiased outlier score is unbiased for samples including dependent features using feature grouping. The processor can then detect an anomaly in response to detecting that an associated unbiased outlier score of the sample is higher than a predefined threshold.

Abstract: A method including: receiving a set of data representing usage by entities of objects in a computing resource; extracting, from the initial set of data, one or more feature vectors representing the usage by one of the entities with respect to the objects; generating, from the feature vectors, a feature matrix; with respect to each entry in the feature matrix: (i) assigning a binary value to the entry, based on a predefined usage threshold, (ii) identifying, among the one or more entities, k nearest neighbor entities with respect to the one of the entities, based on a predefined distance threshold, and (iii) modifying the usage value of the entry, based on usage values associated with each of the k nearest neighbor entities with respect to the one of the objects; and updating the feature matrix with the modified usage values, to obtain a manipulated feature matrix.

Abstract: In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.

Abstract: Described are techniques for automated generation of labeled datasets for training an AI model to identify a cyberattack. The techniques include receiving configuration information for simulating a cyberattack against a target computer network. The techniques further include executing a cyberattack simulation, based on the configuration information, against the target computer network, where one or more attack log files containing information related to the cyberattack simulation are generated by resources of the target computer network in response to the cyberattack simulation. The techniques further include generating labeled training data from the one or more attack log files to correspond to specifications of the target computer network, and training an artificial intelligence (AI) model to identify the cyberattack in the target computer network using the labeled training data.

Abstract: In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.

Abstract: Systems and methods provide a platform for threat information sharing. A method comprises transmitting an access permission request to a blockchain network. The request asks for access to cyber threat information stored in at least one cyber threat information storage system. The information may come from a plurality of organizations. The blockchain network may include a blockchain ledger storing access control information from the plurality of organizations. Upon receipt of a reference to an access permission token generated by the blockchain network using at least one smart contract, a transaction request to the cyber threat information server may be sent. In response to the transaction request including the reference to the access permission token, the requested cyber threat information may be retrieved from the cyber threat information server.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.

Abstract: An example system includes a processor to monitor a user interface to generate activity logs including step-flows. The processor is to extract features and common variables from unstructured data in the activity logs and generate structured log events based on the extracted features and the common variables. The processor is to generate a workflow model based on the structured log events. The processor is to automate or assist workflow based on the generated workflow model.

Abstract: Embodiments of the present systems and methods may provide a platform for threat information sharing.

Abstract: A vehicle system, comprising multiple electronic control units (ECUs) configured to manage operation of multiple vehicle components, a controller area network (CAN) bus that provides communication pathways between the multiple ECUs, and a threat validation module configured to receive a message from an electronic control unit (ECU) of the multiple ECUs, wherein the message comprises data of a suspicious message flagged by the ECU, generate a query to determine authenticity of the message, broadcast the query to at least one ECU of the multiple ECUs, listen for responses from the at least one ECU, and determine whether the suspicious message is an actual threat based at least on a count of received responses.

Abstract: A computerized method comprising, on a mobile computing device, processing a vehicle integration request made by one or more of (i) the mobile computing device and (ii) a transportation vehicle. The mobile computing device computes a risk assessment value that quantifies a security risk to the transportation vehicle as a result of connecting the mobile computing device to the transportation vehicle, where the computing is based on one or more of a hardware and a software of the mobile computing device. The mobile computing device transmits the risk assessment value to a vehicle computer integrated in the transportation vehicle. The mobile computing device completes a digital data connection with the vehicle computer when the risk assessment value complies with a vehicle access security policy of the vehicle computer.

Abstract: A method comprising using at least one hardware processor for receiving a plurality of media files captured in real-time by a sensor of a client terminal, wherein each of the plurality of media files comprises data captured from the environment surrounding the client terminal. The method comprises extracting a plurality of captured media fragments from the plurality of media files. The method comprises retrieving a plurality of random media fragments from a database. The method comprises sending the plurality of captured media fragments and the plurality of random media fragments to the client terminal or to a different client terminal, for presentation to a user in an arbitrary order. The method comprises receiving from the client terminal or the different client terminal a selection of the plurality of captured media fragments. The method comprises sending a user authentication to a secure server module based on the selection.

Abstract: A system comprising: a software agent stored on a non-transient computer-readable storage medium in a motor vehicle, the software agent comprising instructions that cause a processor in the motor vehicle to: monitor, in real time (i) events occurring in an operating system of the motor vehicle and any application running thereon, (ii) messages transmitted by Electronic Control Units (ECUs) of the motor vehicle over an in-vehicle network of the motor vehicle, and (iii) network activity between the motor vehicle and external network resources; detect suspicious events, messages, and network activity, in the monitored events, messages, and network activity, respectively; repeatedly execute Stateful Event Processing (SEP) on a combination of the detected suspicious events, messages, and network activity; and infer potential computer security threats based on results of the SEP.

Abstract: A vehicle system, comprising multiple electronic control units (ECUs) configured to manage operation of multiple vehicle components, a controller area network (CAN) bus that provides communication pathways between the multiple ECUs, and a threat validation module configured to receive a message from an electronic control unit (ECU) of the multiple ECUs, wherein the message comprises data of a suspicious message flagged by the ECU, generate a query to determine authenticity of the message, broadcast the query to at least one ECU of the multiple ECUs, listen for responses from the at least one ECU, and determine whether the suspicious message is an actual threat based at least on a count of received responses.

Abstract: A method comprising using at least one hardware processor for receiving a plurality of media files captured in real-time by a sensor of a client terminal, wherein each of the plurality of media files comprises data captured from the environment surrounding the client terminal. The method comprises extracting a plurality of captured media fragments from the plurality of media files. The method comprises retrieving a plurality of random media fragments from a database. The method comprises sending the plurality of captured media fragments and the plurality of random media fragments to the client terminal or to a different client terminal, for presentation to a user in an arbitrary order. The method comprises receiving from the client terminal or the different client terminal a selection of the plurality of captured media fragments. The method comprises sending a user authentication to a secure server module based on the selection.

Abstract: Embodiments of the present invention disclose a method, computer system, and a computer program product for vehicle software security associated with a vehicle. The present invention may include collecting vehicle data from the vehicle. The present invention may also include collecting mobile device data from an authorized mobile device associated with an authorized operator. The present invention may then include comparing the collected vehicle data with the collected mobile device data. The present invention may further include determining that the collected vehicle data does not match the collected mobile device data. The present invention may include also sending an alert message to a security control application based on determining that the collected vehicle data does not match the collected mobile device data.

Abstract: Embodiments of the present invention disclose a method, computer system, and a computer program product for vehicle software security associated with a vehicle. The present invention may include collecting vehicle data from the vehicle. The present invention may also include collecting mobile device data from an authorized mobile device associated with an authorized operator. The present invention may then include comparing the collected vehicle data with the collected mobile device data. The present invention may further include determining that the collected vehicle data does not match the collected mobile device data. The present invention may include also sending an alert message to a security control application based on determining that the collected vehicle data does not match the collected mobile device data.

Abstract: A cooperative vehicle monitoring method including, at an intravehicular monitor configured with each of a plurality of vehicles, gathering any in-vehicle data associated with the vehicle, detecting any intravehicular anomaly associated with the vehicle by analyzing the in-vehicle data, and reporting intravehicular information including any of the detected intravehicular anomaly and the in-vehicle data, and, at an extravehicular monitor, detecting any anomaly by analyzing the reported intravehicular information in combination with extravehicular data that are external to the plurality of vehicles, and reporting any of the intravehicular information, the extravehicular data, and any anomaly detected at the extravehicular monitor.

Abstract: Techniques for monitoring a controller area network bus are described herein. In one example, a system comprises a processor that is to detect a message from a source electronic control unit in a vehicle and calculate a location of the source electronic control unit based on at least two arrival times, the arrival times indicating a distance between a first monitor and the source electronic control unit. The processor can also detect that the message corresponds to a function controlled by a second electronic control unit and generate a warning that the message from the source electronic control unit is malicious.

Abstract: A cooperative vehicle monitoring method including, at an intravehicular monitor configured with each of a plurality of vehicles, gathering any in-vehicle data associated with the vehicle, detecting any intravehicular anomaly associated with the vehicle by analyzing the in-vehicle data, and reporting intravehicular information including any of the detected intravehicular anomaly and the in-vehicle data, and, at an extravehicular monitor, detecting any anomaly by analyzing the reported intravehicular information in combination with extravehicular data that are external to the plurality of vehicles, and reporting any of the intravehicular information, the extravehicular data, and any anomaly detected at the extravehicular monitor.