Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11895133
    Abstract: Embodiments of the present invention provide an innovative system, method, and computer program product for automated device activity analysis in both a forward and reverse fashion. A collaborative system for receiving data and continuously analyzing the data to determine emerging patterns associated with particular user devices is provided. The system is also designed to generate a historical query of user device touch points or interaction points with entity systems across multiple data vectors, and generate system alerts as patterns or potential issues are identified. Common characteristics of data may be used to detect patterns that are broadened in scope and used in a generative neural network approach.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: February 6, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Scott Anderson Sims, Jeffrey Brian Bashore, Michael Joseph Carroll, Christopher J. Cooley, Andrew DongHo Kim, Pavan Kumar Reddy Kotlo, Randy J. Nelson, Jennifer Quillen, Lizabeth Rosenberg, Dharmender Kumar Satija, James F. Stevens, Craig Douglas Widmann
  • Patent number: 11895116
    Abstract: A network device obtains information, associated with blacklisted domains, that includes blacklisted domain identifiers, and sinkhole server identifiers associated with the blacklisted domain identifiers. The network device obtains a set of rules that specify match criteria, associated with the blacklisted domains, that include source network addresses and/or destination network addresses for comparison to packet source network addresses and/or packet destination network addresses associated with incoming packets. The set of rules specify actions to perform based on a result of comparing the match criteria and the packet source network addresses and/or the packet destination network addresses for the incoming packets.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Dilip H. Sanghavi, Rishi K. Mutnuru
  • Patent number: 11893125
    Abstract: One or more event logs are received. The one or more event logs are analyzed using a plurality of models to detect one or more anomalous events. A graphical representation of risk entities associated with at least one of the one or more detected anomalous events is provided. A visual representation of automatically detected relationships between the risk entities associated with the at least one of the one or more detected anomalous events is provided in the graphical representation. Indications of measures of anomaly associated with detected anomalous events are provided for the associated risk entities.
    Type: Grant
    Filed: October 14, 2021
    Date of Patent: February 6, 2024
    Assignee: Cohesity, Inc.
    Inventors: Colin Scott Johnson, Mingran Li
  • Patent number: 11888874
    Abstract: Application-initiated network traffic is intercepted and analyzed by an application firewall in order to identify streams of traffic for a target application. An application signature generator preprocesses the raw data packets from the intercepted network traffic by tokenizing the data packets and then weighting each token according to its importance for application identification. The weighted features for each data packet are clustered using an unsupervised learning model, and the resulting clusters are iteratively refined and re-clustered using a proximity score between the clusters and feature vectors for key tokens for the target application. The application signature generator generates a signature for the clusters corresponding to the target application which the application firewall implements for filtering network traffic.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: January 30, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventor: Stefan Achleitner
  • Patent number: 11888879
    Abstract: Methods and systems to identify the domain names that can potentially be used for delivering instructions to a bot, before bots on a computer network succeed in obtaining the instructions. The system maintains a device rating for each device that reflects a likelihood that the device is infected by malware. The system also maintains a domain-name rating for each device that reflects a likelihood that the domain name is malicious. When a device attempts to access a particular domain name, the domain-name rating of the domain name is updated in light of the device rating of the device, and/or the device rating of the device is updated in light of the domain-name rating.
    Type: Grant
    Filed: November 20, 2021
    Date of Patent: January 30, 2024
    Assignee: COGNYTE TECHNOLOGIES ISRAEL LTD.
    Inventors: Yitshak Yishay, Vadim Pogulievsky
  • Patent number: 11886585
    Abstract: A computing system including a processor and a memory, which includes a first memory region operating as a kernel space and a second memory region operating as a user space. Maintained within the kernel space, a first logic unit receives a notification identifying a newly created thread and extracts at least meta-information associated with the newly created thread. Maintained within the user space, a second logic unit receives at least the meta-information associated with the newly created thread and conducts analytics on at least the meta-information to attempt to classify the newly created thread. An alert is generated by the second logic unit upon classifying the newly created thread as a cyberattack associated with a malicious position independent code execution based at least on results of the analytics associated with the meta-information associated with the newly created thread.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: January 30, 2024
    Assignee: Musarubra US LLC
    Inventor: Stephen Davis
  • Patent number: 11888891
    Abstract: A method for creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages. One or more n-grams are generated, using the first classifier, based on the extracted terms. A vector representation of the extracted terms is generated, using a second classifier, based on the generated one or more n-grams. The second classifier includes a logit model. A weight coefficient is assigned to each of the one or more extracted terms based on an output of the trained logit model. A higher weight coefficient indicates higher relevancy to BEC attack of the corresponding term. A heuristic rule associated with the BEC attack is generated by combining the weight coefficients of a combination of the one or more extracted terms.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: January 30, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Roman A. Dedenok, Nikita D. Benkovich, Dmitry S Golubev, Yury G. Slobodyanuk
  • Patent number: 11880452
    Abstract: A system manages resources based on a hardware transactional memory unit. The system stores a system profile map comprising system profiles of applications. The system profile of an application stores information describing system resource utilization of the application. If a request for resources for executing a new application is received, a hardware transactional memory unit determines an amount of memory to be allocated for executing the new application and allocates memory partitions for executing the new application. The system profile of the new application is compared with system profiles in the system profile map. If there are any indicators of compromise representing potential compromise of the new application the request for resources for the new application is denied. The system generates and uses true random numbers.
    Type: Grant
    Filed: June 8, 2023
    Date of Patent: January 23, 2024
    Assignee: B QT Technologies
    Inventor: Dipnarayan Guha
  • Patent number: 11882137
    Abstract: Data relating to attacks is collected in honeypots, including network address of attacks and time of attacks. The attack data is analyzed to generate a predicted likelihood of future attacks from network addresses in the activity data, and a network address blacklist is constructed including network addresses predicted likely to be a source of a future attack. The process is repeated over time, such that network addresses with no recent honeypot activity are removed from the blacklist.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: January 23, 2024
    Assignee: AVAST SOFTWARE, S.R.O.
    Inventors: Petr Kadeřábek, Vladislav Iliushin
  • Patent number: 11880336
    Abstract: An apparatus, a method, and computer program product are provided that tracks data for, and generated by, machine learning for accurate and precise deletion. The method includes receiving a dataset for use in training a machine learning model and registering a file from the dataset into a reference table, wherein the file is designated for monitoring. The file designation can indicate that the file is confidential and requires deletion upon completion of training of the machine learning model and project. The method also includes monitoring the file for an event that accesses the file, detecting a read access event occurring on the file, and determining a creation of a derivative file generated as a result of the read access event. The method further includes registering the derivative file into the reference table and indicating an association between the derivative file and the file in the reference table.
    Type: Grant
    Filed: March 10, 2022
    Date of Patent: January 23, 2024
    Assignee: International Business Machines Corporation
    Inventors: Takehiro Wakabayashi, Shingo Nagai
  • Patent number: 11880458
    Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: January 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Sathyanarayana, Anoop Wilbur Saldanha, Abhijit Mohanta
  • Patent number: 11876831
    Abstract: A DDoS handling device configured to handle communication directed to a target of a DDoS attack flowing in from an adjacent autonomous system in an autonomous system provided with a plurality of mitigating locations includes: a load distribution determination unit configured to determine whether or not to execute load distribution processing on the basis of an amount of available resources at mitigating locations corresponding to a gateway device into which the communication directed to the target flows and an amount of the communication directed to the target in a case in which at least one attack has been detected; a load distribution processing unit configured to decide mitigating locations to be used to handle the communication directed to the target from among the plurality of mitigating locations to solve shortage of resources at the mitigating locations for each attack, in a case in which the load distribution determination unit determines to execute the load distribution processing; and an attack hand
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: January 16, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Hiroaki Maeda, Hisashi Kojima, Yoshiko Sueda
  • Patent number: 11876814
    Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
    Type: Grant
    Filed: March 8, 2023
    Date of Patent: January 16, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Itamar Azulay, Guy Lewin, Sharon Lifshits
  • Patent number: 11876807
    Abstract: In some aspects, a computing system can control access of a user computing device to a resource. The computing system can obtain an access request submitted by a user computing device. The computing system can verify permission information in the access request to determine that the access request is valid. If the access request is valid, the computing system submits an authentication request to request an authentication system to authenticate the user and obtains authentication results generated by the authentication system. The computing system further provides, based on the authentication results, an access control decision for the access request.
    Type: Grant
    Filed: April 14, 2022
    Date of Patent: January 16, 2024
    Assignee: Equifax Inc.
    Inventors: Rajkumar Bondugula, Piyush Patel, Samiyuru Geethanjana Senarathne Menik Hitihami Mudiyanselage
  • Patent number: 11874924
    Abstract: Detection of malicious JavaScript based on automated user interaction emulation is disclosed. A malware sample is executed in an instrumented virtual environment. Dynamic behavior is triggered based on emulated user interactions.
    Type: Grant
    Filed: November 2, 2021
    Date of Patent: January 16, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jin Chen, Tao Yan, Taojie Wang, Bo Qu
  • Patent number: 11868861
    Abstract: A method includes receiving, by a server computer, data of a communication device; training, by the server computer, a neural network model based on the data of the communication device and communication device metadata from one or more additional communication devices, to generate a machine learning model configured to determine, based on a metadata associated with an application, a security value related to an indication of a security threat; and transmitting the machine learning model to the communication device. The communication device can use the machine learning model to determine the security value, by inputting the metadata associated with the application, as a vectorized data into the machine learning model. The communication device can determine whether to run or install the application based upon the security value.
    Type: Grant
    Filed: March 22, 2023
    Date of Patent: January 9, 2024
    Assignee: Visa International Service Association
    Inventors: Theodore Harris, Yue Li, Tatiana Korolevskaya, Craig O'Connell
  • Patent number: 11870930
    Abstract: A mobile virtual network operator is provided. The operator includes a server that is communicatively coupled to a mobile device. The mobile device includes application software provided by the virtual network operator for allowing phone call and data connectivity.
    Type: Grant
    Filed: August 4, 2023
    Date of Patent: January 9, 2024
    Assignee: Seven Networks, LLC
    Inventor: Trevor Fiatal
  • Patent number: 11868486
    Abstract: A system for processing data within a Trusted Execution Environment (TEE) of a processor is provided. The system may include: a trust manager unit for verifying identity of a partner and issuing a communication key to the partner upon said verification of identity; at least one interface for receiving encrypted data from the partner encrypted using the communication key; a secure database within the TEE for storing the encrypted data with a storage key and for preventing unauthorized access of the encrypted data within the TEE; and a recommendation engine for decrypting and analyzing the encrypted data to generate recommendations based on the decrypted data.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: January 9, 2024
    Assignee: ROYAL BANK OF CANADA
    Inventors: Edison U. Ortiz, Arya Pourtabatabaie, Ambica Pawan Khandavilli, Margaret Inez Salter, Jordan Alexander Richards, Iustina-Miruna Vintila
  • Patent number: 11870668
    Abstract: Methods and systems for managing operation of data processing systems are disclosed. To manage operation of the data processing systems, the data processing systems may collect and use diagnostic data to manage various devices. The diagnostic data may be collected using different processes depending on the state of operable connections between components of the data processing systems, and the capabilities of the devices from which the diagnostic data is collected. The diagnostic data may be collected by invoking collection functionality of the devices, or through management of diagnostic data collection processes by other devices.
    Type: Grant
    Filed: March 17, 2023
    Date of Patent: January 9, 2024
    Assignee: Dell Products L.P.
    Inventors: Chandrasekhar Mugunda, Rui An, Akshata Sheshagiri Naik
  • Patent number: 11868865
    Abstract: A system includes receiving data associated with an account, the data having a plurality of members; generating based on an ensemble teacher model, a deep learning model having a number of layers; inputting a plurality of members determined to be daily inputs into the deep learning model; extracting a daily pattern from the daily inputs and aggregating a deep learning model output; inputting the global inputs and an aggregated deep learning model output into a classifier; outputting from the classifier, a number of scores combined into a single score for the account. Further, the device may include alerting a user if the single score falls outside of a predetermined threshold.
    Type: Grant
    Filed: June 8, 2023
    Date of Patent: January 9, 2024
    Assignee: Fifth Third Bank
    Inventors: Nathan Banks, David Black
  • Patent number: 11868465
    Abstract: A computer includes a memory and a processor programmed to execute instructions stored in the memory. The instructions include identifying a function in a binary file, assigning one of a plurality of classifications to the function, and determining that the function requires stack cookie protection based at least in part on the classification assigned to the function.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: January 9, 2024
    Assignee: Blackberry Limited
    Inventors: Adam John Boulton, Benjamin John Godwood
  • Patent number: 11870790
    Abstract: Methods, systems, and apparatus for detecting and mitigating anomalous network traffic. With at least one processor in a network, information regarding network traffic flows is obtained and a classification model is generated based on the obtained information, the classification model comprising one or more classification rules for classifying network traffic as normal or anomalous. With the at least one processor in the network, the network traffic is classified as anomalous or normal based on the generated classification model and at least one mitigation action is initiated based on the network traffic being classified as anomalous.
    Type: Grant
    Filed: December 4, 2022
    Date of Patent: January 9, 2024
    Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
    Inventor: Richard A Compton
  • Patent number: 11861049
    Abstract: A system and method for defense against cache timing channel attacks using cache management hardware is provided. Sensitive information leakage is a growing security concern exacerbated by shared hardware structures in computer processors. Recent studies have shown how adversaries can exploit cache timing channel attacks to exfiltrate secret information. To effectively guard computing systems against such attacks, embodiments disclosed herein provide practical defense techniques that are readily deployable and introduce only minimal performance overhead. In this regard, a new protection framework against cache timing channel attacks is provided herein by leveraging commercial off-the-shelf (COTS) hardware support in processor caches, including last level caches (LLC), for cache monitoring and partitioning. This framework applies signal processing techniques on per-domain cache occupancy data to identify suspicious application contexts.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: January 2, 2024
    Assignee: The George Washington University
    Inventors: Guru Prasadh V. Venkataramani, Milos Doroslovacki, Fan Yao, Hongyu Fang
  • Patent number: 11863585
    Abstract: One or more computing devices, systems, and/or methods are provided. Event information associated with a plurality of events may be identified. The plurality of events may be associated with first entities corresponding to a first entity type and second entities associated with a second entity type. A first network profile associated with the first entities and the second entities may be generated based upon the event information. An iterative process may be performed to identify a coalition network associated with fraudulent activity. The iterative process may include analyzing the first network profile to identify a first set of entities, of the first entities, that are related to an entity of the second entities, and/or analyzing the first network profile to identify a second set of entities, of the second entities, that are related to the first set of entities. Multiple iterations may be performed to identify the coalition network.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: January 2, 2024
    Assignee: YAHOO ASSETS LLC
    Inventors: Ruichen Wang, Timothy Michael Olson, Yan Han, Jian Tian, Robert Jason Harris, Shaima Abdul Majeed
  • Patent number: 11863570
    Abstract: A blockchain-based network security system is a decentralized anti-attack network constructed by means of blockchain. The anti-attack network includes a blockchain network system and a server system, wherein both systems are disposed independently and the data link between them is connected via a switch. A plurality of block nodes in the blockchain network system are provided with anti-attack servers, and each anti-attack server is provided with at least one sub-server. When the sub-server of the anti-attack server encounters an abnormal access event, the path information in the access event is loaded into the blockchain network system via the switch connected to the anti-attack server. In one example, the path information in the abnormal access event is loaded into the blockchain network system for distributed processing so as to prevent the resource depletion of the anti-attack server in which the attacked sub-server is located.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: January 2, 2024
    Assignee: SHANGHAI NEWDON TECHNOLOGY CO., LTD.
    Inventors: Tengxiao Yang, Zheng Xiao, Tao Yan
  • Patent number: 11861017
    Abstract: A method for evaluating security of a third-party application is disclosed. The method includes: receiving, from a first application, a request to obtain first account data for a user account associated with a protected data resource; generating fake data for at least a portion of the requested first account data; providing, to the first application, a first data set in response to the request, the first data set including at least the generated fake data; monitoring use of the first data set by the first application; detecting a trigger condition indicating misuse of account data based on monitoring use of the first data set by the first application; in response to detecting the trigger condition, generating a notification identifying the misuse of account data; and transmitting the notification to a computing device associated with an application user.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 2, 2024
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, David Samuel Tax, Gregory Albert Kliewer, Anthony Haituyen Nguyen, Sairam Srinivasa Poguluru, Shishir Dattatraya Bhat
  • Patent number: 11863526
    Abstract: Techniques are disclosed relating to dynamically routing network traffic between defense layers. For example, in various embodiments, a server system may implement a traffic distribution module that is operable to distribute a particular type of network traffic across multiple different defense layers. The traffic distribution module may receive a first set of requests that have been identified as being indicative of that particular type of network traffic and then route this first set of requests across the different defense layers based on a set of distribution weightage values. In various embodiments, the disclosed techniques include determining an updated set of distribution weightage values based on an effectiveness of the defense layers in mitigating the particular type of network traffic. In such embodiments, the traffic distribution module may then use this updated set of distribution weightage values to route a second set of network traffic across the various defense layers.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: January 2, 2024
    Assignee: PayPal, Inc.
    Inventor: George Chen Kaidi
  • Patent number: 11860679
    Abstract: A method for detecting a security vulnerability in code may include obtaining (i) a permitted information flow graph for a permitted query and (ii) a target information flow graph for a target query in the code, determining, by traversing the permitted information flow graph, a permitted information flow including permitted disclosed columns, permitted accessed columns, and a permitted predicate, determining, by traversing the target information flow graph, a target information flow including target disclosed columns, target accessed columns, and a target predicate, comparing the permitted information flow and the target information flow to obtain a comparison result, and determining, based on the comparison result, that the target query includes the security vulnerability.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: January 2, 2024
    Assignee: Oracle International Corporation
    Inventors: Kostyantyn Vorobyov, Padmanabhan Krishnan
  • Patent number: 11864001
    Abstract: An adaptive fifth generation (5G) communications system includes an adaptive 5G tower; a first adaptive 5G site coupled by a dedicated link with the adaptive 5G tower; and a second adaptive 5G site coupled by a direct link with the first adaptive 5G site. The direct link may be established by the first adaptive 5G site and couples the second adaptive 5G site with the adaptive 5G tower. Data signals may be communicated between the adaptive 5G tower and the second adaptive 5G site via the direct link and the dedicated link. Usage of the direct link is accounted for in a blockchain master ledger. The blockchain master ledger corresponds to an adaptive 5G model and may be separately maintained by each of the adaptive 5G tower, the first adaptive 5G site, and the second adaptive 5G site. The master ledger may include relay, processing, path, power, and transaction layers.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: January 2, 2024
    Assignee: DISH Wireless L.L.C.
    Inventors: Jeffrey Lang McSchooler, Jennings Maxwell Orcutt, David Robert Zufall, Christopher William Krasny Ergen, Mark Henry Gomez
  • Patent number: 11853452
    Abstract: Embodiments relate to keeping databases compliant with data protection regulations by sensing the presence of sensitive data and transferring the data to compliant geographies. A request including information is received, the request being intended for processing on a local database. A model is used to process the information of the request. Responsive to the model determining that information relates to sensitive data, the request is transferred to a remote database associated with a geography meeting a requirement for the sensitive data in order to execute the request.
    Type: Grant
    Filed: November 5, 2021
    Date of Patent: December 26, 2023
    Assignee: International Business Machines Corporation
    Inventors: Lucas Correia Villa Real, Rogerio Cesar Barbosa dos Santos da Silva Silva, Claudio Bandeira Dutra, Raphael Guedes Amorim
  • Patent number: 11855768
    Abstract: Assessing risk of a cyber security failure in a computer network of an entity includes: assessing risk of an entity, using a computer agent configured to collect information from at least publicly accessible Internet elements, and automatically recommending, based at least in part on the assessed risk, changes to reduce the assessed risk to mitigate the theoretical damage. The assessed risk comprises a cyber security failure risk in a computer network of the entity; and the assessing of risk comprises: generating a disaster scenario that comprises elements of a disaster event; modeling the disaster scenario against a profile of the entity; and determining theoretical damage based at least in part on the modeling.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: December 26, 2023
    Assignee: Guidewire Software, Inc.
    Inventors: George Y. Ng, Frank Beier, Olivier Giulieri, Yoshifumi Yamamoto, Zheng Cheung
  • Patent number: 11853367
    Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.
    Type: Grant
    Filed: July 20, 2022
    Date of Patent: December 26, 2023
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, David Wayman, Kavita Varadarajan
  • Patent number: 11853418
    Abstract: A system and method for detecting and preventing cyberintrusion of a protected system incorporates neural networks having a training mode and a host-accessible (e.g., non-training) mode. When in training mode, the neural networks observe data exchanges with a protected system via interfaces (based on test inputs) and generate system templates corresponding to observed normal behaviors of the interfaces (including “gold standard” behavior indicative of optimal performance behaviors and/or minimal threat of cyberintrusion). When in host-accessible mode, the neural networks observe operating behaviors of the interfaces for each exchange via the interfaces and apply stored system templates to the system data to most closely approximate the optimal behavior set.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: December 26, 2023
    Assignee: Rockwell Collins, Inc.
    Inventors: Reginald D. Bean, Gregory W. Rice
  • Patent number: 11853425
    Abstract: Malware uses various techniques to detect a sandbox environment so that malicious code can avoid execution in closely monitored contexts that might otherwise trigger detection and remediation. A security system is dynamically updated to exploit these anti-sandbox techniques, e.g., by causing endpoints to mimic sandbox environments in a manner that discourages malware execution on the endpoint, and by updating sandboxes to alter or hide sandbox detection triggers.
    Type: Grant
    Filed: October 9, 2020
    Date of Patent: December 26, 2023
    Assignee: Sophos Limited
    Inventors: Ross McKerchar, Erik Jan Loman, Simon Neil Reed, Kenneth D. Ray, Andrew J. Thomas, Karl Ackerman
  • Patent number: 11856016
    Abstract: The technology disclosed includes a system to reduce clutter during graph presentation for security incident analysis. The system includes logic to score nodes potentially collapsed by equivalence, of indicated interest for security incident analysis, to prevent aggregation. The system includes logic to aggregate and hide equivalent nodes that have matching degrees, that are connected to matching nodes by matching edge types, and that have scores below a first selected threshold. The system does not collapse nodes that are interesting for security analysis and keeps them visible. The technology disclosed identifies chains of at least three nodes having degrees of 1 or 2, without branching from any node in the chain. The identified chains are collapsed into chain-collapsed single nodes. Two different cases of chains including whisker chains ending in a leaf node and chains connected at both ends to two other nodes are presented.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: December 26, 2023
    Assignee: Netskope, Inc.
    Inventors: Raymond J. Canzanese, Jr., Nigel Brown
  • Patent number: 11847249
    Abstract: The present disclosure provides a communication network node for providing data to a distributed ledger, wherein the node has circuitry configured to: provide a user data management part for separating sensitive user data and non-sensitive user data, and provide the non-sensitive user data to the distributed ledger.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: December 19, 2023
    Assignee: SONY CORPORATION
    Inventor: Hideji Wakabayashi
  • Patent number: 11848913
    Abstract: To perform pattern-based detection of malicious URLs, patterns are first generated from known URLs to build a pattern repository. A URL is first normalized and parsed, and keywords are extracted and stored in an additional repository of keywords. Tokens are then determined from the parsed URL and tags are associated with the parsed substrings. Substring text may also be replaced with general identifying information. Patterns generated from known malicious and benign URLs satisfying certain criteria are published to a pattern repository which can be accessed during subsequent detection operations. During detection, upon identifying a request which indicates an unknown URL, the URL is parsed and tokenized to generate a pattern. The repository of malicious URL patterns is queried to determine if a matching malicious URL pattern can be identified. If a matching malicious URL pattern is identified, the URL is detected as malicious.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: December 19, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Fang Liu, Yuchen Zhou, Jun Wang
  • Patent number: 11847240
    Abstract: A method of generating relevant security rules for a user includes the steps of: building a first tree data structure from paths within a pool of security rules; collecting process paths for the user; and compiling the relevant security rules for the user by traversing the first tree data structure according to the process paths of the user.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: December 19, 2023
    Assignee: VMware, Inc.
    Inventors: Debessay Fesehaye Kassa, Zhen Mo, Patrick Charles Upatham
  • Patent number: 11848944
    Abstract: A method including configuring, by an infrastructure device, a user device to receive harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; configuring the user device to receive a first portion of given data; configuring the user device to determine a pattern associated with traits included in the first portion of the given data; configuring the user device to determine whether the first portion of the given data includes the malicious content based on comparing the determined pattern with the harmful patterns and the clean patterns; and configuring the user device to selectively receive a second portion of the given data based on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: August 4, 2022
    Date of Patent: December 19, 2023
    Assignee: UAB 360 IT
    Inventors: Aleksandr Ševčenko, Mantas Briliauskas
  • Patent number: 11843634
    Abstract: Methods are described for protecting a cyber-physical system against a potential attacker of the system. The methods include a method of generating a plurality of examples for a training data set and training a system model using the training data set to generate a decoy configured to generate a synthetic output that mimics historical outputs generated by the system for a given historical system context. Also described is a method including receiving a system context of a cyber-physical system; receiving an inquiry into the system by a potential attacker; applying a system model to the system context and the inquiry; obtaining from the system model a synthetic output that mimics how a component of the system would respond to the inquiry given the system context; and providing the synthetic output to the potential attacker.
    Type: Grant
    Filed: March 2, 2022
    Date of Patent: December 12, 2023
    Assignee: Battelle Memorial Institute
    Inventors: Thomas W. Edgar, Draguna L Vrabie, William J. Hofer, Kathleen E. Nowak
  • Patent number: 11841918
    Abstract: A method for preventing spam comments from populating a web site is provided. The method includes intercepting a HTTP (Hypertext Transfer Protocol) response, which includes a web page with a form for enabling a client's general comments to be published on the web site. The method also includes modifying the web page with the form to create a modified web page with a randomized form. The modifying includes randomly adding a set of randomized variable names to the web page with the form. The set of randomized variable names is a set of randomly generated character strings. The method further includes forwarding the modified web page with the randomized form to the client. The method also includes adding the set of randomized variable names to a form database, which is configured for storing data about the modified web page with the randomized form.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: December 12, 2023
    Assignee: TREND MICRO INCORPORATED
    Inventor: Chia Li
  • Patent number: 11842740
    Abstract: Some aspects of the invention may include a computer-implemented method for enrolling voice prints generated from audio streams, in a database. The method may include receiving an audio stream of a communication session and creating a preliminary association between the audio stream and an identity of a customer that has engaged in the communication session based on identification information. The method may further include determining a confidence level of the preliminary association based on authentication information related to the customer and if the confidence level is higher than a threshold, sending a request to compare the audio stream to a database of voice prints of known fraudsters. If the audio stream does not match any known fraudsters, sending a request to generate from the audio stream a current voice print associated with the customer and enrolling the voice print in a customer voice print database.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: December 12, 2023
    Assignee: NICE LTD.
    Inventors: Shahar Faians, Avraham Lousky, Elad Hoffman, Alon Moshe Sabban, Jade Tarni Kahn, Roie Mandler
  • Patent number: 11841928
    Abstract: Techniques are disclosed for secure collaboration messaging. An example methodology implementing the techniques includes, by a computing device of a first user, receiving a notification of arrival of a message addressed to the first user from a second user and determining that the message is a secure message. The method also includes, by the computing device of the first user, associating a security tag icon to the message, the security tag icon providing an indication that the message is a secure message, and causing a display of the associated security tag icon with a displayed indication of the arrival of the message.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: December 12, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Zongpeng Qiao, Dan Hu
  • Patent number: 11843639
    Abstract: Various embodiments include an industrial control system security analysis method. The method may include: collecting a communication data packet of interactive data transmitted between control devices in a first industrial control system; extracting network identifiable information; and determining whether it matches a pre-created event database. If the information matches: determining that the communication data packet is a malicious data packet; acquiring security policies of the first industrial control system and a second industrial control system; and determining a threat coefficient of the communication data packet for the second industrial control system based on the network identifiable information and each of the security policies, wherein the threat coefficient represents a degree of threat of the communication data packet to the second industrial control system.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: December 12, 2023
    Assignee: SIEMENS LTD., CHINA
    Inventor: Dai Fei Guo
  • Patent number: 11838316
    Abstract: Computer systems and methods are provided for storing a first path profile. A computing device receives a first request to access a first location of a website, transmits the first request to a server, and receives a first cookie that includes identifying information for the first location. In response to receiving the first cookie, the device stores the identifying information. The device receives a second request to access a second location of the website that is distinct from the first location. The second request includes the identifying information for the first location. The device transmits the second request to the server and receives a second cookie that includes the identifying information for the first location and for the second location. In response to receiving the second cookie, the device stores the first path profile that includes the identifying information for the first location and the second location.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Subramanian Varadarajan, Rosarin Roy Antonyraj
  • Patent number: 11836262
    Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.
    Type: Grant
    Filed: October 3, 2022
    Date of Patent: December 5, 2023
    Assignee: INTEL CORPORATION
    Inventors: Salessawi Ferede Yitbarek, Lawrence A. Booth, Jr., Brent D. Thomas, Reshma Lal, Pradeep M. Pappachan, Akshay Kadam
  • Patent number: 11831675
    Abstract: Implementations are directed to receiving analytical attack graph (AAG) data representative of one or more AAGs, each AAG representing one or more lateral paths between configuration items within an enterprise network, calculating, for each configuration item in a set of configuration items, a process risk value for each impact in a set of impacts achievable within the configuration item, for a first impact, a first process risk value being calculated based on a multi-path formula in response to determining that multiple paths in the AAG lead to the first impact, and, for a second impact, a second process risk value being calculated based on a single-path formula in response to determining that a single path in the AAG leads to the second impact, and determining that at least one process risk value exceeds a threshold process risk value, and in response, adjusting one or more security controls within the enterprise network.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: November 28, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Amin Hassanzadeh, Anup Nayak, MD Sharif Ullah
  • Patent number: 11829497
    Abstract: Described herein are techniques and technologies to identify an encrypted content within a field of view of a user of a VR/AR system and process the encrypted content appropriately. The user of the VR/AR technology may have protected content in a field of view of the user. Encrypted content is mapped to one or more protected surfaces on a display device. Contents mapped to a protected surface may be rendered on the display device but prevented from being replicated from the display device.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: November 28, 2023
    Assignee: Magic Leap, Inc.
    Inventors: Robert Blake Taylor, Dmitry Pastouchenko, Frederic Plourde
  • Patent number: 11831542
    Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, initiates a provider-based action for the IP packet.
    Type: Grant
    Filed: April 13, 2022
    Date of Patent: November 28, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Guy Lewin, Vikrant Arora, Ofir Yakovian
  • Patent number: 11829454
    Abstract: An apparatus, method, and system for curtailing and investigating software piracy is provided. The method includes spawning user applications on a computer without use of a file on the file system. A protected application data source is retrieved by an operating system of the computer from a server and placed into a portion of memory not accessible by at least one application. The operating system also prevents the protected application data source from being written to the file system. In this manner there is no file subject to unauthorized distribution. The protected application data may also be watermarked by ordering at least one of executable functions, function call parameters, and program data according to a license identifier so that any two versions execute the same, but carry an identifier which can be used to trace piracy to the source.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: November 28, 2023
    Inventor: Patrick Robert Koren