Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11831677
    Abstract: Methods and apparatus to manage a dynamic deployment environment including one or more virtual machines are provided herein. A disclosed example involves: scanning, by executing a computer readable instruction with a processor, the virtual machines in the deployment environment to identify a service installed on any of the virtual machines; determining, by executing a computer readable instruction with the processor, the identified service corresponds to a service monitoring rule; determining, by executing a computer readable instruction with the processor, that a monitoring agent identified by the service monitoring rule is installed on the one or more virtual machines on which the service is installed; and configuring the monitoring agent, by executing a computer readable instruction with the processor, to monitor the service in accordance with the service monitoring rule on the at least one of the virtual machines on which the service is installed.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: November 28, 2023
    Assignee: VMware, Inc.
    Inventors: Ye Luo, Qi Wu, Donghai Han
  • Patent number: 11822438
    Abstract: Arrangements for providing API failure detection and processing are provided. In some aspects, call logs including calls made to one or more APIs as well as a response code for each call may be received and a severity for each API may be determined. For instance, an API having a third severity may be detached from an associated application to disable functionality associated with that API. If an API is assigned a second severity, additional calls may be made to the API to confirm that the API is actually failing. The results of the additional calls may be analyzed and if a sufficient number of failures are detected, an instruction to detach the API may be generated and transmitted. In some arrangements, the error causing the failure may be remedied and the API may be reattached to the application.
    Type: Grant
    Filed: July 11, 2022
    Date of Patent: November 21, 2023
    Assignee: Bank of America Corporation
    Inventors: Saurabh Arora, Sandeep Kumar Chauhan
  • Patent number: 11823045
    Abstract: An encoding apparatus is provided. The apparatus comprises an input unit operable to obtain a plurality of training images, said training images being for use in training a machine learning model. The apparatus also comprises a label unit operable to obtain a class label associated with the training images; and a key unit operable to obtain a secret key for use in encoding the training images. The apparatus further comprises an image noise generator operable to generate, based on the obtained secret key, noise for introducing into the training images. The image noise generator is configured to generate noise that correlates with the class label associated with the training images such that a machine learning model subsequently trained with the modified training images learns to associate the introduced noise with the class label for those images. A corresponding decoding apparatus is also provided.
    Type: Grant
    Filed: October 20, 2020
    Date of Patent: November 21, 2023
    Assignee: Sony Interactive Entertainment Inc.
    Inventors: Mark Jacobus Breugelmans, Oliver Hume, Fabio Cappello, Nigel John Williams
  • Patent number: 11824891
    Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: November 21, 2023
    Assignee: Cujo LLC
    Inventors: Leonardas Marozas, Filip Savin, Matteo Cafasso, Santeri Kangas, Sean Tiernan
  • Patent number: 11822697
    Abstract: There are provided systems and methods for a dynamic pixel display in electronic communications to enhance data security. Electronic network communications by a service provider, such as an electronic transaction processor for digital transactions, may be compromised by malicious computing attacks or other actions that compromise the security of the communications and corresponding data within the communications. To increase security of the data within a communication, such as text or images in an email, the service provider may utilize a pixel arrangement within a field of the communication that has corresponding identifiers and weblinks to backend pixel data that have been randomized so that each pixel's location is variable between different communications. When the email is opened, code for the email may request the backend pixel data using the weblinks. A malicious party listening to the communication does not receive the data without having to reconstruct the randomized layout.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: November 21, 2023
    Assignee: PAYPAL, INC.
    Inventor: George Chen Kaidi
  • Patent number: 11824874
    Abstract: Example methods and systems for application security enforcement are described. In one example, a computer system may detect, from a client device, a packet requiring processing by a first server pool; and determine whether the packet is associated with a security attack. In response to determination that the packet is not associated with the security attack, the packet may be steered towards the first server pool to cause processing of the packet by one of multiple first application servers. Otherwise, the packet may be steered towards a second server pool to cause processing of the packet by one of multiple second application servers and to learn attack information associated with the security attack. The multiple second application servers in the second server pool may be capable of mimicking behavior of the multiple first application servers in the first server pool.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: November 21, 2023
    Assignee: VMWARE, INC.
    Inventors: Sudarshana Kandachar Sridhara Rao, Raghav Kempanna, Rajagopal Sreenivasan, Kumara Parameshwaran
  • Patent number: 11822659
    Abstract: Disclosed herein are systems and methods for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: November 21, 2023
    Assignee: Acronis International Gmbh
    Inventors: Dmitry Gryaznov, Oleg Ishanov, Vladimir Strogov, Andrey Kulaga, Igor Kornachev, Stanislav Protasov, Serguei Beloussov
  • Patent number: 11818164
    Abstract: A method, computer program product, and computer system for identifying social engineering activity associated with at least one of a first communication and a second communication based upon, at least in part, correlation to a predetermined rule. Characteristics of the communications are compared to the predetermined rule to determine if there is a correlation.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: November 14, 2023
    Assignee: Telepathy Labs, Inc.
    Inventors: Damien Phelan Stolarz, Johanna Dwyer, Ronald J. Pollack
  • Patent number: 11818224
    Abstract: A computer-implemented method for building a software application is disclosed. The method includes: generating a plurality of application resources; creating a plurality of tags; applying one of the tags on each of the plurality of application resources; grouping the application resources by their tags to form at least two asset packs, each identifiable by at least one tag shared by all application resources in the asset pack; and creating an asset pack manifest comprising a location of each of the asset packs and an order in which the asset packs are to be downloaded.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: November 14, 2023
    Assignee: Apple Inc.
    Inventors: Stephen Richard Lewallen, David Makower, Jonathan Joseph Hess, Patrick Heynen, Terry J. Santamaria, William M. Bumgarner, David Pickford, Christopher L. Oklota, Anthony S. Parker
  • Patent number: 11818146
    Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: November 14, 2023
    Assignee: Forescout Technologies, Inc.
    Inventors: Daniel Ricardo dos Santos, Elisa Costante, Mario Dagrada, Alessandro Manzi
  • Patent number: 11818145
    Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: November 14, 2023
    Assignee: International Business Machines Corporation
    Inventors: Xiaorui Pan, Xiaokui Shu, Dhilung Hang Kirat, Jiyong Jang, Marc Philippe Stoecklin
  • Patent number: 11818165
    Abstract: Synthetic training sets for machine learning are created by identifying and modifying functional features of code in an existing malware training set. By filtering the resulting synthetic code to measure malware impact and novelty, training sets can be created that predict novel malware and seek to preemptively exhaust the space of new malware. These synthesized training sets can be used in turn to improve training of machine learning models. Furthermore, by repeating the process of new code generation, filtering and training, an iterative machine learning process may be created that continuously narrows the window of vulnerabilities to new malicious actions.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: November 14, 2023
    Assignee: Sophos Limited
    Inventor: Joseph H. Levy
  • Patent number: 11818151
    Abstract: The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. A domain identifier system identifies a first plurality of domain names associated with a malicious domain campaign and seeding a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the domain identifier system uses the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: November 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Michael Edward Weber, Jun Wang, Yuchen Zhou, Wei Xu
  • Patent number: 11816205
    Abstract: Systems and methods for detecting and handling attacks on processes executing within a trusted execution environment (TEE) are disclosed. In one implementation, a processing device may detect by a first process an event indicating that a first process executing in a TEE of a host computer system is under attack from a second process executing on the host computer system. The processing device may set a flag within a memory region of the TEE indicating that the first process is under attack. The processing device may further perform, in view of an attack response policy associated with the first process, an action responsive to detecting the event.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: November 14, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel P. McCallum
  • Patent number: 11818014
    Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.
    Type: Grant
    Filed: February 1, 2022
    Date of Patent: November 14, 2023
    Assignee: Rapid7 Israel Technologies Ltd.
    Inventors: Nitzan Niv, Gad Naor
  • Patent number: 11809398
    Abstract: Methods and systems for connecting data with non-standardized schemas in connected graph data exchanges. For example, the system generates a custom data structure corresponding to a user identifier for a user profile that includes pointers between user profile attributes (e.g., individual fields/categories within the user profile) and existing assets in a connected graph (e.g., an existing application, software profile for an application, data set, connections, etc.). The system then connects the custom data structure corresponding to the user identifier to the existing assets in the connected graph.
    Type: Grant
    Filed: May 3, 2022
    Date of Patent: November 7, 2023
    Assignee: Capital One Services, LLC
    Inventors: Gaurav Singh, Richard Ferrara, Pankaj Singh, Christopher Wilcoxen, Felix Hidalgo, Rangarajan Lakshminarayanachar
  • Patent number: 11809559
    Abstract: In an example there is provided a method for receiving notification of an intrusion event in relation to an application from an intrusion detection system, accessing state data in relation to a state of the application prior to the intrusion event, the state data having been stored on the basis of a change of state of the application, accessing a policy to be applied to the state data in response to the intrusion event, modifying the state data on the basis of the policy, and restoring the application on the basis of the modified state data.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: November 7, 2023
    Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Ronny Chevalier, David Plaquin
  • Patent number: 11811803
    Abstract: There is provided a method comprising: detecting a new process start at a network node of a computer network; determining that said process requires external code modules; observing the times at which one or more external code modules required by the new process are loaded relative to the process starting time; determining that the usage of an external code module required by the new process is anomalous when the time elapsed between the start of the process and loading of said external code module lies outside predetermined expected boundaries; and taking further action to protect the network node and/or the computer network based on determining that the usage of the external code module required by the detected new process is anomalous.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: November 7, 2023
    Assignee: WITHSECURE CORPORATION
    Inventors: Paolo Palumbo, Dmitriy Komashinskiy
  • Patent number: 11809572
    Abstract: A computer-implemented method for building trusted executable software using trusted building units, wherein a path between the building units is untrusted, is disclosed. The method comprises generating, by each of the trusted building units, an identifier for identifying an output of the respective trusted building unit, wherein the respective trusted building unit also generates a signed confirmative certificate comprising the identifier. The method also comprises utilizing, by each of the distributed trusted building units, output results of at least one of a predecessor build unit of the trusted building unit as input, validating that each of the signed confirmative certificates conforms to a predefined set of policy rules, and upon a failed validating of the signed confirmative certificate of one of the trusted building units, terminating the building of the trusted executable software.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: November 7, 2023
    Assignee: International Business Machines Corporation
    Inventors: Florian Fritz, Timo Kussmaul, Dennis Zeisberg, Angel Nunez Mencias, Dimitrij Pankratz, Stefan Liesche, Sebastian Hense
  • Patent number: 11809552
    Abstract: Some embodiments described herein include a system that collects and learns reference side-channel normal activity, processes it to reveal key features, compares subsequent collected data and processed data for anomalous behavior, and reports such behavior to a management center where this information is displayed and predefined actions can be executed when anomalous behavior is observed. In some instances, a physical side channel (e.g., an indirect measure of program execution such as power consumption or electromagnetic emissions and other physical signals) can be used to assess the execution status in a processor or digital circuit using an external monitor and detect, with extreme accuracy, when an unauthorized execution has managed to disrupt the normal operation of a target system (e.g., a computer system, etc.).
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: November 7, 2023
    Assignee: Power Fingerprinting Inc.
    Inventors: Carlos R. Aguayo Gonzalez, Jeffrey H. Reed, Steven C. Chen
  • Patent number: 11811766
    Abstract: Systems and methods are provided to provide cloud-based coordination of customer premise service appliances. A system can include a cloud-based service platform, which includes a coordination server and a cloud-based service appliance, and an on-premise service appliance. The coordination server is configured to establish a service session, select a service appliance, and control a sequence of operations on the selected service appliance. Establishing the service session can include establishing a service session with a first client in response to a service request received from the first client, the first client associated with an account including a service policy. Selecting the service appliance can include selecting the cloud-based service appliance or the on-premise service appliance, based on the service policy, to handle the service request.
    Type: Grant
    Filed: May 6, 2021
    Date of Patent: November 7, 2023
    Assignee: DocuSign, Inc.
    Inventors: Donald Grant Peterson, Eric Fleischman
  • Patent number: 11809554
    Abstract: A system and method for automated verification of a cybersecurity event includes identifying a cybersecurity event of a subscriber; automatically constructing a response-enabled verification communication based on one or more features of the cybersecurity event satisfying verification-initiating criteria of an automated verification-initiation workflow, and transmitting the response-enabled verification communication to the subscriber associated with the cybersecurity event, wherein the response-enabled verification communication includes: one or more pieces of event-descriptive content; a first selectable interface object that, when selected by the subscriber, automatically increases a threat severity level of the cybersecurity event; and a second selectable interface object that, when selected by the subscriber, automatically de-escalates the threat severity level of the cybersecurity event causing a disposal of the cybersecurity event; and automatically routing the cybersecurity event to one of a cybersecu
    Type: Grant
    Filed: December 2, 2022
    Date of Patent: November 7, 2023
    Assignee: Expel, Inc.
    Inventors: Peter Silberman, Jonathan Hencinski, Dan Whalen, Roger Studner
  • Patent number: 11811510
    Abstract: A framework for security information and event management (SIEM), the framework includes a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines, wherein said framework performs SIEM on behalf of multiple subscribers to said framework.
    Type: Grant
    Filed: March 30, 2023
    Date of Patent: November 7, 2023
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael David Wimpy, Andrey Konczal
  • Patent number: 11804967
    Abstract: Computer systems and methods for verifying a route taken by a communication are disclosed. In one implementation, a device for verifying a route taken by a communication may include one or more processors configured to obtain a communication transmitted by a source entity. The communication may include data and digital signatures, and each of the digital signatures may be generated based on at least the data. Further, the digital signatures may include a digital signature associated with the source entity, and a set of digital signatures associated with at least a subset of intermediate entities on a route taken by the communication. The one or more processors may be further configured to verify the digital signatures included in the communication, verify whether the entities associated with the digital signatures form an expected route for the communication, and process the data.
    Type: Grant
    Filed: August 30, 2021
    Date of Patent: October 31, 2023
    Assignee: NEUSTAR, INC.
    Inventors: Brian R. Knopf, Mark Watson
  • Patent number: 11805430
    Abstract: By analyzing the apps on a portable computing device, the communication modes used by the portable computing devices and the communication requirements of the apps at a given time, an ideal communication mode given a certain mix of apps operating on a portable computing device at a given point in time may be determined.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: October 31, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Pei Zheng
  • Patent number: 11805151
    Abstract: Embodiments of the present disclosure provide a first set of methods, computer-readable media, and system configured for: receiving a configuration for a domain name system (DNS) to log all queries; publishing a customized sender policy framework (SPF) policy to the DNS, the customized SPF policy comprising a macro-endowed mechanism; logging a plurality of received SPF customized queries; accessing a log comprising the plurality of received SPF customized queries; extracting data from each of the received SPF customized queries, the data being populated by the macro mechanism associated with the SPF customized query; populating a datastore with extracted data comprising at least one of the following: a username, an IP address, and a domain, as extracted from each received SPF customized query; and providing, based on the extracted data, an indication of outbound emails sent from the domain. In various embodiments, email authorizations and restrictions may be based thereon.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: October 31, 2023
    Assignee: Fraudmarc Inc.
    Inventors: Keith Wayne Coleman, Richard Duncan
  • Patent number: 11797678
    Abstract: An example apparatus includes a scan manager to add a portion of a page of physical memory from a first sequence of mappings to a second sequence of mappings in response to determining the second sequence includes an address corresponding to the portion of the page of physical memory, and a scanner to scan the first sequence and the second sequence to determine whether at least one of first data in the first sequence or second data in the second sequence includes a pattern indicative of malware.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: October 24, 2023
    Assignee: INTEL CORPORATION
    Inventors: Michael LeMay, David M. Durham, Men Long
  • Patent number: 11797674
    Abstract: The present disclosure discloses a method, apparatus, device, and storage medium for defending against attacks, which relate to the technical field of information security, and can be used in intelligent traffic or an autonomous driving scenario. The specific implementation solution is: acquiring an instruction set including at least one instruction for controlling vehicle state; comparing each instruction in the instruction set with at least one attack instruction in an attack behavior knowledge base respectively to determine a maximum similarity value corresponding to each instruction; and determining the type of the instruction and of the processing tactics for the instruction according to the maximum similarity value corresponding to each instruction and a preset similarity range.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: October 24, 2023
    Assignee: APOLLO INTELLIGENT CONNECTIVITY (BEIJING) TECHNOLOGY CO., LTD.
    Inventor: Zhiyang Cui
  • Patent number: 11799897
    Abstract: A method performed by a cybersecurity system includes monitoring multiple network functions (NFs) of a service-based architecture (SBA) of a 5G network. The NFs are communicatively interconnected over an HTTP/2 interface. The cybersecurity system detects potentially malicious network traffic communicated over the HTTP/2 interface, identifies NFs or associated services that are susceptible to a cyberattack based on the potentially malicious network traffic, and deploys resources to secure the NFs or associated services. In one example, the resources are prioritized for a most frequently used (MFU) or most recently used (MRU) NF or associated service.
    Type: Grant
    Filed: August 4, 2022
    Date of Patent: October 24, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Gaviphat Lekutai
  • Patent number: 11799975
    Abstract: Various techniques are disclosed for providing dynamic, real-time pattern detection and linking between newly created user accounts and existing user accounts. Certain solutions include assessing matches of a new user account to nodes in a graphical representation of a machine learning algorithm based on predefined patterns in the properties of the new user account. The nodes in the graphical representation may each have different predefined patterns that have been determined based on patterns in previous information for user accounts, which can also be updated in real-time as needed. Accordingly, when a new user account is matched (e.g., assigned) to a node that has accounts with known issues associated with the node, the new user account may be flagged for increased scrutiny or other solutions.
    Type: Grant
    Filed: May 5, 2022
    Date of Patent: October 24, 2023
    Assignee: PayPal, Inc.
    Inventors: Ying Lin, Jiaqi Zhang
  • Patent number: 11800598
    Abstract: The present disclosure distributes processing capabilities throughout different nodes in a wireless network. Methods and apparatus consistent with the present disclosure increase the efficiency of communications in a wireless network because they help minimize the need to forward communications to other nodes in the network. Apparatus and methods consistent with the present disclosure perform a function of elastic content filtering because rating information may be stored in different memories of different mesh nodes according to rules or profiles associated with a wireless mesh network as responses to requests are sent back along a route in a wireless mesh network in a manner that may not increase an amount of network traffic. When, however, network traffic dips below a threshold level, additional messages may be sent to certain mesh nodes that update rating information stored at those certain mesh nodes.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: October 24, 2023
    Assignee: SONICWALL INC.
    Inventor: Zhuangzhi Duo
  • Patent number: 11799905
    Abstract: Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive image data of a graphical rendering of a resource available at a uniform resource locator (URL). The computing platform may compute a computer vision vector representation of the image data. The computing platform may compare the computer vision vector representation of the image data to stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element, and may input the feature to a classifier. The computing platform may receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: October 24, 2023
    Assignee: Proofpoint, Inc.
    Inventors: Brian Sanford Jones, Zachary Mitchell Abzug, Jeremy Thomas Jordan, Giorgi Kvernadze, Dallan Quass
  • Patent number: 11799876
    Abstract: Systems and methods include receiving a list of web sites; anonymously browsing to each web site in the list; receiving a response based on the browsing; and analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation. The systems and methods can further include providing a blacklist of web sites classified as malicious. The systems and methods can further include determining the list of web sites periodically based on a plurality of factors. The JS obfuscation detection can be performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious, and the heuristics can include a presence of any of a new JS function and a domain in the de-obfuscated JS content.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: October 24, 2023
    Assignee: Zscaler, Inc.
    Inventors: Deepen Desai, Dhruval Gandhi, Sachin Matte
  • Patent number: 11792219
    Abstract: An anomaly detecting device includes a flow collector that collects an amount of flow communication traffic in each of two or more networks in an in-vehicle network system that includes the two or more networks, the amount of flow communication traffic being information obtained by tallying an amount of communication traffic of one or more frames classified according to a predetermined rule that is based on header information of a network protocol; and an anomaly detector that calculates, based on the amount of flow communication traffic, an observed ratio indicating a ratio of respective amounts of communication traffic in the two or more networks and determines whether the two or more networks are anomalous based on the observed ratio calculated and a normal ratio indicating a ratio of respective amounts of communication traffic in the two or more networks in a normal state.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: October 17, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Ryo Hirano, Yoshihiro Ujiie, Takeshi Kishikawa
  • Patent number: 11792220
    Abstract: A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination.
    Type: Grant
    Filed: May 23, 2023
    Date of Patent: October 17, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K Ahn, Keith A. George, Peter P. Geremia, Pierre Mallett, III, Sean Moore, Robert T. Perry, Jonathan R. Rogers
  • Patent number: 11792162
    Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers that are input into an ML model that includes a first stage that operates on the first vector of integers to identify candidate signature tokens that are commonly associated with different classes of attack, and a second stage that operates on the candidate signature tokens and the second vector of integers and conditions attention on the second vector of integers on the candidate signature tokens. The ML model outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: October 17, 2023
    Assignee: CLOUDFLARE, INC.
    Inventors: Vikram Grover, Petre Gabriel Gabor, Nicholas Mikhail Robert
  • Patent number: 11792251
    Abstract: Methods, computer program products, and systems are presented. The methods, computer program products, and systems can include, for instance: transmitting, during a media streaming session, streaming media to a user equipment (UE) device of a user, the transmitting streaming media including simultaneously transmitting a first media stream and a second media stream to the UE device; subjecting the first media stream to processing by natural language processing to provide a topic extracted from the first media stream; subjecting the second media stream to processing by natural language processing to provide an extracted topic extracted from the second media stream; identifying a match between the topic and the extracted topic; and providing one or more outputs in response to the identifying the match between the topic and the extracted topic.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: October 17, 2023
    Assignee: International Business Machines Corporation
    Inventors: Craig M. Trim, Kimberly Greene Starks, Michael E. Alexander, Gandhi Sivakumar, Kushal Patel, Sarvesh S. Patel
  • Patent number: 11790091
    Abstract: Systems and methods are provided for monitoring information-security coverage to identify a vulnerability or risk in the information-security coverage. An information-security system can include computing systems, databases, a security server, etc. that can communicate data via a network. The server can be used to obtain data indicating a process for managing or monitoring information-security in the system and data indicating activity on the network, computing systems, server, or databases. The server then determines a metric based on the obtained data and the metric can indicate a risk or vulnerability in information-security coverage in the system. The server can then aggregate the data and transmit the aggregated data to a computing device. The computing device can generate an interface for outputting data for monitoring information-security coverage or identifying a vulnerability or risk in information-security coverage, which can improve the security of the information-security system.
    Type: Grant
    Filed: December 2, 2022
    Date of Patent: October 17, 2023
    Assignee: Truist Bank
    Inventors: Stuart Sloan, Aleksey Vladimirovich Rogozhin, Glenn Bernstein, Jesse Daniel Bikman
  • Patent number: 11789760
    Abstract: Systems, methods, and software for providing collection and curation of real-time data and submission to a technical resource upon an indication of an issue in a computing device from an end user. The computing device is monitored and computer usage data and system diagnostic data collected from the device during use by an end user. Upon receiving an indication from the user of an occurrence of an issue, additional information regarding the issue is collected from the end user while additional system diagnostic data about the computing device at a time of occurrence of the issue is collected. The collected information and data are then curated by the computing device in regard to the issue and transmitted to a remote server for access by a technical resource.
    Type: Grant
    Filed: January 10, 2022
    Date of Patent: October 17, 2023
    Inventors: Alexander Permenter, Christopher Wheeler
  • Patent number: 11783051
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for normalizing, compressing, and correlating vulnerabilities are disclosed. In one aspect, a method includes the actions of generating a first and second copy of a software target. The actions further include providing the first copy to a first scanning tool and the second copy to a second scanning tool. The actions further include receiving a first scanning tool output that identifies a first issue of the software target. The actions further include receiving a second scanning tool output that identifies a second issue of the software target. The actions further include determining that the first issue and the second issue are a same issue. The actions further include generating a combined issue of the first issue and the second issue. The actions further include outputting a notification that includes the combined issue.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: October 10, 2023
    Assignee: ZeroNorth, Inc.
    Inventors: Sergey Bobrov, William Tyler Wissemann, Aaron Phillip Wise
  • Patent number: 11785026
    Abstract: An information processing device 10 comprises a data reception unit 13 that accepts transmission information of an email received by each of a plurality of mail servers 12, the transmission information being extracted from the emails; a transmission information determination unit 14 that determines whether the transmission source of the email is appropriate based on the transmission information; and a whitelist distribution unit 16 that distributes the transmission source determined to be appropriate to each of the plurality of mail servers.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: October 10, 2023
    Assignee: DIGITAL ARTS INC.
    Inventors: Toshio Dogu, Takuya Matsumoto, Mitsunari Satoh
  • Patent number: 11785028
    Abstract: A method including receiving, by a user device, harmful patterns indicating characteristics of harmful traits included in affected data known to include malicious content and clean patterns indicating characteristics of clean traits included in clean data known to be free of the malicious content; receiving, by the user device, a first portion of given data; determining, by the user device, a pattern associated with traits included in the first portion of the given data; determining, by the user device, whether the first portion of the given data includes the malicious content based at least in part on comparing the determined pattern with the harmful patterns and the clean patterns; and selectively receiving, by the user device, a second portion of the given data based at least in part on determining whether the first portion of the given data includes the malicious content is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: July 31, 2022
    Date of Patent: October 10, 2023
    Assignee: UAB 360 IT
    Inventors: Aleksandr Sevcenko, Mantas Briliauskas
  • Patent number: 11784989
    Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.
    Type: Grant
    Filed: August 18, 2022
    Date of Patent: October 10, 2023
    Assignee: Journey.ai
    Inventors: Brett Shockley, Alexander John Shockley, Michael Joseph Frendo, Shmuel Shaffer, Kenneth Keiter, James M. Behmke
  • Patent number: 11783034
    Abstract: Disclosed herein are an apparatus and method for detecting a malicious script. The apparatus includes one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program is configured to extract token-type features, each of which corresponds to a lexical unit, and tree-node-type features of an abstract syntax tree from an input script, to train two learning models to respectively learn two pieces of learning data that are generated in consideration of features extracted respectively from the token-type features and the node-type features as having the highest frequency, and to detect whether the script is a malicious script based on the result of ensemble-based malicious script detection performed for the script, which is acquired using an ensemble detection model generated from the two learning models.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: October 10, 2023
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Jung-Tae Kim, Ji-Hyeon Song, Ik-Kyun Kim, Young-Su Kim, Jong-Hyun Kim, Jong-Geun Park, Sang-Min Lee, Jong-Hoon Lee
  • Patent number: 11777987
    Abstract: Phishing attacks cause financial frauds and credential thefts. The conventional blacklist, whitelist and Machine Learning (ML) based methods fail to provide an accurate detection of phishing attacks. The present disclosure provides a layered approach wherein a URL domain name is compared with blacklist domains and whitelist domains. Further, the URL undergoes Internet Protocol (IP) address checking followed by context checking. A clicked context is verified based on the number of search results from a popular search engine. Otherwise, the typed context is checked for non-ASCII characters in the domain name. Further, the URL is checked for any brand name. Further, the domain is checked for any misspelling. Further, the URL is examined using a Machine Learning (ML) model. Finally, the URL is classified as phishing if the number of hits in a popular search engine is low. Here a phishing alert is generated in each layer based on the corresponding decision.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: October 3, 2023
    Assignee: Tata Consultancy Services Limited.
    Inventors: Harshal Tupsamudre, Sachin Premsukh Lodha
  • Patent number: 11777973
    Abstract: The disclosed technology relates to a process for optimizing data flow within a computer network. The technology utilizes shared memory and machine learning logic to improve the efficiency of how computing resources are used during a transmission of data packets in the computer network. The shared memory is implemented during the transmission of data packets between the data plane and the service plane so that the copying of data packets after the data packets have been received and processed by an application is not necessary. The machine learning logic is implemented during the processing of the data packets in order to adjust a frequency or extent that the data packets (and corresponding source of the data packets) need to be evaluated to ensure that malicious content is not being transmitted across the computer network.
    Type: Grant
    Filed: February 3, 2022
    Date of Patent: October 3, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Ramanathan Subramanian, Jeslin Antony Puthenparambil
  • Patent number: 11775634
    Abstract: Computing platform security methods and apparatus are disclosed. An example apparatus includes a graphics processor; and a graphics driver to facilitate access to the graphics processor, the graphics driver including: an authenticator to establish a trusted channel between the graphics driver and an application driver via mutual authentication of the graphics driver and the application driver; an offloader to offload a computing task to the graphics processor via the trusted channel, the computing task associated with the application driver; and a hypervisor to monitor memory associated with the offloaded computing task for an unauthorized access attempt.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: October 3, 2023
    Assignee: MCAFEE, LLC
    Inventors: Paritosh Saxena, Adrian M. M. T. Dunbar, Michael S. Hughes, John Teddy, David Michael Durham, Balaji Vembu, Prashant Dewan, Debra Cablao, Nicholas D. Triantafillou, Jason M. Surprise
  • Patent number: 11777960
    Abstract: In one embodiment, a method includes collecting DNS (Domain Name System) communications, analyzing the DNS communications, and identifying DNS tunneling or exfiltration based on analysis of the DNS communications. Analyzing the DNS communications includes identifying a distinct query count for each of a plurality of clients over a specified time period and a data transfer direction between the clients and one or more servers, and categorizing the DNS communications based on session features associated with at least one of query type, transfer capability, and server response. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: October 3, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Brad J. Antoniewicz
  • Patent number: 11770387
    Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for lateral movement. In embodiments, the system uses network data from a computer network to build a baseline of connection behaviors for the network. Connection graphs are generated from new network data that indicate groups of nodes that made connections with one another during a last time interval. The graphs are analyzed for connection behavior anomalies and ranked to determine a subset of graphs with suspected lateral movement. Graphs with suspected lateral movement may be further analyzed to determine a set of possible attack paths in the lateral movements. The suspected attack paths are reported to network administrators via a notification interface. Advantageously, the disclosed system is able to detect potential lateral movements in localized portions of a network by monitoring for connection behavior anomalies in network data gathered from the network.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: September 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Vasudha Shivamoggi, Roy Donald Hodgman, Katherine Wilbur
  • Patent number: 11768987
    Abstract: A system to facilitate communication of a critical signal between functional circuitries of a system-on-chip utilizes a dynamic pattern to securely communicate the critical signal. The system includes selection and comparison circuits. The selection circuit is configured to select and output a set of dynamic pattern bits or a set of fixed reference bits, based on a logic state of the critical signal that is received from one functional circuitry. The comparison circuit is configured to output an output signal based on the set of dynamic pattern bits, and a set of intermediate bits that is derived from the set of dynamic pattern bits or the set of fixed reference bits. The output signal is provided to the other functional circuitry when a logic state of the output signal matches the logic state of the critical signal, thereby securely communicating the critical signal to the other functional circuitry.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: September 26, 2023
    Assignee: NXP USA, INC.
    Inventors: Sandeep Jain, Kirk Taylor, Vivek Sharma, Arpita Agarwal