Intrusion Detection Patents (Class 726/23)
  • Patent number: 11238357
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for processing large datasets using a computationally-efficient representation are disclosed. A request to apply a coverage algorithm to a large input dataset is received. The large dataset includes sets of elements. A computationally-efficient representation of the large dataset is generated by generating a reduced set of elements that contains fewer elements based on a defined probability. For each element in the reduced set, a determination is made regarding whether the element appears in more than a threshold number of sets. When the element appears in more than the threshold number, the element is removed from sets until the element appears in only the threshold number. The coverage algorithm is then applied to the computationally-efficient representation to identify a subset of the sets. The system provides data identifying the subset of the sets in response to the received request.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: February 1, 2022
    Assignee: Google LLC
    Inventors: Seyed Vahab Mirrokni Banadaki, Hossein Esfandiari, MohammadHossein Bateni
  • Patent number: 11238158
    Abstract: A system and method for automatically adjusting a learning mode duration on a virtual computing instance for an application security system extends a minimum duration of time for the learning mode duration for a guest agent running in the virtual computing instance based on a condition with respect to suspicious activities and deviations from normal behaviors detected during a fixed time interval. The guest agent is switched to a protected mode when the condition with respect to the suspicious activities and the deviations from the normal behaviors is satisfied for any fixed time interval after the minimum duration of time.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: February 1, 2022
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Sunil Hasbe
  • Patent number: 11240263
    Abstract: In some examples, an alert relating to an issue in a computing arrangement is received. It is determined that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues, the determining comprising comparing a property associated with the received alert to a property of alerts associated with the past processes, and the information contained in the information repository comprising actions taken in the past processes to address the respective issues. Performance of a remediation action is triggered that comprises an action, identified by the information in the information repository, taken to respond to the given alert.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: February 1, 2022
    Assignee: Micro Focus LLC
    Inventors: Pratyusa K. Manadhata, William G. Horne, Tomas Sander, Manish Marwah, Tomasz Jaroslaw Bania
  • Patent number: 11232203
    Abstract: Novel tools and techniques might provide for implementing Internet of Things (“IoT”) functionality, and, in particular embodiments, implementing added services for OBD2 connection for IoT-capable vehicles. In various embodiments, a portable device (when connected to an OBD2 DLC port of a vehicle) might monitor wireless communications between a vehicle computing system(s) and an external device(s), might monitor vehicle sensor data from vehicular sensors tracking operational conditions of the vehicle, and might monitor operator input sensor data from operator input sensors tracking input by a vehicle operator. The portable device (or a server) might analyze either the monitored wireless communications or a combination of the monitored vehicle sensor data and the monitored operator input sensor data, to determine whether vehicle operation has been compromised.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: January 25, 2022
    Assignee: CenturyLink Intellectual Property LLC
    Inventor: Tom Funk
  • Patent number: 11232212
    Abstract: A computer system includes an ensemble moving target defense architecture that protects the computer system against attack using a plurality of composable protection layers that change each churn cycle, thereby requiring an attacker to acquire information needed for an attack (e.g., code and pointers) and successfully deploy the attack, before the layers have changed state. Each layer may deploy a different attack information asset protection providing multiple different attack protections each churn cycle.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: January 25, 2022
    Assignee: THE REGENTS OF THE UNIVERSITY OF MICHIGAN
    Inventors: Todd Austin, Valeria Bertacco, Mark Gallagher, Baris Kasikci
  • Patent number: 11232193
    Abstract: A method that automatically generates blacklists for a sandbox application. The method first obtains a set of disassembled operating system (OS) dynamic-link libraries (DLLs) and then identifies application programming interface (API) functions that have respective kernel interruptions. The identified API functions that have kernel instructions are saved to an interrupt list. Based on the interrupt list, a processor generates a blacklist that includes, for each of the DLLs, the identified API functions in the interrupt list and all API functions that directly or indirectly invoke one of the identified API functions in the interrupt list via one or more nested API functions. The method outputs the blacklist to the sandbox application, which operates on a sample file to emulate API functions of the sample file that match the blacklist. All other APIs not identified as being blacklisted are then considered whitelisted and are allowed to run natively.
    Type: Grant
    Filed: November 4, 2020
    Date of Patent: January 25, 2022
    Assignee: Malwarebytes Inc.
    Inventor: Jason Neal Raber
  • Patent number: 11232202
    Abstract: A method for producing a set of indicators of unwanted activity in a computer system, comprising: receiving a plurality of input data sets, each describing system activity and comprising an infection label and system activity information collected from a computer system; producing a plurality of training sets each comprising: 1) a plurality of activity values, each indicative of execution of an instruction, extracted from one of the plurality of input data sets, and 2) a respective infection label; producing for each training set one of a plurality of sets of relevant activity values by: training a model to output, in response to the respective training set, an infection classification equal to the respective infection label; and analyzing the model to identify a set of relevant activity values, of the plurality of activity values, effecting the infection classification; and analyzing the plurality of sets of relevant activity values to produce the indicators.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: January 25, 2022
    Assignee: NEC Corporation Of America
    Inventors: Maya Maimon, Yaacov Hoch, Yosef Reuven
  • Patent number: 11233816
    Abstract: A device processes a communication between a source and user equipment. The user equipment is one of a plurality of user equipment connected to a network and the user equipment is associated with an entity. The device determines that the communication is associated with an anomalous traffic pattern. The device implements a provisional blocking of traffic between the source and the plurality of user equipment connected to the network and generates a filtering rule based on determining the anomalous traffic pattern, where the filtering rule prescribes that traffic between the source and the second user equipment is to be blocked. The device transmits a notification to the entity associated with the user equipment that requests that the entity affirm the filtering rule, and the device blocks traffic between the source and the user equipment based on the entity affirming the filtering rule.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: January 25, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Shelly E. Asher, Jude M. Munn
  • Patent number: 11228619
    Abstract: A method, apparatus and computer program product for managing security threats to a distributed network. A set of events are aggregated from a plurality of event sources in the network for each of a set of security threats to the network. A magnitude of a characteristic of each of the set of security threats is determined. Each of the set of security threats is represented as a three dimensional graphical object in a three dimensional (3D) representation of the network according to the respective magnitude of the characteristic. A security action is taken based on the determined magnitude of one of the set of security threats.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: January 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Russell Couturier, Jason Flood, Aidan Butler, Wayne F Tackabury, Patrick Hourigan
  • Patent number: 11228612
    Abstract: Identifying cyber adversary behavior on a computer network is provided. Individual security events are received from multiple threat intelligence data sources. A security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, is matched to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack. A set of mitigation actions is performed on the computer network based on matching the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: January 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Sulakshan Vajipayajula, Kaushal Kiran Kapadia, Stephen Cameron Will, Ilgen Banu Yuceer, Kevin Tabb
  • Patent number: 11227222
    Abstract: Techniques described herein relate to a method for forecasting backup failures. Such techniques may include: obtaining data items associated with backup jobs; writing entries in a time series database, the entries comprising successful backup jobs and failed backup jobs; performing a first analysis to predict future failed backup jobs based on the entries in the time series database to obtain a future backup job failure predictions; performing a second analysis to determine a confidence prediction for each of the future backup job failure predictions; ranking the future backup job failure predictions based on the second analysis; performing a third analysis to determine at least one variable leading to each of the future backup job failure predictions; and sending results of the second analysis and the third analysis to an administrator of a data domain.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: January 18, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Rahul Deo Vishwakarma, Shelesh Chopra, Parmeshwr Prasad
  • Patent number: 11228603
    Abstract: Techniques are disclosed for providing dynamic threat treatment for a software defined networking (SDN) environment. In one example, a software defined networking controller comprises one or more processors, wherein the one or more processors are configured to: determine that a security device of a network has detected a threat; apply the threat to a threat treatment model, wherein the threat treatment model is generated based on threat treatment information that includes one or more steps used to resolve previous instances of the threat or previous instances of similar threats; and generate one or more treatment processes to resolve the threat based on the threat treatment model.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: January 18, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Ajay Anand
  • Patent number: 11228604
    Abstract: In one aspect, a computer-implemented method of detecting network security threats comprises the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.
    Type: Grant
    Filed: December 24, 2020
    Date of Patent: January 18, 2022
    Assignee: Senseon Tech Ltd
    Inventors: James Mistry, David Atkinson
  • Patent number: 11222034
    Abstract: Systems, methods, and articles of manufacture provide for rolling long-term data storage. Optimized or enhanced rolling long-term data storage may, for example, increase processing performance and reduce operational burdens on memory resources associated with execution of analytical models.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: January 11, 2022
    Assignee: Gamesys Ltd.
    Inventors: Joshua Richard Watkins, Juan Fernando Cervera Parrilla
  • Patent number: 11216555
    Abstract: A system and method is provided for providing a set of convolutions to a computing device for detecting anomalous events occurring in an operating system of the computing device. An exemplary method includes launching an agent in an operating system of a client device, registering, by the agent, events occurring in the operating system, for each registered event, determining a context of the event, wherein the context comprises a call stack at a moment of occurrence of the event, selecting a set of features based on the call stack of the event, generating a convolution based on the selected set of features of the event and the context of the event, and adding the generated convolution to a set of convolutions of events occurring on client devices, and providing, to a client device from which a request is received, the set of convolutions of events occurring on client devices.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: January 4, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexey V. Monastyrsky, Mikhail A. Pavlyushchik, Alexey M. Romanenko, Maxim Y. Golovkin
  • Patent number: 11218357
    Abstract: Described herein are systems, methods, and software to enhance incident response for an information technology (IT) environment. In one implementation, an incident service identifies an incident in the IT environment and determines a correlation between the incident and other incidents in the IT environment. Once correlated, the incident service aggregates incident data of the incident with incident data of the other incidents and generates a summary using the aggregated incident data.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: January 4, 2022
    Assignee: Splunk Inc.
    Inventors: Govind Salinas, Sourabh Satish, Robert John Truesdell
  • Patent number: 11218448
    Abstract: A method of processing malicious events in a network infrastructure determines features of malicious events detected by a firewall of an attack analyzer. Example features may indicate an origin of an attack, a target of the attack, or a type of a malicious event. The attack analyzer determines distances, e.g., using a non-Euclidean distance function, between features of a given malicious event and features of statistical distribution objects (SDOs). The SDOs describe clusters of previously detected malicious events. The attack analyzer may select one of the SDOs that has features similar to those of the given malicious event. The attack analyzer can update the SDOs by including an alert of the given malicious event with an existing cluster or generating a new cluster including the alert. The attack analyzer may transmit information describing the clusters of the SDOs to a management console.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: January 4, 2022
    Assignee: IMPERVA, INC.
    Inventors: Gilad Yehudai, Itsik Mantin, Lior Fisch, Shelly Hershkovitz, Amichai Shulman, Moran Rachel Ambar
  • Patent number: 11216299
    Abstract: In some variants, computing systems and methods are described in regard to establishing a version of a first operating system in a first computing environment monitored by a support interface (e.g. a hypervisor) and a version of a second operating system in a second environment also monitored by the support interface(s), so that the version of the first operating system supports a resource (e.g. a process) in the first computing environment; allowing the support interface to advance the first application function to, and then pause the first application function in, an operational state characterized by one or more operating parameters; and establishing a polymorphed or other aliased second support interface to which to migrate the paused resource when appropriate.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: January 4, 2022
    Assignee: POLYVERSE CORPORATION
    Inventor: Mariusz G. Borsa
  • Patent number: 11218881
    Abstract: In various embodiments, a wireless device processor may determine a threat score for a first cell, determine whether the first cell threat score is below a first threat score threshold, update a good neighbor cell data structure using neighbor cell information from the first cell in response to determining that the first cell threat score is below the first threat score threshold, perform cell reselection to a second cell, determine whether the second cell transmits a system information block (SIB) message indicating fake neighbor cell information, increase a threat score for the second cell in response to determining that the second cell provides the SIB message indicating fake neighbor cell information and that a good neighbor cell data structure includes an indication of one or more good neighbor cells that are within the time threshold and the location threshold, and perform countermeasures in response to the determination.
    Type: Grant
    Filed: October 14, 2020
    Date of Patent: January 4, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Subrato Kumar De, Sivasubramanian Ramalingam, Ankur Bhattacharjee, Rahul Chandrashekar Sahukar, Muralidharan Murugan, Mattias Kaulard Huber, Krishna Ram Budhathoki, Syam Prasad Reddy Battula, Sattwik Nandi, Harshpreet Singh, Gaurav Singh, Rishika Tindola, Arvind Vardarajan Santhanam, Nitin Pant
  • Patent number: 11216564
    Abstract: A system and method is provided for improving data movement perimeter monitoring, and detecting non-compliant data movement within a computing environment. The perimeter monitoring process includes generating a forwarding configuration associated with activity logs, such as activity logs associated with a test environment. The forwarding configuration may include specific fields and file types or the contents of those specific fields and files that facilitate, or are necessary for, perimeter monitoring or otherwise determining which activity log data elements are needed by the “operational intel tool” to reduce, or even substantially reduce, the amount of data input or analyzed by the operational intel tool, and thus, to reduce its processing load. The forwarding configuration is input into an “operational intel tool”. Mainframe data is normalized and analyzed to identify abnormal data flows and generate electronic alerts to facilitate perimeter monitoring.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 4, 2022
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Richard J. Bush, Jr., Zebediah R. Black
  • Patent number: 11212299
    Abstract: A cybersecurity platform is described that processes collected data using a data model to identify and link anomalies in order to identify and generate security events and intrusions. The platform generates graph data structures using the security anomalies extended using additional data. The graph data structures represent links between nodes, the links being events, the nodes being machines and user accounts. The platform processes the graph data structures by combining similar nodes or grouping security events with common features into behaviour indicative of a single or multiple security events, to identify chains of events which together represent an attack.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: December 28, 2021
    Assignee: Royal Bank of Canada
    Inventors: Jamie Gamble, Sahar Rahmani, Amitkumar Tiwari
  • Patent number: 11212259
    Abstract: A method, system, and computer-usable medium are disclosed for performing packet processing of network traffic on a master security device of a plurality of security devices, such packet processing including connection tracking for the network traffic, and offloading packet inspection of the network traffic to one or more slave security devices of the plurality of security devices.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: December 28, 2021
    Assignee: Forcepoint LLC
    Inventors: Mika Lansirinne, Valtteri Rahkonen, Pekka Riikonen
  • Patent number: 11212314
    Abstract: The invention proposes a method for an object (1) to communicate with a server (2) of a connected objects network to report that a clone may be impersonating the object in the network, which method comprises the following steps implemented by the object (1): transmitting (106) to the server (2) a request from the object (1) to join the connected objects network; after transmitting the join-request, detecting (110) whether a reference message (uplink) transmitted by the object (1) to the server (2) was rejected or ignored; in response to the detection, transmitting (114) to the server (2) an alert message indicating the rejection or ignoring.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: December 28, 2021
    Assignee: IDEMIA IDENTITY & SECURITY FRANCE
    Inventors: Yoann Fages-Tafanelli, Aurélien Cuzzolin, Fabien Blanco, Maël Berthier
  • Patent number: 11203348
    Abstract: A system for predicting and interpreting driving behavior of a vehicle includes a first edge computing device that can acquire spatial-temporal data for the vehicle from one or more sensors that are part of traffic infrastructure. The first edge computing device includes a processor and instructions executable by the processor that execute unsupervised deep learning methods on the data from the sensors to cluster the data into segments and integrate a language model with the deep learning method to output driving behavior in a natural language. The instructions further include normalizing the data, processing the data with a first artificial neural network (ANN) to output a first vector, processing the clustered data segments with a second ANN to output a second vector, concatenating the vectors into a single vector, and processing the single vector with a third ANN to output a predicted driving behavior of the vehicle.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: December 21, 2021
    Assignee: DENSO International America, Inc.
    Inventors: Wei Zhang, Joseph Lull, Rajesh Kumar Malhan
  • Patent number: 11206542
    Abstract: The disclosed technology includes a method and system for preventing or reducing cyber-attacks in a 5G network. The system can register, by a computing device associated with the 5G network, a connected device with the 5G network and request a personalized signature from the connected device. The system can create a schedule for the personalized signature to be sent from the connected device to the 5G network and send the connected device the schedule. The 5G network can monitor for the personalized signature at the times in the schedule. In response to not receiving the personalized signature from the connected device at a scheduled time in the schedule, the system can determine that the connected device is at risk of a cyber-attack. In response to determining that the connected device is at risk of the cyber-attack, the system can deauthorize the connected device.
    Type: Grant
    Filed: May 14, 2020
    Date of Patent: December 21, 2021
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Sunil Lingayat
  • Patent number: 11201883
    Abstract: Disclosed is a computer security device configured to monitor data traffic between computing devices on a local area network and an external network in order to protect the local area network against unauthorized access and data exfiltration. Such computer security device includes each of a data transport module, a management information module, and a data storage module, each of which are operable independently of the other modules, but which modules together form the single computer security device. The computer security device is configured for connection between a router on a local network that is to be protected and a wide area network, such as the Internet, which such local network communicates with.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: December 14, 2021
    Assignee: SECULORE SOLUTIONS, LLC
    Inventors: Timothy J. Lorello, Alexander James Lorello
  • Patent number: 11201896
    Abstract: Disclosed herein are methods, systems, and processes for validating vulnerabilities using lightweight offensive payloads. An attack payload limited by an execution scope that includes pre-defined exploit features for validating code execution associated with a vulnerability is generated. The attack payload is transmitted to a target computing system and a confirmation of the code execution based on at least one pre-defined exploit feature is received, permitting a determination that the vulnerability has been validated.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: December 14, 2021
    Assignee: Rapid7, Inc.
    Inventors: Brendan Watters, Brent Cook
  • Patent number: 11200314
    Abstract: Examples associated with ransomware attack monitoring are described. One example includes a monitor module to monitor files stored on the system for sequences of file accesses that match a predefined pattern of file accesses. An investigation module is activated when a number of sequences of file accesses that match the predefined pattern exceeds a first threshold. The investigation module logs actions taken by processes to modify files. A reaction module pauses a set of processes operating on the system when the number of sequences of file accesses that match the predefined pattern exceeds a second threshold. The reaction module then identifies processes associated with a suspected ransomware attack based on the logging performed by the investigation module, and resumes legitimate processes.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: December 14, 2021
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Daniel Ellam, Adrian Baldwin, Remy Husson
  • Patent number: 11201876
    Abstract: A computer implemented method to identify malicious software in a computer system includes receiving an indication of a detection of malicious network traffic communicated via a computer network accessed by the computer system; identifying a software component involved in the malicious network traffic at the computer system; evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of the software component; and storing the measure of CFD for subsequent comparison with a second measure of CFD for a corresponding portion of a second software component in the computer system to identify the second software component as a software component involved in malicious network communication.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: December 14, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: George Kallos, Fadi El-Moussa
  • Patent number: 11201884
    Abstract: An apparatus includes multiple interfaces configured to be coupled to multiple communication buses, where the interfaces are configured to receive bus traffic transmitted over the communication buses. The apparatus also includes one or more processing devices configured to implement an intrusion detection system. The intrusion detection system is configured to analyze the bus traffic received via one or more of the interfaces to identify anomalous bus traffic. The one or more processing devices are configured to execute multiple processes to concurrently analyze the bus traffic, and the multiple processes are configured to perform different analyses of the bus traffic.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: December 14, 2021
    Assignee: Raytheon Company
    Inventors: Gregory A. Ladd, L. John Durkop, III, Cody Ray Herndon
  • Patent number: 11201802
    Abstract: An infrastructure metrics measuring process provides relevant infrastructure metrics for components of a monitored system. The process retrieves and stores application user data for a plurality of applications running on a network system, and operating system statistics for at least one operating system running at least one of the plurality of applications running on the network system. The data is aggregated into at least one of a transactional data stream and a non-transactional data stream and correlated onto a common time scale. The correlated aggregated data stream is then graphically displayed to a user for further analysis by the user.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: December 14, 2021
    Assignee: W.W. Grainger, Inc.
    Inventors: Colin Sidi, Stephen S. Haskell, Abhijit Naik, Deepak Rathi
  • Patent number: 11200315
    Abstract: An AI-based malware detection method is provided. The method includes inputting malware binary data, extracting metadata from the inputted malware binary data, converting the extracted metadata into image data, and training a neural network on the converted image data to classify malware. Malware binary data can be effectively classified by converting the binary data to image data and analyzed through deep learning-based image models. In addition, results from the AI detection algorithm technology can be displayed visually for easy interpretation.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: December 14, 2021
    Assignee: CTILAB CO., LTD.
    Inventor: Hong Yeon Cho
  • Patent number: 11194903
    Abstract: A computing device can install and execute a security agent that interacts with a remote security system as part of a detection loop aimed at detecting malicious attacks. The remote security system can receive observed activity patterns from the security agents associated with the computing devices. The remote security system can filter the observed activity patterns to identify “interesting” activity patterns, or activity patterns presenting indications of an attack, including any cross-machine activity. If a first host device is flagged for further threat analysis based on its filtered activity patterns, and at least one of the filtered activity patterns includes remotely accessing a second host device, then the second host device may also be flagged for further threat analysis.
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: December 7, 2021
    Assignee: Crowd Strike, Inc.
    Inventors: Paul Edwards, Jaron Bradley, John Lee
  • Patent number: 11194910
    Abstract: Provided herein are methods, systems, and computer program products for intelligent detection of multistage attacks which may arise in computer environments. Embodiments herein leverage adaptive graph-based machine-learning solutions that can incorporate rules as well as supervised learning for detecting multistage attacks. Multistage attacks and attack chains may be detected or identified by collecting data representing events, detections, and behaviors, determining relationships among various data, and analyzing the data and associated relationships. A graph of events, detections, and behaviors which are connected by edges representing relationships between nodes of the graph may be constructed and then subgraphs of the possibly enormous initial graph may be identified which represent likely attacks.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: December 7, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anisha Mazumder, Craig Henry Wittenberg, Daniel L. Mace, Haijun Zhai, Seetharaman Harikrishnan, Ram Shankar Siva Kumar, Yogesh K. Roy
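    The graph construction this abstract describes, as an added illustration that is not the patent's claimed method or Microsoft's code: every event is a node, two events are joined when they share an entity (the keys host, user and hash are this example's assumption), and a connected subgraph that spans several kill-chain stages is reported as a likely attack chain. The event records and stage labels are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed telemetry (synthetic, not from any product). Each record is one
# detection or behaviour together with the entities it involves.
EVENTS = [
    {"id": 1, "stage": "initial_access",   "host": "ws1",  "user": "alice", "hash": "h1"},
    {"id": 2, "stage": "execution",        "host": "ws1",  "user": "alice", "hash": "h2"},
    {"id": 3, "stage": "persistence",      "host": "ws1",  "user": "alice", "hash": "h2"},
    {"id": 4, "stage": "lateral_movement", "host": "ws1",  "user": "alice", "hash": "h3"},
    {"id": 5, "stage": "lateral_movement", "host": "srv1", "user": "alice", "hash": "h3"},
    {"id": 6, "stage": "execution",        "host": "ws2",  "user": "bob",   "hash": "h9"},
    {"id": 7, "stage": "execution",        "host": "ws3",  "user": "carol", "hash": "h8"},
]

# Entity keys that create an edge between two events (assumption of this example).
RELATION_KEYS = ("host", "user", "hash")


def build_graph(events: List[dict]) -> Dict[int, Set[int]]:
    """Undirected graph: an edge joins two events that share any relation entity."""
    by_entity: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for e in events:
        for key in RELATION_KEYS:
            by_entity[(key, e[key])].append(e["id"])
    adj: Dict[int, Set[int]] = {e["id"]: set() for e in events}
    for ids in by_entity.values():
        for i in ids:
            for j in ids:
                if i != j:
                    adj[i].add(j)
    return adj


def connected_components(adj: Dict[int, Set[int]]) -> List[Set[int]]:
    """Iterative DFS; each component is a candidate subgraph of the full event graph."""
    seen: Set[int] = set()
    components: List[Set[int]] = []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        components.append(comp)
    return components


def likely_attacks(events: List[dict], min_stages: int = 3):
    """Rule layer: report components whose events span at least min_stages stages.

    Returns (sorted event ids, sorted stages, sorted hosts) per qualifying subgraph.
    """
    by_id = {e["id"]: e for e in events}
    results = []
    for comp in connected_components(build_graph(events)):
        stages = {by_id[i]["stage"] for i in comp}
        hosts = {by_id[i]["host"] for i in comp}
        if len(stages) >= min_stages:
            results.append((sorted(comp), sorted(stages), sorted(hosts)))
    return results


if __name__ == "__main__":
    for ids, stages, hosts in likely_attacks(EVENTS):
        print("attack chain", ids, "stages", stages, "hosts", hosts)
```

    The stage-count rule is only the cheapest filter; joining events on very common entities (a shared hash of a system binary, a service account used everywhere) would merge unrelated activity into one enormous component, which is why a real system weights edges or excludes high-frequency entities before extracting subgraphs.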
  • Patent number: 11196766
    Abstract: An object may be received by a serverless computing system, such as a distributed object storage system, to be processed using serverless functions of the distributed object storage system. The object includes object metadata indicating an attribute of the object. The content of the object, such as the object's header is analyzed and the attribute indicated in the object metadata is validated based on the content of the object. The object analysis is performed using one or more scripts at an object-based storage level of the distributed object storage. A validation event is published indicating a validation status of the attribute. Serverless computing functions of the distributed object storage system may determine whether to process the object based on the validation status indicated in the validation event.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: December 7, 2021
    Assignee: Red Hat, Inc.
    Inventors: Huamin Chen, Yehuda Sadeh-Weinraub
  • Patent number: 11194905
    Abstract: A network-accessible cyber-threat security analytics service is configured to characterize and respond to a description that includes threat indicators (e.g., IOCs), and an initial severity. Enterprises register with the service by providing identifying information, such as industry, geographies, and the like. For each threat indicator, a query is sent to each of a set of one or more security knowledge bases, and at least some of the queries are scoped by the enterprise industry/geo information specified. The knowledge bases may vary but typically include: a managed security service, a cyber threat intelligence service, and a federated search engine that searches across one or more enterprise-connected data sources. Responses to the queries are collected. A response provides an indication whether the threat indicator identified in the query has been sighted in the knowledge base and the frequency.
    Type: Grant
    Filed: April 9, 2019
    Date of Patent: December 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: Barny S. Sanchez, Duc H. Nguyen, Edward P. Gurnee, Ratnakar Pawar, Carlos J. Muentes
  • Patent number: 11195120
    Abstract: Methods and systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, train a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: December 7, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Blake Harrell Anderson, David McGrew, Subharthi Paul
  • Patent number: 11194900
    Abstract: Trampoline and return-oriented programming attacks employ a variety of techniques to maliciously execute instructions on a device in a manner different from a legitimate programmer's original intent. By instrumenting a device to detect deviations from predicted behavior, these exploits can be identified and mitigated.
    Type: Grant
    Filed: April 14, 2020
    Date of Patent: December 7, 2021
    Assignee: Sophos Limited
    Inventors: Erik Jan Loman, Lute Edwin Engels, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11194691
    Abstract: A computer-implemented method for anomaly detection based on deep learning includes acquiring a plurality of records, each record having a corresponding number of attributes, identifying outliers in the plurality of records using labels generated from processing the plurality of records through an ensemble of different deep learning models, wherein an output of at least one model is used as an input to at least one other model, and detecting anomalies in the plurality of records using a probabilistic classifier based on the plurality of records and the labels.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: December 7, 2021
    Assignee: GURUCUL SOLUTIONS, LLC
    Inventors: Nilesh Dherange, Saryu Nayyar, Naveen Vijayaraghavan, Puneet Gajria, Aruna Rajasekhar
  • Patent number: 11197159
    Abstract: Latency can be reduced within a network associated with a wireless service provider when detecting threats to the network. Instead of detecting threats before delivering data, data can be delivered to a computing device while threats to the network are detected. When data is received, as received data, at the network, a copy of the data can be provided to a threat detection component, while the received data can further be provided to the target computing device based on the current policies. The time it takes the threat detection component to examine the data and detect a possible threat to the mobile network does not impact the delivery of the data. Instead, the received data is provided to the target computing device while the threat detection component examines the data to identify any possible threats. The threat detection component signals a node within the network when a threat is detected.
    Type: Grant
    Filed: March 12, 2019
    Date of Patent: December 7, 2021
    Assignee: T-Mobile USA, Inc.
    Inventor: Sireen Malik
  • Patent number: 11194902
    Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack using hardware counter anomaly detection circuitry to select a subset of HPCs demonstrating anomalous behavior in response to a side-channel attack. The hardware counter anomaly detection circuitry includes data collection circuitry to collect data from a plurality of HPCs, time/frequency domain transform circuitry to transform the collected data to the frequency domain, and one-class support vector anomaly detection circuitry to detect anomalous or aberrant behavior by the HPCs. The hardware counter anomaly detection circuitry selects the HPCs having reliable and consistent anomalous activity or behavior in response to a side-channel attack and groups those HPCs into a side-channel attack detection HPC sub-set that may be communicated to one or more external devices.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: December 7, 2021
    Assignee: Intel Corporation
    Inventors: Li Chen, Kai Cong, Salmin Sultana
  • Patent number: 11190488
    Abstract: Adaptive security filtering on a client device. A method may include applying a data filter to a client device to obtain a first set of data associated with the client device, determining a risk level of a datum of the first set of data, determining a resource level associated with obtaining the first set of data, adjusting the data filter to an adjusted filter based on the determined risk level of the datum and the determined resource level, and applying the adjusted filter to the client device.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: November 30, 2021
    Assignee: NORTONLIFELOCK INC.
    Inventors: Daniel Marino, Daniel Kats, Brian Schlatter
  • Patent number: 11188643
    Abstract: Methods, apparatus, systems and articles of manufacture for detecting a side channel attack using hardware performance counters are disclosed. An example apparatus includes a hardware performance counter data organizer to collect a first value of a hardware performance counter at a first time and a second value of the hardware performance counter at a second time. A machine learning model processor is to apply a machine learning model to predict a third value corresponding to the second time. An error vector generator is to generate an error vector representing a difference between the second value and the third value. An error vector analyzer is to determine a probability of the error vector indicating an anomaly. An anomaly detection orchestrator is to, in response to the probability satisfying a threshold, cause the performance of a responsive action to mitigate the side channel anomaly.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: November 30, 2021
    Assignee: INTEL CORPORATION
    Inventors: Li Chen, Abhishek Basak, Salmin Sultana, Justin Gottschlich
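    The predict-then-compare pipeline of this abstract, as an added illustration rather than the patent's method or Intel's code: counter values at successive times, a model that predicts the next value, an error vector of observed minus predicted, a probability that each error is not baseline noise, and a responsive action once that probability passes a threshold. The "machine learning model" here is a least-squares AR(1) fit, a deliberate stand-in; the counter samples are synthetic and stand for something like last-level-cache misses per sampling window, not measured values.

```python
import math
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed baseline samples of one hardware performance counter during normal
# operation (synthetic values, not measured with perf or perf_event_open).
BASELINE = [1000, 1020, 990, 1010, 1005, 995, 1015, 1000, 1008, 992,
            1003, 1011, 997, 1006, 1001, 999, 1013, 1002, 994, 1007]

# Constructed window in which a cache probe drives the counter far above baseline.
ATTACK_WINDOW = [1004, 998, 4100, 4300, 4250, 1002]

Model = Tuple[float, float]


def fit_ar1(series: List[float]) -> Model:
    """Least-squares fit of x[t] = a * x[t-1] + b (stand-in for the learned model)."""
    xs, ys = series[:-1], series[1:]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    return a, my - a * mx


def error_vector(series: List[float], model: Model) -> List[float]:
    """Observed value at time t minus the value predicted from time t-1."""
    a, b = model
    return [y - (a * x + b) for x, y in zip(series[:-1], series[1:])]


def calibrate(baseline: List[float]):
    """Fit the model and learn the noise level of its errors on clean data."""
    model = fit_ar1(baseline)
    errs = error_vector(baseline, model)
    return model, mean(errs), max(pstdev(errs), 1e-9)


def anomaly_probability(err: float, mu: float, sigma: float) -> float:
    """Probability that an error of this size is not baseline noise (two-sided Gaussian)."""
    z = abs(err - mu) / sigma
    return math.erf(z / math.sqrt(2.0))


def detect(window: List[float], model: Model, mu: float, sigma: float,
           threshold: float = 0.999) -> List[int]:
    """Indices into `window` whose error probability satisfies the threshold."""
    flagged = []
    for i, err in enumerate(error_vector(window, model)):
        if anomaly_probability(err, mu, sigma) >= threshold:
            flagged.append(i + 1)  # error i predicts sample i+1
    return flagged


def respond(flagged: List[int]) -> str:
    """Orchestrator stand-in: pick a mitigation when any sample is anomalous."""
    return "isolate_core_and_flush_caches" if flagged else "none"


if __name__ == "__main__":
    model, mu, sigma = calibrate(BASELINE)
    hits = detect(ATTACK_WINDOW, model, mu, sigma)
    print("anomalous samples:", hits, "action:", respond(hits))
```

    Calibrating sigma on clean data is what makes the threshold meaningful; the same pipeline run on the baseline itself should raise nothing, and the sample immediately after the spike can still be flagged because the model was fed an anomalous previous value, which a deployment would handle by ignoring errors computed from already-flagged inputs.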
  • Patent number: 11188641
    Abstract: Provided are a computer program product, system, and method for detecting a security breach in a system managing access to a storage. Process Input/Output (I/O) activity by a process accessing data in a storage is monitored. A determination is made of a characteristic of the data subject to the I/O activity from the process. A determination is made as to whether a characteristic of the process I/O activity as compared to the characteristic of the data satisfies a condition. The process initiating the I/O activity is characterized as a suspicious process in response to determining that the condition is satisfied. A security breach is indicated in response to characterizing the process as the suspicious process.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: November 30, 2021
    Assignee: International Business Machines Corporation
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 11188649
    Abstract: Methods and systems are described in the present disclosure for classifying malicious objects. In an exemplary aspect, a method includes: collecting data describing a state of an object of the computer system, forming a vector of features, calculating a degree of similarity based on the vector, calculating a limit degree of difference that is a numerical value characterizing the probability that the object being classified will certainly belong to another class, forming a criterion for determination of class of the object based on the degree of similarity and the limit degree of difference, determining that the object belongs to the determined class when the data satisfies the criterion, wherein the data is collected over a period of time defined by a data collection rule and pronouncing the object as malicious when it is determined that the object belongs to the specified class.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: November 30, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11188645
    Abstract: A first application being presented for installation on a processing system can be detected. The first application can be scanned, via a static analysis, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. If the static analysis is indeterminate, a runtime analysis of the first application can determine whether the interface layout implemented by the first application is suspiciously similar to the user interface layout of the second application. If the user interface layout implemented by the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, the first application can be identified as being unsafe.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: November 30, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Roee Hay, Daniel Kalman, Roi Saltzman, Omer Tripp
  • Patent number: 11190538
    Abstract: An apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method (1) to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks; and/or (2) that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. This can include implementing an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: November 30, 2021
    Assignee: RiskSense, Inc.
    Inventors: Anand Paturi, Srinivas Mukkamala
  • Patent number: 11184388
    Abstract: A method of providing an alert of an occurrence of a hacker intrusion, the method comprising: detecting a hacker intrusion; and transmitting a concealed or camouflaged report of the hacker intrusion to provide an alert of the occurrence of the intrusion.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: November 23, 2021
    Assignee: Argus Cyber Security Ltd.
    Inventors: Amos Shalev, Yaron Galula
  • Patent number: 11184377
    Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled of sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 23, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
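    The two per-source statistics and the whitelist rule in this abstract, as an added example that is not the patent's implementation or Palo Alto Networks code: scans are reduced to (period, source, destination) records, each source gets its average number of destinations per active period and its fraction of active periods, sources over either threshold are whitelisted, and a scan from any other source in a later period triggers the preventive action. Addresses, period counts and thresholds are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Scan = Tuple[int, str, str]  # (period, source, destination)


def make_history() -> List[Scan]:
    """Constructed scan history over 10 periods (synthetic, not captured traffic)."""
    scans: List[Scan] = []
    # Sanctioned vulnerability scanner: sweeps 40 hosts in every period.
    for period in range(1, 11):
        for i in range(1, 41):
            scans.append((period, "10.0.0.5", f"10.0.2.{i}"))
    # Monitoring probe: touches only 3 hosts, but in 8 of the 10 periods.
    for period in range(1, 9):
        for i in (1, 2, 3):
            scans.append((period, "10.0.0.9", f"10.0.3.{i}"))
    # One-off sweep of 12 hosts from an external address in a single period.
    for i in range(1, 13):
        scans.append((7, "203.0.113.7", f"10.0.2.{i}"))
    return scans


def source_stats(scans: List[Scan], num_periods: int) -> Dict[str, Tuple[float, float]]:
    """Per source: (average distinct destinations per active period, fraction of active periods)."""
    per_period: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for period, src, dst in scans:
        per_period[src][period].add(dst)
    stats = {}
    for src, by_period in per_period.items():
        avg_dst = sum(len(d) for d in by_period.values()) / len(by_period)
        frac = len(by_period) / num_periods
        stats[src] = (avg_dst, frac)
    return stats


def build_whitelist(stats: Dict[str, Tuple[float, float]],
                    min_avg_destinations: float, min_period_fraction: float) -> Set[str]:
    """A source is whitelisted when either threshold is exceeded (the abstract's 'one or more')."""
    return {src for src, (avg_dst, frac) in stats.items()
            if avg_dst > min_avg_destinations or frac > min_period_fraction}


def detect_scans(scans: List[Scan], whitelist: Set[str]) -> List[Tuple[int, str]]:
    """(period, source) pairs that scanned without being whitelisted; each warrants action."""
    return sorted({(p, s) for p, s, _ in scans if s not in whitelist})


# Constructed traffic for the next period: the scanner sweeps again, a new host probes 5 targets.
NEW_PERIOD: List[Scan] = (
    [(11, "10.0.0.5", f"10.0.2.{i}") for i in range(1, 41)]
    + [(11, "198.51.100.4", f"10.0.2.{i}") for i in range(20, 25)]
)

if __name__ == "__main__":
    stats = source_stats(make_history(), num_periods=10)
    allowed = build_whitelist(stats, min_avg_destinations=20, min_period_fraction=0.5)
    for period, src in detect_scans(NEW_PERIOD, allowed):
        print(f"period {period}: scan from non-whitelisted {src}, initiating preventive action")
```

    Because the conditions are disjunctive, the destination threshold has to sit above anything a single-period sweep by an intruder would reach; in the example the 12-host external sweep stays below the threshold of 20 and is not whitelisted, while the 3-host probe qualifies on regularity alone.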
  • Patent number: 11182482
    Abstract: A way to track data from an untrusted source as it moves through memory in original or modified form. A probe is placed on a data reception call of a program. When the probe is triggered by execution of the data reception call for a piece of data, a location where the piece of data is to be stored is marked. When a program instruction requests access to the marked location, instrumentation code is injected subsequent to the program instruction to track the flow of the piece of data. When the instrumentation code is executed, the next location where the piece of data will be stored is determined and marked as well. A threat analyzer is invoked to analyze the marked locations for threats.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: November 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Prateek Goel, Brahadambal Srinivasan
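    The tracking scheme this abstract describes, as an added illustration and not the patent's mechanism or IBM code: a probe on the data reception call marks the location where untrusted data lands, any instruction that reads a marked location gets its destination marked too (so modified copies stay tracked), and a threat analyzer inspects the marked locations when they reach a dangerous call. The instruction trace is a constructed three-address toy format, and the sink list is this example's assumption; a real implementation instruments machine code rather than interpreting tuples.

```python
from typing import Dict, List, Set, Tuple

# Constructed instruction trace (toy format, synthetic):
#   ("recv", dst)            data reception call; dst receives untrusted bytes
#   ("const", dst, value)    dst is overwritten with program-controlled data
#   ("mov", dst, src)        dst becomes a copy of src
#   ("concat", dst, a, b)    dst is derived from a and b (modified form of the data)
#   ("call", fn, arg)        fn is invoked with arg
PROGRAM: List[Tuple[str, ...]] = [
    ("recv", "buf"),
    ("mov", "tmp", "buf"),
    ("const", "prefix", "ls "),
    ("concat", "cmd", "prefix", "tmp"),
    ("call", "log", "prefix"),
    ("call", "system", "cmd"),
    ("const", "tmp", "clean"),
    ("call", "system", "tmp"),
]

# Calls whose argument must never carry untrusted data (assumed for the example).
SINKS = {"system", "exec"}

Finding = Tuple[int, str, str, str]  # (pc, sink, location, origin of the data)


def track(program: List[Tuple[str, ...]], sinks: Set[str]):
    """Return (marked locations after the run, threat analyzer findings)."""
    marked: Set[str] = set()
    origin: Dict[str, str] = {}
    findings: List[Finding] = []
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "recv":
            # Probe fires on the reception call: mark where the data is stored.
            marked.add(ins[1])
            origin[ins[1]] = f"recv@{pc}"
        elif op == "const":
            # Overwritten with trusted data: the location is no longer marked.
            marked.discard(ins[1])
            origin.pop(ins[1], None)
        elif op in ("mov", "concat"):
            # Instrumentation injected after a read of a marked location:
            # the next location the data flows into is marked as well.
            dst, sources = ins[1], ins[2:]
            hits = [s for s in sources if s in marked]
            if hits:
                marked.add(dst)
                origin[dst] = origin[hits[0]]
            else:
                marked.discard(dst)
                origin.pop(dst, None)
        elif op == "call":
            # Threat analyzer: a marked location reaching a sink is a finding.
            fn, arg = ins[1], ins[2]
            if fn in sinks and arg in marked:
                findings.append((pc, fn, arg, origin[arg]))
        else:
            raise ValueError(f"unknown op {op!r} at pc {pc}")
    return marked, findings


if __name__ == "__main__":
    marked, findings = track(PROGRAM, SINKS)
    for pc, fn, loc, src in findings:
        print(f"pc {pc}: {fn}({loc}) receives data originating at {src}")
    print("still marked:", sorted(marked))
```

    The interesting cases are the two that a naive "was it read from the socket" check gets wrong: `cmd` never received bytes directly but is derived from `tmp`, so it is reported, while `tmp` is cleared once it is overwritten with trusted data, so the second `system` call is not.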