Intrusion Detection Patents (Class 726/23)
  • Patent number: 11777962
    Abstract: A method for machine learning-based detection of an automated fraud or abuse attack includes: identifying, via a computer network, a digital event associated with a suspected automated fraud or abuse attack; composing, via one or more computers, a digital activity signature of the suspected automated fraud or abuse attack based on digital activity associated with the suspected automated fraud or abuse attack; computing, via a machine learning model, an encoded representation of the digital activity signature; searching, via the one or more computers, an automated fraud or abuse signature registry based on the encoded representation of the digital activity signature; determining a likely origin of the digital event based on the searching of the automated fraud or abuse signature registry; and selectively implementing one or more automated threat mitigation actions based on the likely origin of the digital event.
    Type: Grant
    Filed: December 18, 2022
    Date of Patent: October 3, 2023
    Assignee: Sift Science, Inc.
    Inventors: Kostyantyn Gurnov, Wei Liu, Nicholas Benavides, Volha Leusha, Yanqing Bao, Louie Zhang, Irving Chen, Logan Davis, Andy Cai
  • Patent number: 11777965
    Abstract: Techniques for providing Internet of Things (IoT) security are disclosed. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: October 3, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Du, Mei Wang, Hector Daniel Regalado, Jianhong Xia
  • Patent number: 11770398
    Abstract: A guided anomaly detection framework, including: gathering data describing activity associated with an anomaly detection framework monitoring a cloud deployment; generating, based on the data, a prompt describing one or more natural language inputs for a security workflow, wherein each of the one or more natural language inputs corresponds to a query for information related to the cloud deployment; and providing a selected natural language input to a natural language interface.
    Type: Grant
    Filed: January 11, 2023
    Date of Patent: September 26, 2023
    Assignee: LACEWORK, INC.
    Inventors: Úlfar Erlingsson, Jay Parikh, Yijou Chen
  • Patent number: 11770392
    Abstract: Methods, systems, and computing platforms for data communication are disclosed. A computer-data communication based network, including receiving a set of virtual nodes each with a data payload may include an originating node attribute, an infosec data attribute, a behavioral data attribute, a biometric enterprise attribute and at least one data element associated with the originating node attribute. A machine learning module may learn from across multiple collection points to determine control triggers and control durations. A user anomaly collector/module may be configured to identify an unusual or anomalous usage of an application.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: September 26, 2023
    Assignee: Bank of America Corporation
    Inventors: George Albero, Elijah Clark
  • Patent number: 11768680
    Abstract: An iterative method and device for detecting an approximate area occupied by computer code of a core of an operating system in a memory, the area including one or more ranges. The method includes: detecting at least one target address in the memory; determining a first area delimited by two of these target addresses; disassembling these areas at least into a part determined during the previous iteration; detecting target addresses pointed to in the disassembled areas; and searching for an additional memory range starting after the second target address obtained on the last iteration and including only computer code.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: September 26, 2023
    Assignee: ORANGE
    Inventor: Yacine Hebbal
  • Patent number: 11765187
    Abstract: A system continuously stores metadata results associated with a plurality of ransomware attacks, a plurality of inspection class policy definitions, a plurality of data protection operations, and operational forensics data as machine learning training data, continuously monitors for one of a new security condition and event, detects one of the new security condition and event, determines an appropriate inspection class policy based on the one of the new security condition and event, based on the inspection class policy, determines one to implement of a class of inspection operation, a cyber security analysis, and a data protection operation, and executes one of the class of inspection operation, the cyber security analysis, and the data protection operation based on the machine learning training data.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: September 19, 2023
    Assignee: Cobalt Iron, Inc.
    Inventors: Robert Merrill Marett, Richard Raymond Spurlock, Gregory John Tevis
  • Patent number: 11762992
    Abstract: The present disclosure belongs to the technical field of intrusion detection, specifically provides an intrusion detection method based on an improved immune network algorithm, and an application thereof. The method includes: S1, initializing an antibody group; S2, calculating affinities between antigens and antibodies; S3, searching for a pair of inhomogeneous antigens which have the highest affinities and referred to as a duality antigen; S4, determining a boundary antibody set C; S5, determining a neighbor antibody set; S6, cloning and mutating, according to the affinities, obsolete antibodies to update a subnetwork to which the antigens belong; S7, calculating an average affinity between the antibodies in the boundary antibody set C and the antigens in the duality antigen; and S8, inhibiting the network, and simplifying the network to output a result network subset. The solution has relatively high detection accuracy and relatively low false alarm rate.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: September 19, 2023
    Assignee: Hubei University
    Inventors: Chao Yang, Beijun Li, Zhen Cheng, Aoran Luo, Jianfeng He
  • Patent number: 11764959
    Abstract: Disclosed is a neural network enabled interface server and blockchain interface establishing a blockchain network implementing event detection, tracking and management for rule based compliance, with significant implications for anomaly detection, resolution and safety and compliance reporting.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: September 19, 2023
    Assignee: LedgerDomain Inc.
    Inventors: Victor Bovee Dods, Benjamin James Taylor, Leonid Alekseyev
  • Patent number: 11762991
    Abstract: The present disclosure relates to methods, systems, and computer program products for generating an attack kill chain for threat analysis. The method comprises receiving a first security event captured by a first security operation associated with a computing device, and receiving a second security event captured by a second security operation associated with the computing device. The first security event and the second security event are associated with an attack campaign. The method further comprises mapping the first security event to first security data in an attack repository, and mapping the second security event to second security data in the attack repository. The method also comprises determining based on the mapping, one or more attack execution operations for executing the attack campaign associated with the first security event and the second security event. Additionally, the method sequences the one or more attack execution operations to form an attack kill chain.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: September 19, 2023
    Assignee: QUALYS, INC.
    Inventors: Ankur S. Tyagi, Mayuresh Vishwas Dani
  • Patent number: 11762985
    Abstract: Disclosed herein are systems and methods for protecting files indirectly related to user activity. In one exemplary aspect, a method may comprise identifying, on a computing device, a file that is directly accessed by a user of the computing device. The method may comprise determining an application that provides access to the file. The method may comprise identifying a plurality of program files that the application utilizes during execution. For each respective program file of the plurality of program files, the method may comprise determining whether the respective program file is required by the application to provide access to the file and in response to determining that the respective program file is required, determining a type of threat that can target the respective program file. The method may further comprise performing a data protection action on the respective program file based on the type of threat.
    Type: Grant
    Filed: November 19, 2020
    Date of Patent: September 19, 2023
    Assignee: Acronis International GmbH
    Inventors: Alexander Tormasov, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11765590
    Abstract: Methods, systems, and computer readable media for rogue device detection are described. A method may include identifying a device type of a device transmitting data over a network and obtaining one or more uniform resource locators (URLs) from the data, where the one or more URLs form a portion of a request transmitted over the network by the device. The method can also include programmatically analyzing the data to determine a pattern of network data within a given time period. The method can further include determining that the device is a rogue device if the pattern of network data deviates from a baseline pattern of the device type, or at least one of the one or more URLs matches one or more rogue URL criteria. The method can also include taking an action in response to determining the device is a rogue device to improve security of the network.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: September 19, 2023
    Assignee: Sophos Limited
    Inventors: Anil Kaushik, Ravjibhai Kamani Bhaveshkumar
  • Patent number: 11757901
    Abstract: Malicious homoglyphic domain name (MHDN) detection and associated cyber security applications are described. A domain name may be received that may be a potential MHDN. Homoglyphic domain name detection may be performed by, for example, generating a normalized character string corresponding to the input domain name by applying one or more normalization operations to the input domain name, wherein the one or more normalization operations may be configured to reduce homoglyphic characteristics in the input domain name; and generating a plurality of segmentations of the normalized character string, wherein generating each segmentation, of the plurality of segmentations, may comprise segmenting the normalized character string into a respective plurality of segments, and wherein each segmentation may comprise a different plurality of segments. A segmentation may be selected based on cost values corresponding to each respective segmentation determined using a cost function.
    Type: Grant
    Filed: September 16, 2022
    Date of Patent: September 12, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: Vincent Mutolo, Alexander Chinchilli, Sean Moore, Matthew Sparrow, Connor Tess
  • Patent number: 11757920
    Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Risks and vulnerabilities associated with user entities may be represented, in part or in whole, by the behavioral analyses and monitoring of those user entities.
    Type: Grant
    Filed: July 31, 2021
    Date of Patent: September 12, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11757904
    Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: September 12, 2023
    Assignee: Bank of America Corporation
    Inventors: Peggy J. Qualls, Ghada I. Khashab, Sidy Diop, Ajay Jose Paul, Lori Mammoser, Anthony R. Bandos
  • Patent number: 11757879
    Abstract: A computing device detects that another computing device has connected to a network. The computing device determines whether the other computing device is valid and whether the computing device is being utilized for one or more suspicious activities. Based on determining that the other computing device is being utilized for one or more suspicious activities, the computing device determines a location of the other computing device, determines whether a user associated with the other computing device can be identified, and based on determining that the user associated with the other computing device cannot be identified, disables the other computing device, and transmits an alert to security personnel.
    Type: Grant
    Filed: January 24, 2022
    Date of Patent: September 12, 2023
    Assignee: Kyndryl, Inc.
    Inventors: Baiju D. Mandalia, Tung OuYang
  • Patent number: 11757925
    Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: September 12, 2023
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11757928
    Abstract: The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.
    Type: Grant
    Filed: September 1, 2020
    Date of Patent: September 12, 2023
    Assignee: EQUINIX, INC.
    Inventors: Juxiang Teng, Muhammad Durrani, Rupinder Singh Randhawa
  • Patent number: 11757934
    Abstract: An extended browser provides additional protection against lateral propagation of ransomware to an endpoint device. The extended browser may monitor for inbound connection requests having access protocols vulnerable to ransomware attacks. The extended browser may select a certificate provided to an identity provider based on the ransomware threat level based at least in part on the detection of connection requests having access protocols vulnerable to ransomware attacks. Access to SaaS or private enterprise application may be limited or denied in response to detecting connection requests having the vulnerable access protocols. The endpoint device may also be part of a VLAN with endpoint device deployed under a default gateway with point-to-point links.
    Type: Grant
    Filed: August 15, 2022
    Date of Patent: September 12, 2023
    Assignee: AIRGAP NETWORKS INC.
    Inventors: Ritesh R. Agrawal, Vinay Adavi, Satish M. Mohan
  • Patent number: 11748480
    Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: September 5, 2023
    Assignee: Arkose Labs Holdings, Inc.
    Inventors: Suresh Chari, Ashish Kundu, Ian Michael Molloy, Dimitrios Pendarakis
  • Patent number: 11750622
    Abstract: Some embodiments of the invention provide a forwarding element that has a data-plane circuit (data plane) that can be configured to implement a DDoS (distributed denial of service) attack detector. The data plane has several stages of configurable data processing circuits, which are typically configured to process data tuples associated with data messages received by the forwarding element in order to forward the data messages within a network. In some embodiments, the configurable data processing circuits of the data plane can also be configured to implement a DDoS attack detector (DDoS detector) in the data plane. In some embodiments, the forwarding element has a control-plane circuit (control plane) that configures the configurable data processing circuits of the data plane, while in other embodiments, a remote controller configures these data processing circuits.
    Type: Grant
    Filed: February 15, 2018
    Date of Patent: September 5, 2023
    Assignee: Barefoot Networks, Inc.
    Inventors: Changhoon Kim, Jeongkeun Lee, Masoud Moshref Javadi
  • Patent number: 11750636
    Abstract: A method for assessing a regular expression for vulnerability to ReDoS attacks includes receiving a regular expression for evaluating a string defined by ordered set of characters from an alphanumeric input device, and evaluating the regular expression for determining if a parsing operation of the string according to the regular expression results in a disproportionate resource consumption. The evaluation determines if the resource consumption constitutes a Regular expression Denial of Service (ReDoS) attack by providing a vulnerability indication of a single valid attack string, rather than attempting to find all possible attack strings. The valid attack string is defined by an input string for which evaluation based on the regular expression would result in disproportionate resource consumption.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: September 5, 2023
    Assignee: Two Six Labs, LLC
    Inventors: Ian T. Blumenfeld, David Renardy
  • Patent number: 11750563
    Abstract: Techniques for providing flow meta data exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow meta data exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: September 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Anand Oswal, Arivu Mani Ramasamy, Bhaskar Bhupalam, Shu Lin
  • Patent number: 11750657
    Abstract: Implementations include receiving an AAG that at least partially defines a digital twin of an enterprise network and includes rule nodes each representing an attack tactic that can be used to move along a path, determining security controls each mitigating at least one rule node, executing an iteration of a simulation of a sub-set of security controls in the enterprise network, the iteration including: for each security control in the set of security controls, determining an influence score that represents a change in a security risk from implementing the security control and a rule distribution, defining the sub-set of security controls based on the first influence scores, and reducing the AAG based on the sub-set of security controls to provide a residual AAG, determining a decrease in a graph risk value and the first AAG, and selectively implementing the sub-set of security controls in the enterprise network.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: September 5, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Alexander Basovskiy, Dmitry Kravchenko, Dan Klein
  • Patent number: 11750631
    Abstract: A system and method to identify and prevent cybersecurity attacks on modern, highly-interconnected networks, to identify attacks before data loss occurs, using a combination of human level, device level, system level, and organizational level monitoring.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: September 5, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11743274
    Abstract: Systems and methods for fraud management are provided. A fraud management system can include a data gatherer operable with a plurality of agent computers for collecting agent activity data from the plurality of agent computers. The system can include a fraud rules database containing fraud rules and a fraud management computing system. The fraud management computing system can be in communication with the data gatherer and the fraud rules database. The fraud management computing system can also include processors and memory devices. The memory devices store instructions that when executed by the processors cause the processors to perform operations. The operations include obtaining the agent activity data using the data gatherer pursuant to collection rules, comparing the agent activity data to the fraud rules, determining whether agent fraud event(s) have occurred based on the comparison and providing fraud alert data based upon the agent fraud event(s).
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: August 29, 2023
    Assignee: Concentrix Corporation
    Inventors: Anil Vl, Vasikar Paulraj, Willys Antony, Muthamil Selvan G, Anil Kumar P
  • Patent number: 11741238
    Abstract: Dynamically generating monitoring tools for software applications, including: inspecting, using static code analysis, a non-executable representation of the application to identify one or more points in an application for monitoring; and for each of the one or more points in the application: generating a monitoring program; and inserting, into an executable representation of the application, the monitoring program at a location in the executable representation of the application that corresponds to the identified point in the application.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: August 29, 2023
    Assignee: LACEWORK, INC.
    Inventors: Christien R. Rioux, Yijou Chen
  • Patent number: 11743286
    Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: August 29, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Min Du, Wenjun Hu, William Redington Hewlett, II
  • Patent number: 11743271
    Abstract: A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: August 29, 2023
    Assignee: COMPUTED FUTURE, INC
    Inventors: Frederick Johannes Venter, Jayendra Pathak, Bruce William Watson
  • Patent number: 11743281
    Abstract: Presented herein are systems and methods for detecting anomalies in microservices. A server may receive a first plurality of metrics from a microservice of a plurality of microservices. Each of the microservices may provide a respective function for an application independently from other microservices. The server may apply the first plurality of metrics to an ensemble of anomaly detection models to generate classifications. Each of the classifications may indicate the first plurality of metrics as one of anomalous or normal from a respective model of the ensemble. The ensemble may be trained using a second plurality of metrics from the microservice. The server may identify a majority of the plurality of classifications as indicating the first plurality of metrics as anomalous. The server may determine that at least one of the first plurality of metrics satisfies a threshold. The server may generate an alert to indicate an anomaly event.
    Type: Grant
    Filed: April 25, 2023
    Date of Patent: August 29, 2023
    Assignee: CITIBANK, N.A.
    Inventors: Sunny Behl, Hariharan Badrinathan
  • Patent number: 11736505
    Abstract: An anomaly detection system that includes a database and a server. The server is connected to the database. The server is configured to identify anomalous web traffic for a certain time period based on one or more client keys from the certain time period. The client key(s) includes at least two characteristics related to web traffic data. The server includes a processing unit and a memory. The server is configured to receive the web traffic data from the database, calculate a z-score metric for the client key, calculate a change rate metric for the client key, calculate a failure metric for the client key, determine an anomaly score based on the z-score metric, the change rate metric, and the failure metric, and determine that the certain time period is an anomalous time period based on the anomaly score.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: August 22, 2023
    Assignee: MASTERCARD TECHNOLOGIES CANADA ULC
    Inventors: John Hearty, Jake Madison, Zhi-Ping Ng, Nicholas Desmond
  • Patent number: 11736504
    Abstract: A surveillance system connectable to a network, comprising a communication module and a management module; said system being configured to, during an initialization phase: a. intercept a first message being sent to a first device; b. intercept a second message said second message being a response from the first device to the first message; c. calculate a time interval between the interception of the first message and the second message; d. repeat the steps a. to c. to determine further time intervals; e. determine a distribution of said time intervals; f. store the distribution and during a surveillance phase, intercept a third message said message being sent to the first device; intercept a fourth message said fourth message being a response to the third message; calculate a new time interval between the interception of the third and fourth messages; and verify that the new time interval is within the distribution.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: August 22, 2023
    Assignee: NAGRAVISION S.A.
    Inventors: Olivier Brique, Patrick Servet
  • Patent number: 11736296
    Abstract: A method for performing biometric authentication is disclosed. In one example, the method includes obtaining first and second biometric templates and comparing them to determine if they match. The method also includes determining if a biometric certification token is valid. A computing device or other device may communicate with a verification system to determine the validity of the biometric certification token.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: August 22, 2023
    Assignee: Visa International Service Association
    Inventor: Quan Wang
  • Patent number: 11734086
    Abstract: Techniques for performing operation-based event suppression are described. In an example, a determination may be performed as to whether an event is to be suppressed if the event is received in response to performance of an operation. The determination may be performed based on at least one of number of actions triggered by the event, frequency of occurrence of the event in an event stream in response to performance of the operation, and frequency of occurrence of the event in the event stream without performance of the first operation.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: August 22, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Naveena Kedlaya, Sharath Karkada Srinivasa, Bindu Loganathan
  • Patent number: 11734420
    Abstract: A snooping invalidation module is implemented at the network interface for a given core, or processing element, of a multicore or manycore device, e.g., NoC device, to discard packets with invalid header flits (e.g., duplicate packets) from being injected into the device, e.g., by a malicious hardware trojan implemented in the network interface. In some embodiments, a data-snooping detection circuit is implemented to detect a source of an on-going attack.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: August 22, 2023
    Assignee: Colorado State University Research Foundation
    Inventors: Sudeep Pasricha, Venkata Yaswanth Raparti
  • Patent number: 11729194
    Abstract: In an embodiment, a process for automatic model monitoring for data streams includes receiving an input dataset, using a machine learning model to determine a model score for each data record of at least a portion of the input dataset, and determining monitoring values. Each monitoring value is associated with a measure of similarity between model scores for those data records of the input dataset within a corresponding moving reference window and model scores for those data records of the input dataset within a corresponding moving target window. The process includes outputting the determined monitoring values.
    Type: Grant
    Filed: June 10, 2022
    Date of Patent: August 15, 2023
    Inventors: Marco Oliveira Pena Sampaio, Fábio Hernäni dos Santos Costa Pinto, Pedro Gustavo Santos Rodrigues Bizarro, Pedro Cardoso Lessa e Silva, Ana Margarida Caetano Ruela, Miguel Ramos de Araújo, Nuno Miguel Lourenço Diegues
  • Patent number: 11728975
    Abstract: Systems are provided for managing access to a log of dataset that is generated when the dataset is accessed. A system stores, with respect to each of a log producer and a log accessor, an encrypted symmetric key for dataset that is encrypted using a corresponding public key. The system returns the encrypted symmetric key for the log producer, such that the log producer can decrypt the dataset that is encrypted using the symmetric key. A log of the dataset is generated when the log producer accesses the dataset.
    Type: Grant
    Filed: September 21, 2021
    Date of Patent: August 15, 2023
    Assignee: Palantir Technologies Inc.
    Inventors: Vaughan Shanks, Andrew Lampert
  • Patent number: 11729144
    Abstract: Methods, systems, and computer-readable media for efficiently detecting threat incidents for cyber threat analysis are described herein. In various embodiments, a computing device, which may be located at a boundary between a protected network associated with the enterprise and an unprotected network, may combine one or more threat indicators received from one or more threat intelligence providers; may generate one or more packet capture and packet filtering rules based on the combined threat indicators; and, may capture or filter, on a packet-by-packet basis, at least one packet based on the generated rules. In other embodiments, a computing device may generate a packet capture file comprising raw packet content and corresponding threat context information, wherein the threat context information may comprise a filtering rule and an associated threat indicator that caused the packet to be captured.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: August 15, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Sean Moore
  • Patent number: 11729135
    Abstract: An information processing apparatus includes a processor configured to detect unauthorized access from a subject terminal to a subject host as a result of inputting subject input data into an autoencoder, an Internet protocol address of the subject terminal and an Internet protocol address of the subject host being used as at least part of the subject input data, the autoencoder having performed learning by using learning data, an Internet protocol address of a terminal and an Internet protocol address of a host to which the terminal has connected being used as at least part of the learning data.
    Type: Grant
    Filed: November 29, 2020
    Date of Patent: August 15, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventors: Ye Sun, Tatsuo Suzuki
  • Patent number: 11720667
    Abstract: A method, system, and computer program product for performing microservice-aware reference policy checking that accept stateful security policies. The method may include receiving a security policy for a container that is part of a microservice architecture. The method may also include obtaining a first effect graph of the security policy, resulting in a security model for the container. The method may also include identifying execution behavior of the container. The method may also include generating a second effect graph of the execution behavior of the container, where the generating includes summarizing operations and interactions between entities in the execution behavior and results in a behavioral model. The method may also include comparing the behavioral model to the security model. The method may also include determining whether the container has deviated from the security policy based on the comparing. The method may also include enforcing the security policy against the container.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: August 8, 2023
    Assignee: International Business Machines Corporation
    Inventors: Frederico Araujo, William Blair, Teryl Paul Taylor
  • Patent number: 11720702
    Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for applications that detect indicators of data exfiltration through applications such as browser-based interfaces. The disclosed system monitors file system element events related to one or more target applications (such as browsers) through operating system interfaces. Once an event of interest is detected, the system interfaces with the browser to determine a context for the event of interest that may include a URL of a website that the user was visiting corresponding to the file system element event. If the URL is directed towards a prohibited site, a notification may be generated that may be used as a signal to alert an administrator. As used herein, a file system element may include a file, directory, folder, archive, blob, raw storage, metadata, or the like. File system element events may include copying, deleting, modifying, or moving a file system element.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: August 8, 2023
    Assignee: Code42 Software, Inc.
    Inventors: Rob Juncker, Neil Kulevsky, Andrew Moravec, James Sablatura, Shane Zako
  • Patent number: 11722504
    Abstract: The present invention relates to a method and an apparatus for detecting anomalies of a DNS traffic in a network comprising analysing, through a network analyser connected to said network, each data packet exchanged in the network, isolating, through the network analyser, from each of the analysed data packets the related DNS packet, evaluating, through a computerized data processing unit, each of the DNS packets generating a DNS packet status, signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state, wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packets by a plurality of evaluating algorithms generating a DNS packet classification for each of the evaluating algorithms, aggregating, through the computerized data processing unit, the DNS packet classifications generating the DNS packet status, and wherein the critical state is identified when the DNS packet sta
    Type: Grant
    Filed: December 26, 2020
    Date of Patent: August 8, 2023
    Assignee: Nozomi Networks Sagl
    Inventors: Alessandro Di Pinto, Moreno Carullo, Andrea Carcano, Mario Marchese, Fabio Patrone, Alessandro Fausto, Giovanni Battista Gaggero
  • Patent number: 11722900
    Abstract: A method is disclosed. The method includes providing, by an SDK and a first application in a mobile device, first and second security values to a security value verification module in the mobile device. If the mobile device confirms that the first and second security values match, then a second application can proceed with interaction processing.
    Type: Grant
    Filed: August 31, 2021
    Date of Patent: August 8, 2023
    Assignee: Visa International Service Association
    Inventors: Digvijay Goutam, Rohit Sehgal
  • Patent number: 11720391
    Abstract: A method of automating emulations is provided. The method comprising collecting publicly available network data over a predefined time interval, wherein the collected network data might comprise structured and unstructured data. Any unstructured data is converted into structured data. The original and converted structured data is stored in a database and compared to known network vulnerabilities. An emulated network is created according to the collected network data and the comparison of the structured data with known vulnerabilities. Virtual machines are created to run on the emulated network. Director programs and guest actor programs are run on the virtual machines, wherein the actor programs imitate real user behavior on the emulated network. The director programs deliver task commands to the guest actor programs to imitate real user behavior. The imitated behavior is presented to a user via an interface.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: August 8, 2023
    Assignee: National Technology & Engineering Solutions of Sandia, LLC
    Inventors: Vincent Urias, Brian P. Van Leeuwen, William M. S. Stout, Michael Kunz
  • Patent number: 11722523
    Abstract: Solution management systems and methods are presently disclosed that enable receiving, compiling, and analyzing vendor solutions, determining the vendor solutions that address a target vulnerability of a client network and/or client devices, determining additional vulnerabilities of the client network and/or client devices that the vendor solutions address, and selecting a vendor solution to remediate the target vulnerability. The presently disclosed systems and methods also enable scoring, risk evaluation, and additional metrics to facilitate determining the vendor solution(s) that have the largest impact and/or benefit to the various vulnerabilities of the client network and/or client devices.
    Type: Grant
    Filed: March 2, 2021
    Date of Patent: August 8, 2023
    Assignee: ServiceNow, Inc.
    Inventors: Brian James Waplington, David Victor Barkovic
  • Patent number: 11722492
    Abstract: Systems and methods are provided for protecting a plurality of electronic devices via a control server. The control server, for example, can receive one or more indications that a first electronic device is considered malicious and add it to a security threat list. Then the control server can communicate the security threat list to others of the electronic devices, networked for communication with each other, such that the other electronic devices reject all communication from any device listed on the security threat list. Next, upon receiving indication from an approved security patch-providing source that a security patch has been applied to the first electronic device, the control server can remove the first electronic device from the security threat list and communicate the updated security threat list to the other electronic devices indicating that it is safe for these electronic devices to again receive communication from the first electronic device.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: August 8, 2023
    Assignee: T-Mobile Innovations LLC
    Inventor: Ahmad Arash Obaidi
  • Patent number: 11720462
    Abstract: A method of monitoring execution of computer instructions includes receiving data items representing real-time measurements of side-channel information emanating from execution of computer instructions, each data item forming a value of a corresponding dimension of a side-channel information vector, receiving, for two or more of the dimensions of the side-channel vector, classifiers that assign the corresponding values of a side-channel vector to classes, and classifying the data items in accordance with the received classifiers, wherein an orthogonal distance of the data item from the classifier indicates a confidence value of the classification, generating a combined confidence value for the side-channel information vector a, and outputting a signal if a confidence value indicates affiliation to a selected one of the two classes with a predetermined probability. The method conducts a self-test by generating a combined confidence value based to ensure correct outputting of the confidence value.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: August 8, 2023
    Assignee: CONTINENTAL TEVES AG & CO. OHG
    Inventors: Patrick Thomas Michael Klapper, Marc Sebastian Patric Stöttinger, Miguel Hernandez
  • Patent number: 11720671
    Abstract: Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
    Type: Grant
    Filed: November 17, 2022
    Date of Patent: August 8, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Eldar Aharoni, Vadim Goldstein, Mashav Sapir, Jenny Kitaichik
  • Patent number: 11722509
    Abstract: This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request including the hostname from the proxy connection request; and updating DNS usage information for the particular client based on the identified DNS response including the hostname from the proxy connection request.
    Type: Grant
    Filed: September 15, 2022
    Date of Patent: August 8, 2023
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 11714907
    Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have changed and a count of native files that have changed is made. If the count of watch and native files that have changed indicates that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the program is resumed.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: August 1, 2023
    Assignee: WatchPoint Data, Inc.
    Inventors: Gregory Dale Edwards, Christopher Neal Hartwig
  • Patent number: 11714904
    Abstract: A script analysis platform may obtain a script associated with content wherein the script includes one or more functions that include one or more expressions. The script analysis platform may parse the script to generate a data structure and may traverse the data structure to determine the one or more functions and to determine properties of the one or more expressions, wherein traversing the data structure includes evaluating one or more constant sub-expressions of the one or more expressions. The script analysis platform may analyze the properties of the one or more expressions to determine whether the script exhibits malicious behavior. The script analysis platform may cause an action to be performed concerning the script or the content based on determining whether the script exhibits malicious behavior.
    Type: Grant
    Filed: July 5, 2022
    Date of Patent: August 1, 2023
    Assignee: Juniper Networks, Inc.
    Inventor: Frank Jas