Intrusion Detection Patents (Class 726/23)
  • Patent number: 11544390
    Abstract: A mechanism for probabilistically determining the contents of an encrypted file is provided, such that a transfer of the encrypted file can be restricted according to rules associated with an unencrypted version of the file. Embodiments generate a file size table of a subset of files, where each entry of the file size table includes size information regarding the unencrypted file. Embodiments compare the size of the encrypted file against the file sizes and compressed file size ranges to determine whether the encrypted file has a match. If the size of the encrypted file has a single match in the table, then there is a high probability that the file associated with the matching entry is the unencrypted version of the encrypted file. Rules associated with restricting access of the file related to the matching entry can be used to control transfer of the encrypted file.
    Type: Grant
    Filed: May 5, 2020
    Date of Patent: January 3, 2023
    Assignee: Forcepoint LLC
    Inventor: Benjamin Shih
  • Patent number: 11544378
    Abstract: The present invention relates to a method for access control of a multimedia system to a secure operating system and a mobile terminal for implementing the method. The method includes the steps of: initiating an application access request for selecting a trusted application from a client application of a multimedia system to a secure operating system; making a decision as to whether the client application is a malicious application, and if not, proceeding to a next step, if yes, returning Selection Failure to the client application and performing an interrupt handling; sending the application access request from the multimedia system to the secure system; and acquiring, at the secure operating system, the trusted application based on the application access request and returning the trusted application to the multimedia system.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: January 3, 2023
    Assignee: CHINA UNIONPAY CO., LTD.
    Inventors: Chengqian Chen, Yu Zhou, Wei Guo
  • Patent number: 11546356
    Abstract: The present invention discloses a technique for extending threat information and/or generating new threat information by analyzing packet headers flowing through a network using threat information obtained by analyzing malware behavior or the like.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: January 3, 2023
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Yuichi Nakatani
  • Patent number: 11544070
    Abstract: The present disclosure is directed to systems and methods for mitigating or eliminating the effectiveness of a side-channel based attack, such as one or more classes of an attack commonly known as Spectre. Novel instruction prefixes, and in certain embodiments one or more corresponding instruction prefix parameters, may be provided to enforce a serialized order of execution for particular instructions without serializing an entire instruction flow, thereby improving performance and mitigation reliability over existing solutions. In addition, improved mitigation of such attacks is provided by randomizing both the execution branch history as well as the source address of each vulnerable indirect branch, thereby eliminating the conditions required for such attacks.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: January 3, 2023
    Assignee: Intel Corporation
    Inventors: Rodrigo Branco, Kekai Hu, Ke Sun, Henrique Kawakami
  • Patent number: 11546767
    Abstract: A method performed by a system includes instantiating a vulnerability-risk-threat (VRT) service for a security edge protection proxy (SEPP) element of a 5G telecommunications network. The system intercepts and parameterizes network traffic of the SEPP element to identify network functions (NFs) or associated services that require cybersecurity protection and selects security resources for protecting the identified NFs or associated services. The system prioritizes an NF or associated service that is most frequently used (MFU) or most recently used (MRU) and then allocates the security resources in accordance with the prioritization.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: January 3, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Gaviphat Lekutai
  • Patent number: 11546371
    Abstract: Disclosed are systems and methods for countering a cyber-attack on computing devices by means of which users are interacting with services, which store personal data on the users. Data is collected about the services with which the users are interacting by means of the devices, as well as data about the devices themselves. The collected data is analyzed to detect when a cyber-attack on the devices is occurring as a result of a data breach of personal data on users from the online service. A cluster of the computing devices of different users of the online service experiencing the same cyber attack is identified. Attack vectors are identified based on the characteristics of the cyber attack experienced by the computing devices in the cluster. Actions are selected for countering the cyber-attack based on the identified attack vector and are sent to the devices of all users of the corresponding cluster.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: January 3, 2023
    Assignee: AO Kaspersky Lab
    Inventors: Vladislav V. Martynenko, Alexey M. Romanenko
  • Patent number: 11539721
    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: December 27, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
  • Patent number: 11539739
    Abstract: A system and method for protecting cloud-hosted applications against hypertext transfer protocol (HTTP) flood distributed denial-of-service (DDoS) attacks are provided. The method includes collecting telemetries from a plurality of sources deployed in at least one cloud computing platform hosting a protected cloud-hosted application; providing at least one rate-based feature and at least one rate-invariant feature based on the collected telemetries, wherein the rate-based feature and the rate-invariant feature demonstrate behavior of at least HTTP traffic directed to the protected cloud-hosted application; evaluating the at least one rate-based feature and the at least one rate-invariant feature to determine whether the behavior of the at least HTTP traffic indicates a potential HTTP flood DDoS attack; and causing execution of a mitigation action when an indication of a potential HTTP flood DDoS attack is determined.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: December 27, 2022
    Assignee: RADWARE, LTD.
    Inventors: Ehud Doron, Nir Ilani, David Aviv, Yotam Ben Ezra, Amit Bismut, Yuriy Arbitman
  • Patent number: 11537871
    Abstract: A computer architecture may comprise a processor, a memory, and a differential memory subsystem (DMS). A learning engine is stored on the memory and configured to present data to an expert user, to receive user sensory input measuring reactions related to the presented data, and to create an attention map based thereon. The attention map is indicative of portions of the presented data on which the expert user focused. The learning engine is configured to annotate the attention map with the natural language input labels and to train a neural network based on the user sensory input. The learning engine is configured to create a model based on the trained neural network, to provide an application program for an output target; and to instruct the output target via the application program to detect and remedy anomalous activity. The DMS is physically separate and configured for experimental data processing functions.
    Type: Grant
    Filed: April 25, 2018
    Date of Patent: December 27, 2022
    Assignee: FUJITSU LIMITED
    Inventor: James Montantes
  • Patent number: 11539722
    Abstract: Example methods and systems for a computer system to perform security threat detection are described. In one example, a computer system may intercept an egress packet from a virtualized computing instance to pause forwarding of the egress packet towards a destination and obtain process information associated with a process from which the egress packet originates. The computer system may initiate security analysis based on the process information. In response to determination that the process is a potential security threat based on the security analysis, the egress packet may be dropped, and a remediation action performed. Otherwise, the egress packet may be forwarded towards the destination.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: December 27, 2022
    Assignee: VMWARE, INC.
    Inventors: Baibhav Singh, Jayant Jain
  • Patent number: 11538037
    Abstract: A device receives first transaction information associated with a first transaction, and a first transaction account utilized for the first transaction and associated with a first financial institution. The device determines, based on a fraud model, that the first transaction is to be denied due to potential fraud associated with the first transaction account and receives second transaction information associated with a second transaction, and a second transaction account utilized for the second transaction and associated with a second financial institution. The device processes the first transaction information and the second transaction information, with a matching model, to determine whether the first transaction information matches the second transaction information and determines that the first transaction was incorrectly denied when the first transaction information matches the second transaction information within a predetermined threshold.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: December 27, 2022
    Assignee: Capital One Services, LLC
    Inventors: Colin Hart, Joshua Edwards, Francisco Perezleon, Molly Johnson, Kaitlin Newman, Angelina Wu, Jason Ji
  • Patent number: 11531764
    Abstract: A computer-implemented method for checking the integrity of a target computer program to be executed in a computer system.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: December 20, 2022
    Assignee: Fossid AB
    Inventor: Johan Larsson
  • Patent number: 11531753
    Abstract: Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: December 20, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Eldar Aharoni, Vadim Goldstein, Mashav Sapir, Jenny Kitaichik
  • Patent number: 11531883
    Abstract: Embodiments of the present invention provide an improvement to conventional machine model training techniques by providing an innovative system, method and computer program product for the generation of synthetic data using an iterative process that incorporates multiple machine learning models and neural network approaches. A collaborative system for receiving data and continuously analyzing the data to determine emerging patterns is provided. Common characteristics of data from the identified emerging patterns are broadened in scope and used to generate a synthetic data set using a generative neural network approach. The resulting synthetic data set is narrowed based on analysis of the synthetic data as compared to the detected emerging patterns, and can then be used to further train one or more machine learning models for further pattern detection.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: December 20, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Eren Kursun
  • Patent number: 11533293
    Abstract: Domains and IPs are scored using domain resolution data to identify malicious domains and IPs. A domain and IP resolution graph for a set of domains and IPs in a system. A seed set of known malicious domains and known malicious IPs is selected from a malicious domain and malicious IP database. A graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs is generated. A malicious score is calculated for each domain in the set of domains and each IP in the set of IPs, and the malicious domain and malicious IP database is updated.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: December 20, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Swapna Buccapatnam Tirumala, Fei Wu, Carolyn Roche Johnson
  • Patent number: 11533388
    Abstract: A device and a method for analyzing service-oriented communication in a communications network. A data packet includes a first header of an application layer for service-oriented communication, and a second header of a presentation layer, a session layer, a transport layer, a network layer, a data link layer, or a physical layer. The data packet is analyzed based on information concerning a sender and/or receiver of the data packet from the first header and as a function of information concerning a sender and/or receiver from the second header, for whether or not the data packet meets a criterion, the criterion defining a setpoint value for the sender and/or receiver in the first header as a function of the content of the second header, and/or the criterion defining a setpoint value for the sender and/or receiver in the second header as a function of the content of the first header.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: December 20, 2022
    Assignee: Robert Bosch GmbH
    Inventors: Andreas Weber, Janin Wolfinger, Jens Gramm, Michael Herrmann
  • Patent number: 11531769
    Abstract: According to an embodiment, an information processing apparatus includes: a memory on which first/second processing applications are stored, the first processing application being a secure application; and a processor that is coupled to the memory and executes the first and second processing applications. The first processing application includes an issuance module, a first communication module, and a log verification module. The issuance module issues a command to call a function of the second processing application and links the command to a verification rule. The first communication module transmits, to the second processing application, a command execution request including command identification information that identifies the command, and receives, from the second processing application, an execution log including an execution result of the command identified by the command identification information.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: December 20, 2022
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Jun Kanai, Shinya Takumi, Yoshikazu Hanatani
  • Patent number: 11526530
    Abstract: Provided is a visualization system that enables generation of a “dashboard” of individual visualizations. In further embodiments, the system enables users to quickly and easily generate these visualizations and integrate complex filters, queries, aggregations, etc., with simple UI input. The visualizations can be provided as a service that requests information from an underlying database. The database itself may also be hosted as a service, permitting granular and native database functions layered with the visualization architecture. The system can support additional functionality and access management to generate visualizations that can be shared with other users and/or integrated into websites, blogs, etc. The system can handle the complex logic, data interactions, dynamic data transformation, dynamic authorization, etc., needed to manage data rules (e.g., access rules layered over database permission based control, summarization/aggregation requirements, etc.).
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: December 13, 2022
    Assignee: MongoDB, Inc.
    Inventors: Tom Hollander, Eliot Horowitz, Thomas Rueckstiess
  • Patent number: 11526608
    Abstract: Methods and systems for determining an affiliation of a given software with target software are provided. The method comprises: receiving a software source code of the given software; executing the software source code in an isolated program environment to identify at least one outgoing request of the given software, the at least one outgoing request being indicative of at least one respective function of the software source code; generating, based on the at least one outgoing request, a respective function identifier associated with the at least one respective function; applying at least one classifier to the respective function identifier to determine a likelihood parameter indicative of the given software being affiliated to a respective target software; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying the given software as being affiliated to the respective target software.
    Type: Grant
    Filed: October 22, 2020
    Date of Patent: December 13, 2022
    Assignee: GROUP IB TDS, LTD
    Inventors: Pavel Vladimirovich Slipenchuk, Ilia Sergeevich Pomerantsev
  • Patent number: 11523293
    Abstract: A wireless network monitoring system is disclosed. In one general aspect, it includes a wireless network interface operative to access traffic on a wireless network that is connected to other devices and to a WAN access point, and capture logic responsive to the wireless network interface and operative to capture datagrams communicated between one or more of the other devices on the wireless network and the WAN access point. Inspection logic is responsive to the capture logic and operative to inspect the captured datagrams to detect conditions of concern related to the other devices on the wireless network, and conditional response logic is responsive to the inspection logic and operative to initiate actions in response to the detection of conditions of concern by the inspection logic.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: December 6, 2022
    Inventor: Levi Gundert
  • Patent number: 11522909
    Abstract: A method for preventing denial of service attacks which are distributed attacks is applied in a target service provider server, a platform server, and a botnet service provider server. The target service provider server determines a first SDN controller according to an attack protection request, and issues a first flow rule. The target service provider server directs data flow of a network equipment to a first cleaning center and controls the first cleaning center to identify the attacking or malicious element in the data flow according to the first flow rule. The platform server receives the attacking element in the data flow sent by the target service provider server, and regards the same as malicious traffic. The platform server generates an attack report, and sends the attack report to the botnet service provider server to notify the botnet service provider server to clean or filter out the malicious traffic.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: December 6, 2022
    Assignee: Nanning FuLian FuGui Precision Industrial Co., Ltd.
    Inventor: Cheng-Yen Tsai
  • Patent number: 11522907
    Abstract: Apparatus and methods for mitigating network attacks, such as by dynamically re-routing traffic. Various disclosed embodiments manipulate path-based routing of the backbone network to insert a scrubbing appliance within the backbone network topology, rather than using traditional network addressed tunnels in the edge network. In one implementation, traffic entering the backbone network ingress peer routers (from either another backbone network, or an edge network) is normally destination-address routed via the backbone to its appropriate egress router based on a path label; however, when a Distributed Denial of Service (DDoS) attack is detected, the ingress peer router inserts an additional hop into the path label that redirects dirty traffic to a substantially centralized scrubbing appliance. The benefits of the disclosed solutions include, among other things, significantly reduced attack response/recovery times without significant capital outlays.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: December 6, 2022
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Wesley George, Raymond Sliteris
  • Patent number: 11522887
    Abstract: A cyber-threat coordinator-component identifies devices and/or users that are in a breach state of a benchmark of parameters, utilized by AI models, that correspond to the normal pattern of life for the network. The cyber-threat coordinator-component sends an external communication to selected network devices in order to initiate actions with that network device in order to change a behavior of a detected threat of at least one of a user and/or a device acting abnormally to the normal pattern of life on the network. The initiated actions are also targeted to minimize an impact on other network devices and users that are i) currently active in the network and ii) that are not in breach of being outside the normal behavior benchmark.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: December 6, 2022
    Assignee: Darktrace Holdings Limited
    Inventor: Matthew Dunn
  • Patent number: 11520883
    Abstract: Systems, methods, and computer-readable media for cybersecurity are disclosed. The systems and methods may involve receiving, by an application capable of JavaScript execution, code for execution; executing, before execution of the received code, an intercepting code, wherein the intercepting code is configured to intercept at least one application programming interface (API) invocation by the received code; intercepting, by the intercepting code, an API invocation by the received code; determining that the intercepted API invocation results in a manipulation of a backing store object; and modifying an execution of the intercepted API invocation, wherein the modified execution results in a nonpredictable environment state.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: December 6, 2022
    Assignee: Seraphic Algorithms Ltd.
    Inventor: Avihay Cohen
  • Patent number: 11514448
    Abstract: The disclosed embodiments relate to implementation of an electronic framework, also referred to as a protocol or architecture, for electronically achieving, recording and implementing, via an electronic communications network, consensus among participants for the definition, implementation and operation of an electronic transaction processing system as a precursor to the operation of that transaction processing system in processing transactions according to the consensus among the participants. The disclosed consensus framework provides a system and protocol by which new electronic transaction processing systems may be developed and implemented among participants via an electronic negotiation and implementation of the operational rules therefore. The disclosed embodiments eliminate the need for out of band consensus negotiations and provide flexibility for participants to negotiate acceptable operational rules which can support complex transactional processes in an electronic environment.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: November 29, 2022
    Assignee: Chicago Mercantile Exchange Inc.
    Inventor: Stanislav Liberman
  • Patent number: 11513878
    Abstract: Aspects of the disclosure relate to the field of detecting a behavioral anomaly in an application. In one exemplary aspect, a method may comprise retrieving and identifying at least one key metric from historical usage information for an application on a computing device. The method may comprise generating a regression model configured to predict usage behavior associated with the application and generating a statistical model configured to identify outliers in the data associated with the at least one key metric. The method may comprise receiving usage information in real-time for the application. The method may comprise predicting, using the regression model, a usage pattern for the application indicating expected values of the at least one key metric. In response to determining that the usage information does not correspond to the predicted usage pattern and does not comprise a known outlier, the method may comprise detecting the behavioral anomaly.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: November 29, 2022
    Assignee: Acronis International GmbH
    Inventors: Andrey Kulaga, Stanislav Protasov, Serguei Beloussov
  • Patent number: 11516669
    Abstract: The disclosure includes embodiments for an ego vehicle to detect misbehavior. According to some embodiments, a method includes receiving a V2X message from an attacker. The V2X message includes V2X data describing a location of an object at a target time. The method includes receiving a set of CPMs from a set of remote devices. The set of CPMs include remote sensor data describing a free space region within the roadway environment. The method includes determining a relevant subset of the CPMs include remote sensor data that is relevant to detecting misbehavior. The method includes determining, based at least in part on the remote sensor data of the relevant subset, that the object is not located at the location at the target time. The method includes detecting the misbehavior by the attacker based on the determination that the object is not located at the location at the target time.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: November 29, 2022
    Inventors: Takayuki Shimizu, John Kenney, Michael Clifford, Hongsheng Lu
  • Patent number: 11516237
    Abstract: Methods and systems for visualization of data associated with events detected on a monitored server host, and control of the host, are provided. A system may detect an incident on a remote server host. The system may present scores and activity graphs on a user interface for a human operator to review. The user interface may include animated activity graphs to show the progress of a past malicious event. The user interface may emphasize, de-emphasize, and/or hide subgraphs. The user interface may include quick-action buttons and wizards to permit users to immediately kill processes or isolate a computer from the network. The user interface may include controls to bulk-tag detected events associated with a subgraph. The user interface may present notifications/dashboards of significant malicious events in progress and update same when a new event rises in incident score into the top 10.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: November 29, 2022
    Assignee: CrowdStrike, Inc.
    Inventor: Alexander J. Graul
  • Patent number: 11507663
    Abstract: There is provided a method for generating a representation for behavior similarity comparison by generating a program-level stateful model of one or more entities in a computer operating system operating on a computer system, the program-level stateful model having a data structure representing a state of a program; generating an updated representation of the program based on the program-level stateful model; searching for at least one other representation of another program-level stateful model similar to the updated representation of the program; and comparing the updated representation of the program to the at least one other representation of another program-level stateful model.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: November 22, 2022
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Almog Cohen, Tomer Weingarten, Shlomi Salem, Nir Izraeli, Asaf Karelsbad
  • Patent number: 11507845
    Abstract: Implementations include processing a set of documents using an auto-encoder to provide a first sub-set of documents, the first sub-set of documents including electronic documents with a relatively high likelihood of providing true positives in an auditing process, processing a sub-set of documents using a set of auto-generated rules to provide a second sub-set of documents, the second sub-set of documents including electronic documents with a relatively high likelihood of providing false positives in an auditing process, and defining a master set of documents for the auditing process based on the sub-set of documents, the first sub-set of documents, and the second sub-set of documents, the master set of documents including at least a portion of the sub-set of documents, and at least a portion of the first sub-set of documents, and being absent the second sub-set of documents.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: November 22, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: Xin Zuo, Lijuan Zhou, Wei Qian, Benjamin Duffy
  • Patent number: 11509687
    Abstract: Techniques and systems for determining a malicious derivative entity within a network are provided herein. A method for determining a malicious derivative entity may include receiving, by a network-based authentication system, a plurality of network transactions. A first attribute of a network transaction within the plurality of network transactions may be identified. The method may also include identifying a plurality of entities for the first attribute. The network-based authentication system may generate a first visual representation of a relationship between the first attribute and the plurality of derivative entities. Each of the derivative entities and the first attribute may be represented as nodes within the first visual representation. A first score for each of the nodes may be determined based on a degree of centrality of the nodes within the first visual representation. One network transaction may be blocked based on at least one node exceeding a first threshold.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: November 22, 2022
    Assignee: The Western Union Company
    Inventors: Noel Brandt, Robert Enzaldo, Charles Champion, Brent Lemieux
  • Patent number: 11509671
    Abstract: A method of anomaly detection for network traffic communicated by devices via a computer network, the method including receiving a set of training time series each including a plurality of time windows of data corresponding to network communication characteristics for a first device; training an autoencoder for a first cluster based on a time series in the first cluster, wherein a state of the autoencoder is periodically recorded after a predetermined fixed number of training examples to define a set of trained autoencoders for the first cluster; receiving a new time series including a plurality of time windows of data corresponding to network communication characteristics for the first device; for each time window of the new time series, generating a vector of reconstruction errors for the first device for each autoencoder based on testing the autoencoder with data from the time window; and evaluating a derivative of each vector; training a machine learning model based on the derivatives so as to define a fi
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: November 22, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Maximilien Servajean, Yipeng Cheng
  • Patent number: 11509675
    Abstract: A method of monitoring network traffic of a connected vehicle. The method includes receiving network traffic information from a vehicle gateway, the network traffic information including malicious and/or benign information. The method also includes storing the network traffic information on a data server and periodically updating the network traffic information stored on the data server.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: November 22, 2022
    Assignee: Honeywell International Inc.
    Inventors: Amit Srivastav, Rajesh Chenchu, Nayyar Azam Khan Rao, Phani Ammi Raju Pothula, Vijayshankaran Iyer
  • Patent number: 11507742
    Abstract: Methods and systems for parsing log records. A method involves receiving a log record including data regarding a network device's operation and providing the log record to a natural language processing model. The natural language processing model may analyze the log record to identify items in the log record and relationships between items in the log record.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: November 22, 2022
    Assignee: Rapid7, Inc.
    Inventor: Wah-Kwan Lin
  • Patent number: 11509690
    Abstract: A system and computer-implemented method of monitoring a network is provided. The method includes receiving a packet of network traffic, wherein the packet has an associated source and destination address pair, where this pair constitutes a connection pair. The method further includes comparing the packet to a plurality of patterns and/or comparing a source or destination address of the packet to known malicious addresses, and, upon determining that the packet matches a pattern of the plurality of patterns or that the source or destination address of the packet matches a known malicious address, deploying a honeypot in a container for the pattern matching the packet, if not yet deployed, and forwarding all network traffic for the connection pair to the honeypot.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: November 22, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11509691
    Abstract: There are provided systems and methods for protecting from directory enumeration using honeypot pages within a network directory. A service provider, such as an electronic transaction processor for digital transactions, may have an internal network that is utilized by employees, developers, and other end users within the organization of the service provider. When internal devices become compromised or internal users act maliciously, they may attempt to enumerate a directory to find hidden pages that have secret or sensitive data. The service provider may therefore detect a scan of an internal directory having file paths to files and pages and may deploy honeypot pages that change an error status. Further, the service provider may add a process or operation to log additional data on these honeypot pages and/or change a byte size of the corresponding pages to confuse the enumeration attempt and obtain true source information.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: November 22, 2022
    Assignee: PAYPAL, INC.
    Inventor: George Chen Kaidi
  • Patent number: 11503030
    Abstract: A service processor is provided that includes a processor, a memory coupled to the processor and having instructions for executing an operating system kernel having an integrity management subsystem, secure boot firmware, and a tamper-resistant secure trusted dedicated microprocessor. The secure boot firmware performs a secure boot operation to boot the operating system kernel of the service processor. The secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of the tamper-resistant secure trusted dedicated microprocessor. The operating system kernel enables the integrity management subsystem. The integrity management subsystem records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Patrick J. Callaghan, Kenneth A. Goldman, Guerney D. H. Hunt, Elaine R. Palmer, Dimitrios Pendarakis, David R. Safford, Brian D. Valentine, George C. Wilson, Miriam Zohar
  • Patent number: 11503049
    Abstract: A method and apparatus for determining one or more first devices that are Internet devices meeting all of the following conditions: residing at a given location; equipped with one or more ambience sensing capable sensors; and operation mode being such that their ambience sensing capable sensors should not cause transmission of data. One or more second devices are determined that are Internet devices at the given location and equipped with one or more elements capable of causing an ambient stimulation detectable by the sensors of one or more first devices. Data transmissions of the first devices are monitored. Issuing of the ambient stimulation is caused by a subset of the one or more second devices. It is determined whether the issuing of the ambient stimulation caused a significant change in the monitored data transmissions of the first devices.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: November 15, 2022
    Assignee: Nokia Technologies Oy
    Inventors: David Duffy, Matthew Lawrenson, Harm Cronie
  • Patent number: 11501018
    Abstract: A network-compatible device with a security function for destroying user data includes a signal input configured to receive a control signal and a configuration signal; a memory configured to store first user data; and a controller configured, upon receipt of the control signal, to carry out a security function which destroys the first user data in the memory. The network-compatible device is inoperable when the first user data is destroyed, and the controller is further configured, upon receipt of the configuration signal, which includes second user data, to store the second user data in the memory to enable the network-compatible device to operate based on the second user data.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: November 15, 2022
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventors: Gerrit Boysen, Andreas Fuss, Ingo Hilgenkamp
  • Patent number: 11501013
    Abstract: An anomaly detection method includes receiving, at a processor, a request including a query that references a database. A plurality of attributes is identified based on the request. The processor concurrently processes the query to identify a result, and analyzes the plurality of attributes to identify an anomaly score. When the anomaly score exceeds a first predefined threshold, a signal representing a quarantine request is sent, and a signal representing the result is not sent. When the anomaly score is between the first predefined threshold and a second predefined threshold, a signal representing a notification and a signal representing the result are sent. When the anomaly score is below the second predefined threshold, a signal representing a quarantine request is sent, and a signal representing the result is not sent.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: November 15, 2022
    Assignee: Sotero, Inc.
    Inventors: Purandar Gururaj Das, Shanthi Boppana
  • Patent number: 11500987
    Abstract: Provided is an incident effect range estimation device which estimates the range of the effect of an incident and shortens incident handling time. This incident effect range estimation device is provided with an incident origin log acquisition unit which acquires log information for the incident-originating device which is related to the occurrence of the incident, a communication destination log acquisition unit which acquires, on the basis of the log information for the incident-originating device, log information for a communication destination device which is the communication destination of the incident-originating device, and an effect range estimation unit which estimates the range of the effect of the incident on the basis of the communication destination device. The range of the effect of the incident can thereby be estimated automatically, and thus incident handling time can be shortened significantly.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: November 15, 2022
    Assignee: NEC CORPORATION
    Inventors: Daichi Hasumi, Satoshi Ikeda, Shigeyoshi Shima
  • Patent number: 11502992
    Abstract: Some embodiments provide a local controller on a set of host computers that reduces the volume of data that is communicated between the server set and the set of host computers. The local controller executing on a particular host computer, in some embodiments, receives a portion of the namespace including only the policies (e.g., opcode) that are relevant to API-authorization processing for the applications executing on the particular host computer, provided by a local agent executing on the computer to authorize the API requests based on policies and parameters. The local controller analyzes the received policies (e.g., policy opcodes) and identifies the parameters (e.g., operands), or parameter types, needed for API-authorization processing (e.g., evaluating the policy opcode upon receiving a particular API request) by the local agent. In some embodiments, the local controller performs this analysis for each updated set of policies (e.g., policy opcodes).
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: November 15, 2022
    Assignee: STYRA, INC.
    Inventors: Teemu Koponen, Timothy L. Hinrichs, Torin Sandall, Stan Lagun
  • Patent number: 11503073
    Abstract: Disclosed herein are methods, systems, and processes to perform live deployment of deception computing systems. An imminent or ongoing malicious attack on a protected host in a network is detected. In response to detecting the imminent or ongoing malicious attack, personality characteristics of the protected host are cloned and a honeypot clone based on the personality characteristics is generated. The honeypot clone is then deployed in the network. A determination is made that the malicious attack includes an interactive session between an attacker associated with the malicious attack and the protected host, and a live state transition is performed between the protected host and the honeypot clone using agent data if the interactive session includes an encrypted protocol or using session state data if the interactive session does not include the encrypted protocol.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: November 15, 2022
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11496517
    Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: November 8, 2022
    Assignee: STYRA, INC.
    Inventors: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
  • Patent number: 11496495
    Abstract: The present invention discloses a system and a method for detecting anomalous patterns in a network such as a LAN, WAN, MAN, internet of things (IoT), cloud networks, or any other network. In operation, the system and method of the present invention determine a generic pattern of behavior associated with a plurality of anomaly classes based on a plurality of feature values using a reinforcement learning technique. The generic pattern is fixed as a boundary for each of the plurality of anomaly classes and is representative of behavior which substantially simulates the network behavior on attack by any of the plurality of anomaly classes. Further, the present invention provides for updating the generic pattern using reinforcement learning. The updated generic pattern is implemented to analyze and detect anomalous behavior in the incoming network traffic in real time.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: November 8, 2022
    Assignee: COGNIZANT TECHNOLOGY SOLUTIONS INDIA PVT. LTD.
    Inventors: Lakshmanan Babu, Vinoth Selvaraj, Srihari Viswanathan, Rohith Cheriakallil, Keerthika Dasarathan
  • Patent number: 11489858
    Abstract: This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request including the hostname from the proxy connection request; and updating DNS usage information for the particular client based on the identified DNS response including the hostname from the proxy connection request.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: November 1, 2022
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 11489849
    Abstract: A cybersecurity solution that includes a system, method, or computer program for detecting and remediating malicious code in a communicating device on a computer network that connects to the Internet through a proxy server. The solution includes an operating system arranged to monitor all computing resource (CR) processes on an operating system kernel on the communicating device, determine process parameters for each CR process, determine whether each CR process is a connecting CR process by determining whether it is connecting to the proxy server, compare at least one of the process parameters for each connecting CR process with a whitelist, generate an event notification when at least one process parameter for a connecting CR process does not match the whitelist, and remediate the connecting CR process that has the at least one process parameter.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: November 1, 2022
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed
  • Patent number: 11489853
    Abstract: Various embodiments of apparatuses and methods for distributed threat sensor data collection and data export of a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a distributed threat sensor data collection and data export service receives a stream of sensor logs from the plurality of threat sensors. The stream of sensor logs has information about interactions with the threat sensors, including an identifier of the source. The service aggregates the information in the sensor logs by the source, computes significance scores for each source where a significance score quantifies a likelihood that the source is engaging in threatening network communications, and provides the significance scores to other destinations.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: November 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11489855
    Abstract: Disclosed are systems and methods of adding tags for use in detecting computer attacks. In one aspect, the system comprises a computer protection module configured to: receive a security notification, extract an object from the security notification, search for the extracted object in a threat database, add a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database, search for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag, and when at least one sign of suspicious activity is found, extract a second tag from the database of suspicious activities and add the second tag to an object database, wherein the object database is used for identifying signatures of targeted attacks based on security notifications, objects, first tags and second tags.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: November 1, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Konstantin V. Sapronov, Yury G. Parshin, Teymur S. Kheirkhabarov, Sergey V. Soldatov
  • Patent number: 11489869
    Abstract: Embodiments of the disclosure describe systems and methods for selecting a first group of users, which is selected to receive simulated phishing emails as part of a simulated phishing campaign, and adding users to a second group of users based upon those selected users interacting with a simulated phishing email that is part of a simulated phishing campaign; tracking the completion of remediation training related to phishing emails by users in the second group of users and receiving one or more indications that the users in the second group of users have completed remedial training; and automatically adding users, who are members of the second user group, to the first user group, to a third user group, or to a predetermined user group responsive to the one or more indications that the users in the second group of users have completed remedial training.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: November 1, 2022
    Assignee: KnowBe4, Inc.
    Inventors: Greg Kras, Alin Irimie