Abstract: A software management shell may provide an execution environment for one or more software agents, e.g., by creating new instances of itself on a suitable hardware platform. For example, such a management shell may address new or shifting requirements that renders a software agent non-compliant by creating a new management shell that meets the new or shifting requirements. A new management shells may learn and advertise its capabilities and capacity to assist existing management shells in meeting the new or shifting requirements. The creation of new management shells, and the migration of software agents between shells, may be in response to policy changes that govern how the software agents are to operate within the management shells and on a given hardware platform.

Abstract: An application programming interface (API) security gateway communicates with a client computer application to establish a URL key rotation operation. An API request is received from the client computer application that is directed to a computer server. The API request contains a URL address. The URL address is parsed to identify a URL key. A local validation key is generated based on the URL key rotation operation. The URL key is validated based on the local validation key to determine whether the URL key is valid. Based on determining that the URL key is valid, a modified API request is generated which contains the URL address with at least part of the URL key removed. The modified API request is provided to the computer server.

Abstract: Employing a relatively simple machine learning classifier to explain evidence that led to a security action decision by a relatively complex machine learning classifier. In one embodiment, a method may include identifying training data, training a relatively complex machine learning classifier (MLC) using the training data, making a first security action decision using the relatively complex MLC, performing a security action on a network device based on the first security action decision, training a relatively simple MLC using the training data or using a subset of the training data, making a second security action decision using the relatively simple MLC, extracting evidence that led to the second security action decision by the relatively simple MLC, and explaining the first security action decision by the relatively complex MLC using the evidence extracted from the relatively simple MLC.

Abstract: Methods of analyzing and capacity planning for multi-core, multi-chip, multi-threaded computer system environments by analyzing the scalability of a fourth layer complexity, the processor boards, and incorporating this factor into the calculation of the expected throughput of a system constructed with multiple processor boards. In particular, the method may comprise identifying a system for which system performance prediction is desired, specifying a simulation model, and determining configuration parameters for the system, the system with at least one processor board, at least one chip per board, at least one core per chip, and at least one thread per core. The method may further comprise obtaining scalability factors based on the configuration data for the system, executing a simulation process for the simulation model for a deterministic simulation time, calculating a throughput of the system as a prediction of the performance of the system, and storing the results in a storage device.

Abstract: The disclosed computer-implemented method for facilitating negotiation and exchange of information between parties may include (i) receiving, at a backend computing system from an initiating computing device, an attribute of an initiating user of the initiating computing device and a designation of a specified attribute condition, (ii) receiving, at the backend computing system from a responding computing device, an attribute of a responding user of the responding computing device, (iii) determining, at the backend computing system, whether the attribute of the responding user satisfies the specified attribute condition, and (iv) based on the attribute of the responding user satisfying the specified attribute condition, sending, from the backend computing system, the attribute of the responding user to the initiating computing device and the attribute of the responding user to the initiating computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques are disclosed herein for scanning encrypted data sent to and from applications executing in user space of a computer system. A traffic monitoring tool of a network intrusion prevention system detects a secure session being established between an application executing on a client and a server. The traffic monitoring tool retrieves, from the client application, a symmetric key generated by the client application. The traffic monitoring tool intercepts encrypted data transmitted between the client application and the server as part of the secure session. The traffic monitoring tool decrypts the encrypted data using the retrieved symmetric key. Upon determining that the decrypted data indicates a threat to the client, transmission of the encrypted data is blocked.

Abstract: The disclosed computer-implemented method for terminating a computer process blocking user access to a computing device may include (1) receiving, at a user computing device, a communication indicating that a user is unable to access the user computing device, (2) identifying, by the user computing device, an active computer process running on the user computing device, and (3) executing a process termination application stored on the user computing device to terminate the active computer process and enable the user to access the user computing device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods, root cause analysis (RCA) engines, and monitoring systems for controlling monitoring systems based on RCA are provided. An RCA engine of a hardware computer receives an alarm on an entity. The RCA engine fetches correlation domains based on the correlation domains each having been associated with the entity and in which the alarm is part of a policy applied to the correlation domains. The RCA engine determines if the alarm is for a root cause of failure for an entity in one of the correlation domains and responsive to the alarm being for the root cause of failure: transmits a message to monitoring systems, the message comprising instructions for the registered monitoring systems to stop monitoring symptom conditions associated with the root cause of failure, and transmits, through the network, an indication of a failure of the one of the entities that is the root cause of failure.

Abstract: The disclosed computer-implemented method for malware remediation may include constructing a malware detection model by (i) identifying multiple candidate hyperparameter sets, (ii) selecting, from the candidate hyperparameter sets, a set of hyperparameters for the malware detection model that optimizes a tradeoff between model efficacy and model size, and (iii) training the malware detection model on a set of training samples to distinguish between malicious samples and clean samples. After constructing the malware detection model, the disclosed computer-implemented method may also include using the constructed malware detection model to perform a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A network metrics repository stores performance metrics measured during operation of a communication network, and stores fault values indicating types of network operation faults. A neural network circuit has an input layer having input nodes, a sequence of hidden layers each having a plurality of combining nodes, and an output layer having an output node. A processor generates forecasted performance metrics based on extrapolating from measured performance metrics in the network metrics repository, and provides to the input nodes of the neural network circuit the forecasted performance metrics and the measured performance metrics. The processor adapts weights and/or firing thresholds that are used by the input nodes responsive to output of the output node, and controls operation of the communication network based on output of the output node. The output node provides the output responsive to processing through the input nodes a stream of measured performance metrics and forecasted performance metrics.

Abstract: The systems and methods described herein can be used to provide virtual service environments. In one embodiment, a virtual service model is generated by detecting one or more transactions, each of which includes a request sent from a requester to a software service and a response sent from the software service to the requester; storing information describing the detected transactions in a virtual service model, where the information describing each transaction includes information identifying a command included in the request and information identifying a response attribute included in the response; and generating information describing an unknown transaction, where the information describing the unknown transaction includes information identifying a first command and information identifying a first response attribute. The first command and the first response attribute are copies of a corresponding command and a corresponding response attribute associated with a corresponding one of the detected transactions.

Abstract: A method for behavioral analysis of scripting utility usage in an enterprise is described. In one embodiment, the method describes receiving, by a processor, data associated with execution of a scripting utility operating on a plurality of computing devices; executing a clustering algorithm on the received data; identifying at least one cluster based at least in part on executing the clustering algorithm; identifying an existence of an anomalous event associated with the scripting utility based at least in part on executing the clustering algorithm; and transmitting an indication of the anomalous event to an administrator.

Abstract: In certain embodiments, a network edge device comprises a memory storage, a networking component configured to communicate with a mobile device and a database comprising application attributes, and a processor. The processor, in certain embodiments, is located within the network edge device and is operable to receive application traffic from the mobile device (the application traffic being associated with an application), classify the application traffic by associating the application traffic with an application ID, and send a query comprising the application ID to the database comprising application attributes. In addition, the processor, in certain embodiments, is operable to receive a response, from the database comprising application attributes, comprising one or more application attributes associated with the application, wherein the response is based in part on the application ID, and to enforce a policy based in part on the application attribute.

Abstract: Methods, server, devices and registered terminals for requiring approval of toll charges are provided. A server receives, from a fixed communication device at a toll booth location, a tollway transponder identifier of a vehicle tollway transponder on a vehicle. The server determines whether a registered terminal is associated with the tollway transponder identifier. Responsive to determining that the registered terminal is associated with the tollway transponder identifier, a toll approval request message is transmitted to the registered terminal, which sends a response message back to the server. The server determines if a location of the registered terminal is within a defined distance from the toll booth location. Responsive to the location of the registered terminal being within the defined distance, the server triggers a toll charge against an account associated with the tollway transponder identifier when the response message indicates approval of the toll.

Abstract: Methods and devices for opening a firewall port for a specified time period are provided. A data packet having a source address and a destination address beyond a firewall transmitted from a process source is intercepted by an interceptor. Responsive to determining, based on the source address, that a firewall port is not open, buffering the data packet. A request comprising an identifier, a protocol identifier, and a time period the firewall port is to be open is transmitted to a firewall controller. The firewall controller authenticates the request based on the identifier and opens a firewall port determined based on the protocol identifier. The interceptor receives an open firewall port notification indicating that the firewall port has been opened and transmits the data packet through the firewall port to the destination address. The firewall controller closes the firewall port when the time period has expired.

Abstract: Some embodiments disclosed herein are directed to methods of operating a wireless device. Past usage information relating to past usage of a mobile application on the wireless device may be provided. A page of the mobile application may be rendered on a display of the wireless device based on the past usage information relating to the past usage of the mobile application on the wireless device. The page may include a plurality of page elements, and rendering the page may include rendering a first subset of the plurality of page elements on the display based on the past usage information and omitting a second subset of the plurality of page elements based on the past usage information. Related wireless devices and computer program products are also discussed.

Abstract: Traffic into and out of an organization-level network is monitored. A request for an encryption key from ransomware infecting a computer in the organization-level network to a remote command and control server is detected. A simulated reply to the ransomware is generated. A known encryption key for which the corresponding decryption key is also known is substituted for the encryption key supplied by the C&C server. The simulated reply containing the substituted known key is then supplied to the ransomware, such that the ransomware uses the known encryption key to encrypt files accessible from the computing device, and requests payment in order to provide a decryption key. Instead of paying the ransom, the encrypted files are decrypted using the known decryption key corresponding to the known encryption key which was provided to the ransomware.

Abstract: According to an embodiment of the present disclosure, a method is disclosed comprising receiving a request to access protected data stored in a smart data container. The method further comprises comparing a first device identifier associated with a first device from which the request to access the protected data stored in the smart data container was received to a second device identifier which uniquely identifies a second device that created the smart data container. The method further comprises allowing access to the protected data stored in the smart data container by the first device based on whether the first device identifier matches the second device identifier.

Abstract: Techniques are disclosed relating to authenticating a user based on a partial password. In one embodiment, a computer system stores masking criteria defining how a mask is to be applied to generated passwords. In some embodiments, the computer system receives a request from a user to generate a one-time password. In response to the request, in some embodiments, the computer system generates the one-time password having a sequence of characters, applies the mask to the generated one-time password to select a subset of the sequence of characters usable to authenticate the user, and presents the selected subset of characters to the user as a partial password for authentication.

Abstract: A computer-implemented method for automatically blocking Web Proxy Auto-Discovery Protocol (WPAD) attacks may include (i) automatically detecting, by a computing device, a WPAD request for a configuration file, (ii) identifying, by the computing device, a server attempting to fulfill the WPAD request for the configuration file, (iii) determining, by the computing device, that the server is not included in a whitelist of WPAD servers for the configuration file, and (iv) automatically performing, by the computing device and based on the determination that the server is not included in the whitelist, a security action to secure the WPAD request for the configuration file. Various other methods, systems, and computer-readable media are also disclosed.