Abstract: A method performed by a server processing computer for a plurality of monitored servers is provided. The method includes receiving a server alarm of a first type in response to one of a first set of server metrics, each of which includes a measure of a first property for the monitored servers, exceeding a first threshold. The method also includes receiving a server alarm of a second type in response to one of a second set of server metrics, each of which includes a measure of a second property for the monitored servers, exceeding a second threshold. The method includes determining a server alarm correlation between the received server alarm of the first type and the received server alarm of the second type, and generating a new server alarm configuration for a server alarm of the first type and/or the second type based on the server alarm correlation.

Abstract: Image quality optimization during remote isolated sessions. In one embodiment, a method may include a remote isolation server receiving, at a remote isolation server, a request from a local browser on a local network device to obtain webpage data from a webserver, requesting, from the webserver, the webpage data, receiving, from the webserver, the requested webpage data, rendering a first image of the requested webpage data, storing a first copy of the first image of the requested webpage data in memory associated with the remote isolation server, compressing a first portion of the first image using a first compression method, sending, from the remote isolation server, the compressed first portion of the first image to the local browser, compressing a second portion of the first image using a second compression method, and sending the compressed second portion of the first image to the local browser.

Abstract: Techniques are disclosed relating to tokenized account information with integrated authentication. In some embodiments, a shared secret key is used for tokenization and authentication. In some embodiments, a payment device stores an encrypted version of the secret key and decrypts the secret key based on a user-provided password. In some embodiments, the payment device uses the secret key and a moving factor to generate a limited-use password. In some embodiments, the payment device uses the limited-use password to modify a first identifier of an account of the user. In some embodiments, the authentication system retrieves a stored version of the secret key and a copy of the account number using a second identifier. In some embodiments, the authentication system generates the limited-use password based on the stored secret key and a moving factor, de-tokenizes the modified first identifier, and compares the result with the retrieved copy of the account number.

Abstract: An embodiment includes initiating a migration of data rows in a source dataset in a source storage device to a target dataset in a target storage device. A block size defined for the target dataset equals a block size defined for the source dataset, and the migration is to be performed according to a native sequence of the data rows. The embodiment includes receiving, during the migration, a user request for access to a first data row in the source dataset, determining that the first data row was migrated to a first target block in the target dataset, and responding to the user request using the first data row in the first target block. In specific embodiments, a capacity of the target dataset is greater than a capacity of the source dataset. In other embodiments, a capacity of the target dataset is less than a capacity of the source dataset.

Abstract: Methods and systems are provided for detecting malware. One example method generally includes receiving a reference dataset comprising an aggregation of probability distributions of a plurality of intra-file patterns for a plurality of files of at least a first class and applying a logical query to the reference dataset to generate a template distribution with probability distributions of the plurality of intra-file patterns calculated according to one or more logical operators in the logical query. The method further includes detecting a likely presence of malware in a computer file by indicating one or more areas in the computer file based on at least a portion of the calculated probability distributions of the plurality of intra-file patterns in the template distribution.

Abstract: An in-depth behavioral analysis of time-series metric data can require time consuming and computationally expensive statistical processing. To provide a more efficient behavioral analysis of a component within an environment, an application behavioral analysis system captures time-series metric data for a component, such as an application, and generates tiles comprising metric values from sequential segments of the metric data. After generating the tiles, the system iterates through the tiles of each segment and determines whether the segment shares matching tiles with other segments of the metric data. The system generates a behavioral analysis for the component based on the segments with shared tiles. The behavioral analysis may include a matrix or graph data structure which indicates the related segments. From this behavioral analysis, the system can efficiently identify common and reoccurring behaviors for a component without performing complex statistical processing of the metric data.

Abstract: Secure Quarantine of Potentially Malicious Content. In one embodiment, a method for secure quarantine of potentially malicious content may include receiving a computer file from a third party, preventing the computer file from initially being accessed by a user associated with the computing device, collecting metadata from the computer file, encrypting the file and the collected metadata using a first encryption key, creating an encrypted computer file, encrypting the first encryption key using an asymmetric key, embedding the encrypted computer file into a new computer file, wherein at least one file object that is in the encrypted computer file is removed from the new computer file, enabling user access to the new computer file and the embedded encrypted computer file.

Abstract: In one embodiment, a method for electronic document sanitization may include receiving a first request from a client device to send a first electronic document, the first request including a requested usability level of the first electronic document, removing at least one document object from the first electronic document, the document object having potentially malicious content, the removing based at least in part on receiving the first request, and transmitting the first electronic document to the client device after removing the at least one document object therefrom.

Abstract: In embodiments, a known network relation is generated from a known topology of a network and is sent to a first data source agent associated with a first tool configured to monitor the network. A first contextual topology of the network is received from the first data source agent and is based on the known network relation and first data associated with the first tool. An extended topology is generated by reconciling the known topology with at least the first contextual topology. In further embodiments, a derived network relation is received from the first data source agent. The derived network relation is sent to a second data source agent. Second contextual topology based, at least in part, on the derived network relation can be received from the second data source agent. An updated extended topology based, at least in part, on the second contextual topology can be generated.

Abstract: The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In one embodiment, a computer-implemented method for using customer context to detonate malware may be performed by one or more computing devices, each comprising one or more processors. The method may include receiving an artefact associated with a first device being targeted by malware, simulating in a controlled environment attributes of the first device based at least in part on the artefact, executing the malware in the controlled environment while the attributes of the first device are being simulated, and performing a security action with respect to the malware based at least in part on the execution of the malware in the controlled environment.

Abstract: The disclosed computer-implemented method for identifying users may include (i) detecting that a user at an endpoint computing device is connecting to an identity provider, (ii) detecting, after detecting that the user at the endpoint computing device is connecting to the identity provider, that a mobile device has received a second-factor authentication message, (iii) discovering, by a security service, that the user at the endpoint computing device matches a known user profile registered to the mobile device by correlating the user at the endpoint computing device connecting to the identity provider with the mobile device receiving the second-factor authentication message, and (iv) applying a security policy to the user at the endpoint computing device based on the known user profile matched to the user by the security service. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques are disclosed relating to generating and validating a container for an application. A container for an application may an executable package that include the source code for the application along with the runtime information, system tools, system libraries, and settings for the application. A container validation procedure is determined for the container using a plurality of container validation routines. The container validation routines may reflect the role various validation entities have in validating the container and approving it for deployment. If the container successfully passes the container validation procedure, the container may be deployed on a computer system.

Abstract: Methods, root cause analysis (RCA) engines, and monitoring systems for controlling monitoring systems based on RCA are provided. An RCA engine of a hardware computer receives an alarm on an entity. The RCA engine fetches correlation domains based on the correlation domains each having been associated with the entity and in which the alarm is part of a policy applied to the correlation domains. The RCA engine determines if the alarm is for a root cause of failure for an entity in one of the correlation domains and responsive to the alarm being for the root cause of failure: transmits a message to monitoring systems, the message comprising instructions for the registered monitoring systems to stop monitoring symptom conditions associated with the root cause of failure, and transmits, through the network, an indication of a failure of the one of the entities that is the root cause of failure.

Abstract: A computer-implemented method for enforcing dynamic network security policies may include (i) monitoring, by a network traffic protection system, network packets transmitted on a network segment, (ii) detecting, by the network traffic protection system, a suspicious transmission of at least one network packet associated with an endpoint computing device connected to the network segment, (iii) modifying, based on the suspicious transmission of the network packet, at least one network security policy for the network segment, and (iv) enforcing, by the network traffic protection system, the modified network security policy for all endpoint computing devices connected to the network segment. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method includes determining a match score indicative of similarities between (1) signal information associated with a current route being traveled by a user in connection with a transaction with a merchant and (2) signal information associated with an established route traveled by the user in connection with a previous transaction between the user and the merchant, wherein the signal information comprises signal signatures that identify one or more signal emitters identified along each route. The method also includes determining whether the current route matches the established route based on whether the match score is above a threshold. The method further includes if the match score is below the threshold, transmitting a message indicating that the user was not authenticated.

Abstract: Provided is a process that includes: obtaining a training set of n-grams labeled as offensive; causing a machine learning model to be trained based on the training set of n-grams, wherein the machine learning model, when trained, is configured to classify natural language text as offensive or non-offensive; obtaining input natural language text expressing a computer-generated utterance; classifying after causing training, the computer-generated utterance as offensive or non-offensive using the machine learning model; and causing an output to be provided to a recipient, the output being based on whether the machine learning model classifies the computer-generated utterance as offensive or non-offensive.

Abstract: Systems, apparatuses, methods, and computer readable mediums for implementing an email deception service. A system includes one or more processors coupled to one or more memories storing program instructions. The program instructions are executable by the processor(s) to scan live emails for suspicious emails. The suspicious emails are emails with phishing links, business compromise emails, emails with malware attachments, and so on. When a suspicious email is detected, the processor(s) execute the program instructions to interact with the suspicious email in a way that mimics an end-user. A set of decoy credentials are provided to an attacker during the interaction, and then a decoy account is monitored for accesses by the attacker using the decoy credentials. Accesses to the decoy account are monitored and recorded to obtain intelligence on the attacker.

Abstract: Methods and devices for opening a firewall port for a specified time period are provided. A data packet having a source address and a destination address beyond a firewall transmitted from a process source is intercepted by an interceptor. Responsive to determining, based on the source address, that a firewall port is not open, buffering the data packet. A request comprising an identifier, a protocol identifier, and a time period the firewall port is to be open is transmitted to a firewall controller. The firewall controller authenticates the request based on the identifier and opens a firewall port determined based on the protocol identifier. The interceptor receives an open firewall port notification indicating that the firewall port has been opened and transmits the data packet through the firewall port to the destination address. The firewall controller closes the firewall port when the time period has expired.

Abstract: A computer-implemented method for server load control may include: (a) receiving a request of a first type or a second type; (b) transmitting a response of a form that will not be processed by the second computer, thereby reducing the load on a third computer, when the request is of the first type, and that will be processed by the second computer when the request is of the second type; and (c) when the request is of the second type and the response is processed by the second computer, receiving a message from the second computer that results from the processed response and indicates that the request is not of the first type. Various other methods, systems, and computer-readable media are also disclosed.