Patents Assigned to Check Point Software Technologies LTD
-
Patent number: 11075882
Abstract: Computerized methods and systems reduce the false positive rate of Web Application Firewalls (WAFs), by operating automatically and utilizing system defined “trusted sources”.
Type: Grant
Filed: February 28, 2019
Date of Patent: July 27, 2021
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventor: Roy Barda
-
Patent number: 10972488
Abstract: Computerized methods and systems determine an entry point or source of an attack on an endpoint, such as a machine, e.g., a computer, node of a network, system or the like. These computerized methods and systems utilize an attack execution/attack or start root, to build an attack tree, which shows the attack on the end point and the damage caused by the attack, as it propagates through the machine, network, system, or the like.
Type: Grant
Filed: September 15, 2019
Date of Patent: April 6, 2021
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Anandabrata Pal, Lior Arzi, Tamara Leiderfarb
-
Patent number: 10880316
Abstract: Computerized methods and systems determine an initial execution of an attack on an endpoint. An indicator of the attack is obtained by analysis of a first process on the endpoint. A sequence of processes that includes the first process associates the initial execution of the attack with the first process. Each respective process in the sequence of processes is created or executed by at least one of the initial execution or a process in the sequence of processes. The initial execution is identified based on linking from the first process to the initial execution through a combination of executions and creations of the processes in the sequence of processes.
Type: Grant
Filed: December 9, 2015
Date of Patent: December 29, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Anandabrata Pal, Tamara Leiderfarb, Lior Arzi
-
Patent number: 10728274
Abstract: Computerized methods and systems inspect data packets received from a web server for the presence of a value from a list of prohibited values. If a prohibited value is absent, a gateway injects at least one JavaScript code segment for execution by a web browser. The at least one JavaScript code segment includes a plurality of JavaScript functions which include at least one security analysis JavaScript function and a plurality of modified JavaScript functions. Each of the modified JavaScript functions is created from a respective native JavaScript function to include at least one code segment that when executed inspects for at least one of: a dynamic modification of at least one JavaScript function from a prohibited list of JavaScript functions, a dynamic creation of at least one JavaScript function from the prohibited list of JavaScript functions, or a dynamic reference to a value from the list of prohibited values.
Type: Grant
Filed: September 22, 2016
Date of Patent: July 28, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Ilan Uriel, Aviad Mor
-
Patent number: 10728266
Abstract: Computerized methods and systems identify malware enabled by automatically generated domain names. An agent executes a malware, in a controlled environment, at a first temporal input value and a second temporal input value. A first set of domain names is generated in response to the execution at the first temporal input value. A second set of domain names is generated in response to the execution at the second temporal input value. The agent compares the first set of domain names with the second set of domain names to produce a comparison output metric.
Type: Grant
Filed: August 15, 2017
Date of Patent: July 28, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventor: Aliaksandr Chailytko
-
Patent number: 10645074
Abstract: A method for monitoring access of users to Internet SaaS applications includes the CISO (company Internet security office) in the configuration and operation of the method, instead of relying only on whatever security the SaaS application implements. Certificates, not accessible to users, are pushed to a user's client. When an access request is received from a client by an application, a gateway requests from the client the certificate. After a notification and approval process with the user, a received certificate is verified, user access to the application is allowed or denied, and the CISO notified of the attempted access.
Type: Grant
Filed: March 28, 2017
Date of Patent: May 5, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Alon Boxiner, Liad Mizrachi, Oded Vanunu, Roman Zaikin, Yoav Shay Daniely
-
Patent number: 10567468
Abstract: Methods and systems provide mechanisms for inspection devices, such as firewalls and servers and computers associated therewith, to selectively manipulate files, for which a download has been requested. The manipulation is performed in a manner which is transparent to the requesting user.
Type: Grant
Filed: December 28, 2015
Date of Patent: February 18, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Amnon Perlmutter, Lior Drihem
-
Patent number: 10554629
Abstract: A method for introducing a replacement code segment over-the-air through a wireless mobile communication network to an existing code resident on a mobile terminal: identifying the mobile terminal from among terminals served through the wireless mobile communication network; sending a push notification through the network to the mobile terminal, the push notification indicative of the replacement code segment ready for downloading; activating a dynamic update module resident in the mobile terminal, in response to the push notification; sending a request for the replacement code segment; downloading the replacement code segment to the mobile terminal; and transferring the downloaded replacement code segment to the dynamic update module for dynamic replacement of a corresponding old code segment within the mobile terminal with the replacement code segment, obviating a need to recompile the existing code.
Type: Grant
Filed: June 30, 2016
Date of Patent: February 4, 2020
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Yuval Raban, Nadia Goshmir, Shami Reshtik
-
Patent number: 10511616
Abstract: Disclosed are methods and systems for detecting malware and potential malware based on using generalized attack trees (generalized attack tree graphs). The generalized attack trees are based on attack trees (attack tree graphs), whose objects, such as links and vertices, have been analyzed, and some of these objects have been generalized, resulting in the generalized attack tree of the invention.
Type: Grant
Filed: November 6, 2018
Date of Patent: December 17, 2019
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Tamara Leiderfarb, Lior Arzi, Anandabrata Pal
-
Patent number: 10462160
Abstract: Computerized methods and systems identify events associated with an attack initiated on an endpoint client. A listing of processes executed or created on the endpoint during the attack is obtained. The listing of processes includes a first process and at least one subsequent process executed or created by the first process. The computerized methods and systems analyze for the occurrence of at least one event during a time interval associated with the attack. The computerized methods and systems determine whether the listing of processes includes a process that when executed caused the occurrence of the at least one event. If the listing of processes excludes process that when executed caused the occurrence of the at least one event, the at least one event and the causing process are stored, for example, in a database or memory.
Type: Grant
Filed: October 13, 2016
Date of Patent: October 29, 2019
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Lior Arzi, Tamara Leiderfarb, Anandabrata Pal
-
Patent number: 10382493
Abstract: Computerized methods and systems receive neutralized data items on a first entity from a second entity over a network by receiving a first data item from the second entity. A security protocol that applies rules and policies is applied to the first data item to create a second data item that is a neutralized version of the first data item. The first data item and the second data item are converted into comparable forms. The second data item is analyzed against the first data item by comparing the comparable forms to form at least one comparison measure. The second data item is received on the endpoint if the at least one comparison measure satisfies a threshold criterion. The security protocol is modified to adjust the applied rules and policies if the at least one comparison measure does not satisfy the threshold criterion.
Type: Grant
Filed: June 9, 2016
Date of Patent: August 13, 2019
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Daniel Finchelstein, Amnon Perlmutter
-
Patent number: 10243741
Abstract: Securely exchanging keys to establish secure connections to low powered connected devices (LPCDs), such as smart devices and IoT (Internet Of Things) devices, and mutual authentication between these devices and third party controllers is accomplished via a higher performance machine configured with a dedicated remote service (DRS). A known symmetric pre-shared key (PSK) is used to establish a secure first connection between the LPCD and the DRS using another symmetric key. The DRS can then use asymmetric key exchange to securely send a new symmetric key to the 3P, and send the same new symmetric key to the LPCD using the secure first connection. This facilitates LPCDs to securely establish secure communications with other devices, in particular for control by third party (3P) devices. This also allows authentication of the LPCD with cloud services, and enables a DRS to vouch for associated devices to other DRSs.
Type: Grant
Filed: March 30, 2017
Date of Patent: March 26, 2019
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Yiftach Cohen, Erez Geva
-
Patent number: 10057390
Abstract: Methods and systems provide mechanisms for inspection devices, such as firewalls and servers and computers associated therewith, to modify HTTP requests, without requiring the inspection device to terminate the connections at the TCP (Transport Control Protocol) level, as occurs with contemporary web proxies, e.g., web proxy servers—either explicit or implicit proxies.
Type: Grant
Filed: April 1, 2015
Date of Patent: August 21, 2018
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Amnon Perlmutter, Lior Drihem
-
Patent number: 10050995
Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
Type: Grant
Filed: May 15, 2017
Date of Patent: August 14, 2018
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Tomer Teller, Adi Hayon
-
Patent number: 9935903
Abstract: Processing client requests for duplicate-free server operations is particularly useful for creating and sending items using Microsoft Exchange Web Services (EWS). The system facilitates avoiding creation and sending of duplicate items. In contrast to conventional implementations that send a single command to create and then perform subsequent processing of an item, a feature of the present embodiment is using two commands: a first command to create the item, and a second command to subsequently process the item. In a specific implementation, an EWS item's provided ChangeKey property is used to keep track of the EWS's reply from the server to the client, thereby avoiding duplicate item creation.
Type: Grant
Filed: September 30, 2014
Date of Patent: April 3, 2018
Assignee: Check Point Software Technologies Ltd
Inventors: Yuval Raban, Leo Natan, Ori Feldman
-
Patent number: 9888032
Abstract: Computerized methods and systems mitigate the effect of a ransomware attack on an endpoint by detecting access events associated with requests by processes, including ransomware processes, to access data items on the endpoint. The data items are hidden from the operating system processes executed on the endpoint. In response to detecting an access event, an action is taken against the process associated with the access event.
Type: Grant
Filed: May 3, 2016
Date of Patent: February 6, 2018
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Kasif Dekel, Liad Mizrachi, Roman Zaikin, Oded Vanunu
-
Patent number: 9686307
Abstract: Client-less methods and systems destroy/break the predictive layout of, for example, a client computer memory. The methods and systems operate by injecting a library that manipulates the client computer memory during exploitation attempts.
Type: Grant
Filed: January 13, 2015
Date of Patent: June 20, 2017
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Tomer Teller, Adi Hayon
-
Patent number: 9686294
Abstract: Methods and systems for protecting components of a linked vehicle from cyber-attack are disclosed. These methods and systems comprise elements of hardware and software for receiving a packet; tunneling the packet to a terrestrial-based security service, analyzing whether the packet is harmful to a component in the vehicle, and at least one action to protect at least one component.
Type: Grant
Filed: June 15, 2015
Date of Patent: June 20, 2017
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Alon Kantor, Tamir Zegman
-
Patent number: 9672189
Abstract: The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch.
Type: Grant
Filed: July 23, 2009
Date of Patent: June 6, 2017
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES, LTD.
Inventors: Ofer Raz, Amnon Perlmutter, Erez Berkner
-
Patent number: 9661006
Abstract: Methods and systems for mitigating cyber attacks on components of an automotive communication system are disclosed. These methods and systems comprise elements of hardware and software for receiving a frame; determining whether the frame potentially affects correct operation of an automotive component; and, taking protective action.
Type: Grant
Filed: March 31, 2015
Date of Patent: May 23, 2017
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Alon Kantor, Tamir Zegman