Abstract: Methods and systems allow organizations to discover accounts, subscriptions, properties, sites and other online portals within each distinct social network platform and across disparate social network platforms, publishing platforms and networks that represent, claim to represent or are relevant to their organization and/or brands based on search terms and facilitate the statistical reporting and analysis of activities on the discovered properties.

Abstract: Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.

Abstract: Systems, methods, and apparatuses directed to implementations of an approach and techniques for more effectively preparing for, detecting, and responding to cybersecurity threats directed at people or at groups of people. Embodiments are directed to classifying or segmenting employees by “predicting” what are believed to be two attributes of an employee that contribute to making them at a higher risk of being a target of a cybersecurity attack. These attributes are the employee's seniority level (e.g., employee, contractor, manager, executive, board member) and the employee's primary function or role in an organization (e.g., HR, Legal, Operations, Finance, Marketing, Sales, R&D, etc.

Abstract: Systems, apparatuses, and methods for more effectively preparing for and responding to cybersecurity threats directed at people or at groups of people. A segmentation process is described that evaluates multiple characteristics of a person that may make them a potential target or that may make a cybersecurity attack on that person more likely to be successful. Based on the segmentation, a security analyst can apply an appropriate risk reduction or security protocol to each person or group of similarly situated people to reduce the likelihood of an attack and/or the likelihood of a successful attack.

Abstract: An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power.

Abstract: A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.

Abstract: A system and methods for determining the degree to which a vendor, supplier, or company's compliance or lack of compliance with a specific regulation or requirement contributes to, or could contribute to, the cybersecurity risk of an organization whose employees use that company's products or services. This source of risk may be evaluated for a plurality or set of vendors to determine an estimated total risk arising this source or set of sources. In response to evaluating the degree or level of this source of risk, the system and methods can be used to determine or select the apprFinal opriate security process or protocol that should be applied to employees, devices, systems, and networks to limit the risk to the organization.

Abstract: Aspects of the disclosure relate to detecting and identifying malicious sites using machine learning. A computing platform may receive a uniform resource locator (URL). The computing platform may parse and/or tokenize the URL to reduce the URL into a plurality of components. The computing platform may identify human-engineered features of the URL. The computing platform may compute a vector representation of the URL to identify deep learned features of the URL. The computing platform may concatenate the human-engineered features of the URL to the deep learned features of the URL, resulting in a concatenated vector representation. By inputting the concatenated vector representation of the URL to a URL classifier, the computing platform may compute a phish classification score. In response to determining that the phish classification score exceeds a first phish classification threshold, the computing platform may cause a cybersecurity server to perform a first action.

Abstract: A cyberthreat detection system queries a content database for unstructured content that contains a set of keywords, clusters the unstructured content into clusters based on topics, and determines a cybersecurity cluster utilizing a list of vetted cybersecurity phrases. The set of keywords represents a target of interest such as a newly discovered cyberthreat, an entity, a brand, or a combination thereof. The cybersecurity cluster thus determined is composed of unstructured content that has the set of keywords as well as some percentage of the vetted cybersecurity phrases. If the size of the cybersecurity cluster, as compared to the amount of unstructured content queried from the content database, meets or exceeds a predetermined threshold, the query is saved as a new classifier rule that can then be used by a cybersecurity classifier to automatically, dynamically and timely identify the target of interest in unclassified unstructured content.

Abstract: A message-hold decision maker system used with an electronic mail processing system that processes electronic messages for a protected computer network improves the electronic mail processing system's performance by increasing the throughput performance of the system. The improvements are achieved by providing an electronic mail processing gateway with additional logic that makes fast and intelligent decisions on whether to hold, block, allow, or sandbox electronic messages in view of potential threats such as viruses or URL-based threats. A message hold decision maker uses current and stored information from a plurality of specialized classification engines to quickly make the decisions. In some examples, the message hold decision maker will instruct an email gateway to hold an electronic mail message while the classification engines perform further analysis.

Abstract: Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.

Abstract: A communication system includes multiple Point-of-Presence (POP) interfaces distributed in a Wide-Area Network (WAN), and one or more processors coupled to the POP interfaces. The processors are configured to assign to an initiator in the communication system a client Internet Protocol (IP) address, including embedding in the client IP address an affiliation of the initiator with a group of initiators, to assign to a responder in the communication system a service IP address, including embedding in the service IP address an affiliation of the service with a group of responders, and to route traffic between the initiator and the responder, over the WAN via one or more of the POP interfaces, in a stateless manner, based on the affiliation of the initiator and the affiliation of the service, as embedded in the client and service IP addresses.

Abstract: Technology is disclosed for detecting, classifying, and/or enforcing policies on social networking activity. The technology can store a content policy, classify content posted to a social network, determine that the classification corresponds to the content policy, and apply an action specified by the content policy to the posted content.

Abstract: Aspects of the disclosure relate to detecting impersonation in email body content using machine learning. Based on email data received from user accounts, a computing platform may generate user identification models that are each specific to one of the user accounts. The computing platform may intercept a message from a first user account to a second user account and may apply a user identification model, specific to the first user account, to the message, so as to calculate feature vectors for the message. The computing platform then may apply impersonation algorithms to the feature vectors and may determine that the message is impersonated. Based on results of the impersonation algorithms, the computing platform may modify delivery of the message.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: Systems and methods for analyzing applications (“apps”) on a mobile device for security risks for a company while maintaining the mobile device owner's privacy and confidentiality concerning the applications. The mobile device may be a user's personal device (a “bring your own device”). In an example method, a process generates one or more cryptographic representations of application information for each application on the mobile device. The cryptographic representations may comprise a hash or composite hash. The cryptographic representations may be transmit outside the mobile device to a system which makes a determination and provides an indication whether the application is permitted or not permitted for use at the company. The company can be associated with a hashed permitted or not permitted list. The application information can include application name, executable code, and a version number. The method may include automatically remediating the application if it matches a known risk.

Abstract: Aspects of the disclosure relate to using a machine learning system to process a corpus of documents associated with a user to determine a user-specific consequence index. A computing platform may load a corpus of documents associated with a user. Subsequently, the computing platform may create a first plurality of smart groups based on the corpus of documents, and then may generate a first user interface comprising a representation of the first plurality of smart groups. Next, the computing platform may receive user input applying one or more labels to a plurality of documents associated with at least one smart group. Subsequently, the computing platform may create a second plurality of smart groups based on the corpus of documents and the received user input. Then, the computing platform may generate a second user interface comprising a representation of the second plurality of smart groups.

Abstract: Systems, methods and products for classifying images according to a visual concept where, in one embodiment, a system includes an object detector and a visual concept classifier, the object detector being configured to detect objects depicted in an image and generate a corresponding object data set identifying the objects and containing information associated with each of the objects, the visual concept classifier being configured to examine the object data set generated by the object detector, detect combinations of the information in the object data set that are high-precision indicators of the designated visual concept being contained in the image, generate a classification for the object data set with respect to the designated visual concept, and associate the classification with the image, wherein the classification identifies the image as either containing the designated visual concept or not containing the designated visual concept.

Abstract: Aspects of the disclosure relate to dynamic and automated spear phishing management. A computing platform may identify users to receive a simulated spear phishing message. In some instances, the computing platform may receive a very attacked persons (VAP) list and may identify the users to receive the simulated spear phishing message based on the VAP list. Based on historical message data associated with a first user, the computing platform may identify message features associated with the first user. Using a predetermined template and for a first user account linked to the first user, the computing platform may generate a first spear phishing message based on the message features. The computing platform may then send, to the first user account, the first spear phishing message.

Abstract: Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.