Abstract: Disclosed techniques include cybersecurity threat management using element mapping. A plurality of cybersecurity threat protection applications is accessed. The cybersecurity threat protection applications include at least two different data management schemas. A first mapping of each of the plurality of cybersecurity threat protection applications is integrated. The first mapping includes a transformation of outputs of each of the plurality of cybersecurity threat protection applications. A second mapping of each of the plurality of cybersecurity threat protection applications is integrated. The second mapping includes a transformation of inputs of each of the plurality of cybersecurity threat protection applications. Cybersecurity is managed for a data network, based on data collected through the first mapping and data transmitted through the second mapping. The integrating a first mapping and a second mapping comprises a universal data layer for cybersecurity management.

Abstract: Predictive rendering (also referred to herein as speculative rendering) is disclosed. The predictive rendering is performed by an endpoint browser in response to a user input made by a user. The predictive rendering is verified using a surrogate browser that is executed on a remote server. The verification can be performed asynchronously.

Abstract: Techniques to facilitate prevention of malicious attacks on a web service are disclosed herein. In at least one implementation, a computing system intercepts a web request directed to a web server providing the web service. The computing system identifies whether or not the web request is malicious. When the web request is identified as malicious, the computing system redirects the web request to an isolated mitigation server configured to mimic responses of the web server. The isolated mitigation server processes the web request to generate artificial content based on the web request that appears to be genuine content provided by the web server, and presents the artificial content in response to the web request.

Abstract: Systems, methods, and computer-readable media for call classification and for training a model for call classification, an example method comprising: receiving DTMF information from a plurality of calls; determining, for each of the calls, a feature vector including statistics based on DTMF information such as DTMF residual signal comprising channel noise and additive noise; training a model for classification; comparing a new call feature vector to the model; predicting a device type and geographic location based on the comparison of the new call feature vector to the model; classifying the call as spoofed or genuine; and authenticating a call or altering an IVR call flow.

Abstract: Disclosed herein are techniques for protecting web applications from untrusted endpoints using remote browser isolation. In an example scenario, a browser isolation system receives a request from a client browser executing on a client device to connect with a remote application accessible via a private network. A surrogate browser is provided to facilitate communications between the client browser and the remote application. A security policy is enforced against the communications.

Abstract: Providing policy check functionality to file uploads is disclosed. An attempted file upload is detected at a browser isolation system. A user of a client is prompted to provide a credential associated with the file and usable to access contents of the file. A policy is applied to the file upload.

Abstract: A score indicating a likelihood that a first subject is the same as a second subject may be calibrated to compensate for aging of the first subject between samples of age-sensitive biometric characteristics. Age of the first subject obtained at a first sample time and age of the second subject obtained at a second sample time may be averaged, and an age approximation may be generated based on at least the age average and an interval between the first and second samples. The age approximation, the interval between the first and second sample times, and an obtained gender of the subject are used to calibrate the likelihood score.

Abstract: Embodiments described herein provide for a computer that detects one or more keywords of interest using acoustic features, to detect or query commonalities across multiple fraud calls. Embodiments described herein may implement unsupervised keyword spotting (UKWS) or unsupervised word discovery (UWD) in order to identify commonalities across a set of calls, where both UKWS and UWD employ Gaussian Mixture Models (GMM) and one or more dynamic time-warping algorithms. A user may indicate a training exemplar or occurrence of call-specific information, referred to herein as “a named entity,” such as a person's name, an account number, account balance, or order number. The computer may perform a redaction process that computationally nullifies the import of the named entity in the modeling processes described herein.

Abstract: In an embodiment, a computer-implemented method prevents use of a network protocol over an encrypted channel. In the method, a packet is received on an encrypted channel addressed to a network address. It is determined whether a network host at the network address is able to service a request formatted according to the network protocol over the encrypted channel. When the network host is determined to be able to resolve to a domain name over the encrypted channel, the network packet is blocked.

Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.

Abstract: A behavioral monitor executing in user space generates a plurality of filters corresponding to a plurality of processes executing in the user space. A first process transmits a system call to a corresponding filter of the plurality of filters in kernel space. The first process receives a signal from the corresponding filter. The first process analyzes the arguments submitted in the system call. The first process determines that the arguments may be associated with malicious activity. The first process generates an event and transmitting the event to the behavioral monitor. The behavioral monitor analyzes the event to determine whether the event is associated with malicious activity. The behavioral monitor causes a process group associated with the first process to cease executing and restores a previous version of the at least one file modified by the process group.

Abstract: In one embodiment, data at rest is securely stored. A data safe performing data plane processing operations in response to requests of received read data requests, received write data requests, and received read information responses, with the data safe being immutable to processing-related modifications resulting from said performing data plane processing operations. Performing these data plane processing operations does not expose any pilot keys outside the data safe in plaintext form nor in encrypted form. The pilot keys are used to encrypt information that is subsequently stored in a storage system. In one embodiment, the information encrypted and decrypted by the data safe includes data structure instances including feature-preserving encrypted entries generated using feature-preserving encryption on corresponding plaintext data items.

Abstract: Embodiments described herein provide for detecting whether an Automatic Number Identification (ANI) associated with an incoming call is a gateway, according to rules-based models and machine learning models generated by the computer using call data stored in one or more databases.

Abstract: Systems and methods are discussed for performing multi-key cryptographic operations. Policies can be received that define whether to perform a cryptographic operation with respect to various data items generated by one or more computing devices. The data items can be identified and compared to the policies to determine whether to perform the cryptographic operation on subsets of data items. The cryptographic operation can be performed with respect to a first subset of the data items using a first key, while the cryptographic operation can be performed with respect to a second subset of the data items using a second key.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, web traffic between a web server and a client is monitored, and a hypertext transfer protocol (HTTP) header transmitted by the client is processed to determine a type of web browser associated with the client. Attribute data points for the client are generated based on fields in the HTTP request header transmitted by the client and connection behavior of the client with the web server. The attribute data points for the client are then compared with predetermined attribute data points for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: In an embodiment, a method is configured to detect compromised credentials, comprising: generating a plurality of bloom filters, wherein each bloom filter corresponds to a particular subset of a set of compromised credentials; receiving an index value from a client computing device; in response to receiving the index value, determining a target bloom filter corresponding to the index value, and sending the target bloom filter to the client computing device; receiving a first value from the client computing device; in response to receiving the first value, generating a second value based on the first value, and sending the second value to the client computing device.

Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to define a parent application executing on a secure runtime hardware resource. A state snapshot of the secure runtime hardware resource is maintained. A fork request for a child application to be derived from the parent application is received. An updated state snapshot of the state snapshot is formed. The child application is instantiated. Encrypted state is transferred from the parent application to the child application. The encrypted state is used to derive an encryption key shared by the parent application and the child application. The encrypted state in the child application is decrypted using the encryption key to spawn an independent child application operative as an additional secure runtime instance. The parent application on the secure runtime hardware resource and the child application operative as the additional secure runtime instance are executed independently.

Abstract: A system for authenticated communications between devices, the system comprising: a plurality of devices comprising at least a first and second device; and one or more communication pathways configured to communicatively couple the first and second devices for data streaming of a data object; and the first device comprising a memory coupled to at least one processor, the first device configured to: generate a plurality of datasets corresponding to a plurality of data fragments constituting the data object, each dataset comprising encryption keys used to encrypt the corresponding data fragments, encrypt a first dataset of the plurality of datasets using a first dataset key derived based, in part, on a first encryption algorithm, and determine a second dataset key based, in part, on at least one of the first encryption algorithm and second encryption algorithm.

Abstract: Techniques to facilitate operation of a centralized trust authority for web application components are disclosed herein. In at least one implementation, a plurality of web resources used to construct web applications is received. Over a secure application programming interface (API), component registration information associated with each of the plurality of web resources is received, provided by producers of the web resources. The plurality of web resources is analyzed to determine unique identities and security attributes for each of the web resources. A plurality of security risk factors is identified for each of the plurality of web resources based on the component registration information and the security attributes determined for each of the web resources. A security profile is generated for each of the plurality of web resources based on the security risk factors identified for each of the web resources.

Abstract: Security is provided for enterprise local area networks (LANs) by pre-vetting and identifying the security characteristic and actions of any new wireless networks that tries to connect to a secure LAN network. The disclosure herein provides for identification and classification of IEEE 802.11 wireless networks by using monitoring sensor system within and managed by a centralized cloud. The monitoring sensors interrogate the network mimicking the behavior of known platforms, such as an end-user's workstation or mobile device followed by random actions simulating a human person. The response characteristics of the wireless network including the behavior patterns relating to the LAN system and human behavior are collected.