Patents Assigned to Trend Micro Incorporated
-
Patent number: 12361138
Abstract: Software products that are installed on a computer are identified from application names of application programs on the computer. The application names are pre-filtered to discard those that do not meet initial product filtering criteria that were used to collect sample data from which training datasets for training encoder-only transformer models were selected. Application names that meet initial product filtering criteria are classified using the encoder-only transformer models. Application names that have been classified by the encoder-only transformer models as those of supported products are post-filtered to discard those that do not meet the initial product filtering criteria of corresponding supported products. Application names that have not been discarded by the post-filtering are deemed to be those of software products installed on the computer.
Type: Grant
Filed: May 2, 2023
Date of Patent: July 15, 2025
Assignee: Trend Micro Incorporated
Inventor: ChiChang Kung
-
Patent number: 12363136
Abstract: Disclosed are a system and method for detecting an unauthorized Internet of things (IoT) device in a private computer network. Packets of network traffic are collected in the private computer network. An IoT packet is identified from among the collected packets. IoT data is extracted from the IoT packet and encrypted. The encrypted IoT data is transmitted to an artificial neural network in the cloud over the public Internet. The artificial neural network infers, based on the encrypted IoT data, a device type of an IoT device that transmitted the IoT packet in the private computer network. The IoT device is detected to be unauthorized in response to detecting that the device type of the IoT device is not a recognized IoT device type in the private computer network.
Type: Grant
Filed: December 28, 2020
Date of Patent: July 15, 2025
Assignee: Trend Micro Incorporated
Inventors: Daniel Cheng, Zhonglin Liu, Patrick Shi, Jeff Jiang
-
Patent number: 12316622
Abstract: A system for protecting public-facing computing assets of an organization includes a correlation system and security appliances. Public-facing computing assets of the organization are discovered as being accessible from the Internet. The security appliances monitor network traffic between monitored computing assets of the organization and clients on the Internet. The correlation system correlates certificate information of digital certificates of the monitored computing assets with certificate information of digital certificates of the discovered public-facing computing assets to identify an unprotected computing asset.
Type: Grant
Filed: March 3, 2023
Date of Patent: May 27, 2025
Assignee: Trend Micro Incorporated
Inventors: Russell Meyers, Michael Habibi, Chin-En Yang, Juifang Chen
-
Patent number: 12316674
Abstract: A secure web gateway is deployed on the cloud between a web client and a web server. The secure web gateway sends the web client a redirect response status code with a replacement server location in response to a Hypertext Transfer Protocol (HTTP) request sent by the web client to access a target resource on the web server. The secure web gateway thereafter receives from the web client a Hypertext Transfer Protocol Secure (HTTPS) request to access the target resource, the HTTPS request includes the replacement server location. The secure web gateway sends the HTTPS request as an HTTP request to the web server. The secure web gateway receives an HTTP response from the web server, and forwards the HTTP response as an HTTPS response to the web client.
Type: Grant
Filed: March 30, 2023
Date of Patent: May 27, 2025
Assignee: Trend Micro Incorporated
Inventors: Juliang Jiang, Bin Shi, Shujun An
-
Patent number: 12267344
Abstract: Similar geographically proximate infrastructures are identified from a received compromised Internet protocol (IP) address of a compromised infrastructure. The geographic location of the compromised infrastructure is determined from the compromised IP address. The geographic locations of other infrastructures are determined from their respective exposed IP addresses. Geographically proximate infrastructures are identified from among the other infrastructures, with the geographically proximate infrastructures having geographic locations that are within a predetermined distance of the geographic location of the compromised infrastructure. Similar geographically proximate infrastructures are identified from among the geographically proximate infrastructures, with the similar geographically proximate infrastructures having a same industrial purpose as the compromised infrastructure.
Type: Grant
Filed: January 26, 2023
Date of Patent: April 1, 2025
Assignee: Trend Micro Incorporated
Inventors: Numaan Mehryar Huq, Roel Sotto Reyes, Morton Gregory Swimmer, Vincenzo Ciancaglini
-
Patent number: 12254089
Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.
Type: Grant
Filed: December 11, 2023
Date of Patent: March 18, 2025
Assignee: Trend Micro Incorporated
Inventors: Yin-Ming Chang, Hsing-Yun Chen, Hsin-Wen Kung, Li-Chun Sung, Si-Wei Wang
-
Patent number: 12206701
Abstract: An enterprise network has endpoints, which are computers with a computer program that needs patches to remove vulnerabilities. A plot of a percentage of vulnerable endpoints over time is generated. Patching cycles and residual phases are identified in the plot. A Residual Vulnerable Percentage (RVP) is determined from the plot, the RVP being an average of percentage of vulnerable endpoints in a residual phase. A Time to Patch Managed (TTPM) is determined from the plot as a time period from a beginning of a patching cycle to a beginning of a residual phase in the patching cycle. A performance indicator that is based on the RVP or the TTPM is compared to a corresponding reference to determine if a corrective action needs to be performed to address deficiencies in the efficiency and/or effectiveness of the patching process.
Type: Grant
Filed: November 30, 2022
Date of Patent: January 21, 2025
Assignee: Trend Micro Incorporated
Inventor: Chi-Chang Kung
-
Patent number: 12074898
Abstract: System and method for taking actions to mitigate security risks in a computer network are disclosed. The costs of security events and taking actions to block permissions granted to users are defined. For each of the users, prediction models are created, one for each of the security events. Using prediction models of a selected user, predictions on whether the security events will occur and/or predictions of severity if the security events actually occur are generated. For the selected user, an action list that indicates whether or not to take actions to block particular permissions granted to the selected user is generated based at least on the predictions, costs of the events, and costs of the permissions.
Type: Grant
Filed: January 31, 2022
Date of Patent: August 27, 2024
Assignee: Trend Micro Incorporated
Inventors: Lili Diao, Zhijie Li, ZhengBao Zhang
-
Patent number: 12063244
Abstract: An endpoint computer is protected from malicious distributed configuration profiles. The endpoint computer receives a distributed configuration profile over a computer network. Before installation of the distributed configuration profile in the endpoint computer, features of the distributed configuration profile are used to traverse a supervised decision tree. A rating score is generated based on weights of nodes of the supervised decision tree that are traversed using the features of the distributed configuration profile. The distributed configuration profile is detected to be malicious based at least on the rating score.
Type: Grant
Filed: July 18, 2022
Date of Patent: August 13, 2024
Assignee: Trend Micro Incorporated
Inventors: Yilu Ou, Changxi Cao, Liangzhi Zhang
-
Patent number: 12032705
Abstract: Proper functioning of an antivirus software running on an endpoint system is detected using a test data that is provided to the endpoint system. The test data is also provided to a backend system, which provides the endpoint system with an antivirus definition that includes information for detecting the test data. The antivirus software running on the endpoint system scans for the test data and reports detection of the test data to the backend system. The antivirus software is deemed to have failed the proper functioning test when the antivirus software fails to report detection of the test data. Proper functioning of the antivirus software is also detected by performing a challenge procedure, which involves sending a challenge message to the endpoint system. The endpoint system is expected to respond to the challenge message with a response that includes expected information.
Type: Grant
Filed: November 4, 2021
Date of Patent: July 9, 2024
Assignee: Trend Micro Incorporated
Inventors: Todd Joseph Kalauhala Manning, Muqeet Ali, Jonathan Edward Andersson, Josiah Dede Hagen, Richard Andrew Lawshae, Haoping Liu
-
Patent number: 12019782
Abstract: System and methods of analyzing customer events logs for cybersecurity with privacy protection are disclosed. Events logs of cybersecurity events are received from customer computers. Customers in the events logs are represented with ring signatures. Candidate features that occur in a group of events are identified in the events logs. A candidate feature is analyzed, based on corresponding ring signatures, to determine if the candidate feature can be attributed to a customer or a limited number of customers. If so, the candidate feature is considered private and is discarded. Otherwise, the candidate feature is retained as public data suitable for use in cybersecurity operations.
Type: Grant
Filed: November 19, 2021
Date of Patent: June 25, 2024
Assignee: Trend Micro Incorporated
Inventor: Jonathan James Oliver
-
Patent number: 12013937
Abstract: A computer system generates a hierarchical evolutionary tree of digests of sample files. The digests are generated using a locality sensitive hashing function. The digests are grouped into several clusters, and the clusters are grouped into several nodes. The nodes are connected in hierarchical order to generate the hierarchical evolutionary tree. A digest of a file being evaluated for malware is generated using the locality sensitive hashing function. The digest is put in a cluster of the hierarchical evolutionary tree having digests that are most similar to the digest relative to digests of other clusters of the hierarchical evolutionary tree. The digest is identified to be of the same malware family as the digests of the cluster.
Type: Grant
Filed: July 29, 2021
Date of Patent: June 18, 2024
Assignee: Trend Micro Incorporated
Inventors: Jonathan James Oliver, Chia-Yen Chang, Wen-Kwang Tsao, Joseph Cepe, Maria Estella Manly Reyes, Paul Christian D. Pajares, Jayson Pryde, Chiaming Chiang, Brandon Niemczyk, Leslie Zsohar
-
Patent number: 11973791
Abstract: A risk knowledge graph is created from information on risk events involving network entities of a private computer network. Each of the risk events is represented as a node in the risk knowledge graph. The nodes are connected by edges that represent the risk events. The nodes are grouped into communities of related nodes. A response action is performed against a community to mitigate a cybersecurity risk posed by the community.
Type: Grant
Filed: October 4, 2021
Date of Patent: April 30, 2024
Assignee: Trend Micro Incorporated
Inventors: Zhijie Li, ZhengBao Zhang, Lili Diao
-
Patent number: 11934346
Abstract: A cloud computing infrastructure hosts a web service with customer accounts. In a customer account, files of the customer account are listed in an index. Files indicated in the index are arranged in groups, with files in each group being scanned using scanning serverless functions in the customer account. The files in the customer account include a compressed tar archive of a software container. Member files of a compressed tar archive in a customer account are randomly-accessed by way of locators that indicate a tar offset, a logical offset, and a decompressor state for a corresponding member file. A member file is accessed by seeking to the tar offset in the compressed tar archive, restoring a decompressor to the decompressor state, decompressing the compressed tar archive using the decompressor, and moving to the logical offset in the decompressed data.
Type: Grant
Filed: October 17, 2022
Date of Patent: March 19, 2024
Assignee: Trend Micro Incorporated
Inventor: Brendan M. Johnson
-
Patent number: 11907368
Abstract: Anomalous activities on a computer network are detected from audit or sign-in activity information of a target entity as recorded in an audit or sign-in log. A baseline graph of the target entity is generated using information on activities of the target entity during a collection period. A predict graph of the target entity is generated with information on activities of the target entity during another collection period, which follows and is shorter than the earlier collection period. A residual graph that indicates nodes or edges that are in the predict graph but not in the baseline graph is generated. The residual graph is scored and the score is compared to a threshold to determine whether the target entity has performed an anomalous activity.
Type: Grant
Filed: November 24, 2021
Date of Patent: February 20, 2024
Assignee: Trend Micro Incorporated
Inventors: Peng Ye, Jingchen Ke
-
Patent number: 11902280
Abstract: Systems and methods for Internet access control are presented. A third-party application is hosted by a third-party server on the Internet. The third-party application has third-party data of a user. An Internet access control device detects an Internet access by the user to a target server on the Internet. The Internet access control device allows or blocks the Internet access depending on whether the Internet access is permitted or prohibited based on the third-party data.
Type: Grant
Filed: July 23, 2021
Date of Patent: February 13, 2024
Assignee: Trend Micro Incorporated
Inventors: Charles Hung-Ching Cheng, Cheng-Lin Hou, Chinghsien Liao, Hua-Lung Richard Huang
-
Patent number: 11882148
Abstract: Systems and methods are presented for mitigating cyber threats. Cybersecurity-related data are stored in a semantic cybersecurity database. A user interface converts a user input to a command utterance. A command node that corresponds to the command utterance is identified in the cybersecurity database. The command node is resolved to one or more action nodes that are connected to the command node, and each action node is resolved to one or more parameter nodes that are connected to the action node. The command node has a command that implements actions indicated in the action nodes. Each action can have one or more required parameters indicated in the parameter nodes. The values of the required parameters are obtained from the command utterance, prompted from the user, or obtained from the cybersecurity database. Actions with their parameter values are executed to mitigate a cyber threat in accordance with the user input.
Type: Grant
Filed: April 13, 2021
Date of Patent: January 23, 2024
Assignee: Trend Micro Incorporated
Inventors: Josiah Dede Hagen, David Girard, Jonathan Edward Andersson, Vincenzo Ciancaglini, Jannis Weigend, Ahmed M. Ibrahim, Mikhail Gorbulev
-
Patent number: 11822655
Abstract: Features of sample files that are known to be normal are extracted by random projection. The random projection values of the sample files are used as training data to generate one or more anomaly detection models. Features of a target file being inspected are extracted by generating a random projection value of the target file. The random projection value of the target file is input to an anomaly detection model to determine whether or not the target file has features that are novel relative to the sample files. The target file is declared to be an outlier when an anomaly detection model generates an inference that indicates that the target file has novel features.
Type: Grant
Filed: December 30, 2019
Date of Patent: November 21, 2023
Assignee: Trend Micro Incorporated
Inventors: Jayson Pryde, Bernard Bisuna
-
Patent number: 11818580
Abstract: Methods and apparatus for detecting, in a gateway device configured for facilitating communication between an intranet and an external network, the existence of an unauthorized wireless access point in the intranet. The method includes determining whether a packet received at the gateway originates from one of the wireless devices. If a packet received at the gateway originates from a wireless device, the method includes determining whether a source MAC address associated with the packet is one of the set of known MAC addresses. If not, the method further includes taking a remedial action to prevent the unauthorized wireless access point from accessing one of the intranet and the external network.
Type: Grant
Filed: October 26, 2021
Date of Patent: November 14, 2023
Assignee: Trend Micro Incorporated
Inventor: Chun-Da Wu
-
Patent number: 11804961
Abstract: A computer network includes a camera node, a network access node, a verification node, and a display node. Video content recorded by a camera at the camera node is transmitted to the display node and to the verification node for verification. The video content is verified at the display node and at the verification node. Recording metadata of the video content is stored in a distributed ledger and retrieved by the display node to verify the video content. The verification node receives, from the network access node, verification data for verifying the video content.
Type: Grant
Filed: July 15, 2021
Date of Patent: October 31, 2023
Assignee: Trend Micro Incorporated
Inventors: Jonathan James Oliver, Chia-Yen Chang, Wen-Kwang Tsao, Ping Huan Wu, Federico Maggi, Jiri Gogela, Fyodor Yarochkin