Abstract: An enterprise network has network assets, with each network asset having a network interface. A network graph has the network assets as nodes and connections between network interfaces of network assets as edges. An activity graph has nodes and edges, with each node representing a logical resource that performs an activity on the enterprise network, and each edge representing a relationship between the logical resources. Subgraphs of the activity graph are aligned to subgraphs of the network graph to create a mapping based on network assets associated with activities. Activity subgraphs that are aligned to the same network subgraph are compared for similarity to detect anomalous activities. The network graph is displayed at different hierarchical levels as a visualization on a display screen, with risk assessments overlayed on corresponding nodes on the visualization.

Abstract: Method and system for evaluating contents stored in a Distributed Hash Table (DHT) network are described. Contents are stored as chunks across nodes of the DHT network. Contents are subjected to cybersecurity evaluations to generate risk histories of the chunks. A reputation of a target content is determined based on corresponding risk histories of individual chunks that are present in the target content.

Abstract: A computer network of an organization has network assets and honeypots. Probes are deployed on the computer network to collect telemetry data of the network assets. Asset profiles of the network assets are extracted from the telemetry data to obtain organization-specific data. A prompt is generated, with the prompt including an instruction to generate a honeypot configuration based on the organization-specific data. The prompt is input to a generative artificial intelligence (AI) model, such as a large language model (LLM). A honeypot is configured in accordance with the honeypot configuration that is output by the generative AI model responsive to the prompt.

Abstract: Novel vulnerabilities in Open-Source Software (OSS) packages are identified from comments made on repositories of a version control platform. Security-related comments are identified and converted into a conversation format, such as a dialog. A prompt that includes the dialog is created and input to a generative Artificial Intelligence (AI) model. The prompt includes instructions that guide the AI model in generating an output. The output indicates whether a component of an OSS package has a vulnerability.

Abstract: A customer account on a serverless platform is monitored for deployment of serverless function codes. When a serverless function code is detected to have been deployed in the customer account, the deployment is checked against admission control policies of the customer account. A corresponding serverless function in the customer account that results from the deployment of the serverless function code is terminated when the deployment of the serverless function code is prohibited by an admission control policy.

Abstract: Disclosed are a system and methods for detecting anomalies in a computer network. Files that are stored in the computer network of an organization are enumerated. The locality-sensitive hash values of the enumerated files are calculated. Sensitive files among the enumerated files are identified based on the locality-sensitive hash values of the enumerated files. Similarity between identified sensitive files is determined based on their distance from each other. The identified sensitive files are linked on a timeline based on their similarity and creation time. One or more event filters are applied to the timeline to detect anomalous file events. Files on the timeline that are involved in the anomalous file events and users that operated on the files are flagged. Mitigation is performed on the flagged files and users.

Abstract: A sandbox module on a host computer executes sample programs and includes a dynamic analysis module that collects run-time behaviors of the sample program. A static analysis module collects static behaviors of the sample programs. The behaviors are sent to a recurrent neural network to train one or more models. Each model is trained on a type of sample file. During prediction, the sequence network inputs the behaviors from an unknown sample program. An encoder encodes the behaviors into numerical tuples. A recurrent neural network model inputs the tuples and outputs a predicted behavior of the sample program based upon the tuples. A decoder decodes a numerical tuple representing the predicted behavior and outputs the predicted behavior into a decision engine. The decision engine of the sandbox outputs a decision regarding whether the sample program is malicious or not. Look up tables permit mapping between tuples and the textual behaviors.

Abstract: A URL is input into a virtual browser of a crawler which requests that URL and all of its resource URLs in order to form a network graph. Network features are extracted. An identity stage uses an identity model based upon lexical and host features to determine if the input URL and resource URLs are malicious or benign. A similarity stage uses a similarity model and similarity functions to produce a similarity score between each pair of the input URL and a resource URL. An activity stage uses an activity model to determine if the input URL's network is malicious or benign based upon the network graph and extracted network activity features. Edges of the graph are weights, similarity scores, attributes or network features. A finality stage concludes malicious if the identity stage concluded that the URL was malicious or the activity stage concluded that the URL's network was malicious.

Abstract: Penetration testing is performed on a cellular network environment. An attacker system sends a request packet to a target user equipment that is connected to a base station of a cellular network. A source Internet Protocol (IP) address of the request packet is changed to an IP address that allows a response packet from the target user equipment to be received at a relay system. The request packet is encapsulated in a General Packet Radio Services Tunneling Protocol User (GTP-U) tunnel packet that is sent to a UPF of the cellular network. The response packet, which is responsive to the request packet, is received at the relay system by way of the UPF. A destination IP address of the response packet is changed to an IP address of the attacker system before forwarding the response packet to the attacker system.

Abstract: Online content is received in a user computer over the public Internet. A target text of the online content is selected to check for misinformation. A search query is generated using the target text. An online search is performed using the search query to generate a first set of search results. Another online search is performed using an opposite search query, which conveys a meaning that disagrees with the target text, to generate a second set of search results. Misinformation in the online content is detected based on how much the target text aligns with collected online contents from the first and second search results.

Abstract: Disclosed is a system and method of black box testing a cybersecurity system. An attack chain or an element of the attack chain is decomposed into constituent primitives. Primitive codes for the primitives are generated by a generative artificial intelligence (AI) model. The primitive codes are assembled into a pseudo-malware. A malware scanning engine is black box tested against the pseudo-malware to determine whether the malware scanning engine can detect the pseudo-malware.

Abstract: A client locates a server in a computer network without using the Domain Name System (DNS). The client transmits a request User Datagram Protocol (UDP) packet that includes a locating pattern. Responsive to detecting the locating pattern in the request UDP packet, a monitor that monitors communication of the client informs the server of the Internet Protocol (IP) address and port number of the client. Responsive to receiving the IP address and port number of the client, the server sends the client a response UDP packet that includes the locating pattern and the IP address and port number of the server. The client uses the IP address and port number of the server from the response UDP packet to communicate with the server.

Abstract: A suspicious Uniform Resource Locator (URL) of a resource on the public Internet is detected by searching a part of the URL for a candidate substring, which is the longest possible substring that is in accordance with a Base64 encoding scheme. The candidate substring is converted to a candidate binary data in accordance with the Base64 encoding scheme. The candidate binary data is then converted to a candidate American Standard Code for Information Interchange (ASCII) string. The candidate ASCII string is evaluated to determine the information type of the candidate ASCII string. A determination as to whether the URL is suspicious is based at least on the information type of the candidate ASCII string.

Abstract: Bring Your Own Vulnerable Driver (BYOVD) attacks are detected in Windows-based desktop computers. An opening of a device handle to a device object by a process is detected in the desktop computer. An object path that is used in the opening of the device handle is obtained and parsed to identify a device name of the device object. The device name is compared to device names associated with drivers that have known vulnerabilities. The process that opened the device handle is detected as indicative of a BYOVD attack if the device name is associated with a driver that has a known vulnerability and the process is not a normal process.

Abstract: A system for preventing submission of sensitive information of an enterprise to a generative artificial intelligence (AI) chatbot includes an endpoint computer and a backend system. A user of the enterprise employs the endpoint computer to chat with the generative AI chatbot. The chat is monitored on the endpoint computer, and a record of the chat is provided to the backend system over the public Internet. In the backend system, the record of the chat is parsed to identify the enterprise's sensitive information, enabling the facilitation of corresponding security management responses and actions.

Abstract: Interactable objects of a virtual world are scanned to determine if they are malicious. A spatial resource identifier (SRI) of an interactable object is received in a virtual reality (VR) interface that is employed by a user to access the virtual world. The interactable object is scanned when it has been rendered and is in range of the user. The scanning includes querying a backend system, using the SRI, for a reputation of the interactable object when the VR interface is incapable of scanning the interactable object.

Abstract: Filters that include matching criteria for detecting data indicative of attack techniques of cyber threats are provided in a repository. Filters that meet filter conditions of a rule of a heuristic model are automatically included in the rule. Filters that have been automatically included in the rule by having met the filter conditions of the rule are automatically removed from the rule when the filters no longer meet the filter conditions of the rule. A security log is scanned for data that meet matching criteria of filters included in the rule. The heuristic model issues an alert at least in response to detecting that the security log includes data that meet matching criteria of filters included in the rule.

Abstract: Network threat events are declared in response to detecting network traffic data indicative of network threats in network traffic involving hosts of a private computer network. Common hosts of the private computer network are identified in network threat events that have occurred within a sampling period. For each identified common host, a baseline of network behavior of the common host in network threat events that have occurred within a sliding time window is generated. A new threat event that has occurred after the sliding time window is identified as anomalous by comparing a network behavior of a common host in the new network threat event against the baseline of network behavior of the common host. An alert is issued in response to detecting an anomalous network threat event that has a risk rating that exceeds a threshold risk level.

Abstract: Anomalous loading of a dynamic-link library (DLL) is detected on a desktop computer. When the file of the DLL is not a known normal file, the locality sensitive (LSH) values of files of known versions of a known normal DLL that corresponds to the DLL are obtained from an LSH repository and compared to the LSH value of the file of the DLL. The smallest distance between the LSH value of the file of the DLL and each of the LSH values from the repository is selected for comparison to a risk threshold. The Loading of the DLL is detected to be an anomaly when the smallest distance is not less than the risk threshold.

Abstract: A cloud computing platform provides compute instances of customer accounts. A shell script in a compute instance is evaluated by normalizing the shell script to output a set of tokens that are separated by a predetermined separator. The set of tokens is searched for presence of reference tokens. The counts of the reference tokens in the set of tokens are formed into an occurrence vector, which is evaluated by a machine learning model to determine if the shell script is malicious.