Abstract: A risk knowledge graph is created from information on risk events involving network entities of a private computer network. Each of the risk events is represented as a node in the risk knowledge graph. The nodes are connected by edges that represent the risk events. The nodes are grouped into communities of related nodes. A response action is performed against a community to mitigate a cybersecurity risk posed by the community.

Abstract: A cloud computing infrastructure hosts a web service with customer accounts. In a customer account, files of the customer account are listed in an index. Files indicated in the index are arranged in groups, with files in each group being scanned using scanning serverless functions in the customer account. The files in the customer account include a compressed tar archive of a software container. Member files of a compressed tar archive in a customer account are randomly-accessed by way of locators that indicate a tar offset, a logical offset, and a decompressor state for a corresponding member file. A member file is accessed by seeking to the tar offset in the compressed tar archive, restoring a decompressor to the decompressor state, decompressing the compressed tar archive using the decompressor, and moving to the logical offset in the decompressed data.

Abstract: Anomalous activities on a computer network are detected from audit or sign-in activity information of a target entity as recorded in an audit or sign-in log. A baseline graph of the target entity is generated using information on activities of the target entity during a collection period. A predict graph of the target entity is generated with information on activities of the target entity during another collection period, which follows and is shorter than the earlier collection period. A residual graph that indicates nodes or edges that are in the predict graph but not in the baseline graph is generated. The residual graph is scored and the score is compared to a threshold to determine whether the target entity has performed an anomalous activity.

Abstract: Systems and methods for Internet access control are presented. A third-party application is hosted by a third-party server on the Internet. The third-party application has third-party data of a user. An Internet access control device detects an Internet access by the user to a target server on the Internet. The Internet access control device allows or blocks the Internet access depending on whether the Internet access is permitted or prohibited based on the third-party data.

Abstract: Systems and methods are presented for mitigating cyber threats. Cybersecurity-related data are stored in a semantic cybersecurity database. A user interface converts a user input to a command utterance. A command node that corresponds to the command utterance is identified in the cybersecurity database. The command node is resolved to one or more action nodes that are connected to the command node, and each action node is resolved to one or more parameter nodes that are connected to the action node. The command node has a command that implements actions indicated in the action nodes. Each action can have one or more required parameters indicated in the parameter nodes. The values of the required parameters are obtained from the command utterance, prompted from the user, or obtained from the cybersecurity database. Actions with their parameter values are executed to mitigate a cyber threat in accordance with the user input.

Abstract: A method for preventing spam comments from populating a web site is provided. The method includes intercepting a HTTP (Hypertext Transfer Protocol) response, which includes a web page with a form for enabling a client's general comments to be published on the web site. The method also includes modifying the web page with the form to create a modified web page with a randomized form. The modifying includes randomly adding a set of randomized variable names to the web page with the form. The set of randomized variable names is a set of randomly generated character strings. The method further includes forwarding the modified web page with the randomized form to the client. The method yet also includes adding the set of randomized variable name to a form database, which is configured for storing data about the modified web page with the randomized form.

Abstract: A system for preventing information leakage due to access by an application to a file is provided. The system for preventing information leakage includes an application identification module configured to obtain data associated with the application. The system for preventing information leakage also includes an association table containing file-type data and trusted-application data. In addition, the system also includes an access control module to determine the application identifier and the association table. The system for preventing information leakage is configured to determine whether to deny content access by the application to content of the file as saved in the file.

Abstract: Features of sample files that are known to be normal are extracted by random projection. The random projection values of the sample files are used as training data to generate one or more anomaly detection models. Features of a target file being inspected are extracted by generating a random projection value of the target file. The random projection value of the target file is input to an anomaly detection model to determine whether or not the target file has features that are novel relative to the sample files. The target file is declared to be an outlier when an anomaly detection model generates an inference that indicates that the target file has novel features.

Abstract: Methods and apparatus for detecting, in a gateway device configured for facilitating communication between an intranet and an external network, the existence of an unauthorized wireless access point in the intranet. The method includes determining whether a packet received at the gateway originates from one of the wireless devices. If a received at the gateway originates from a wireless device, the method includes determining whether a source MAC address associated with the packet is one of the set of known MAC addresses. If not, the method further includes taking a remedial action to prevent the unauthorized wireless access point from accessing one of the intranet and the external network.

Abstract: A multiclass classifier generates a probability vector for individual data units of an input data stream. The probability vector has prediction probability values for classes that the multiclass classifier has been trained to detect. A class with the highest prediction probability value among the classes in a probability vector is selected as the predicted class. A confidence score is calculated based on the prediction probability value of the class. Confidence scores of the class are accumulated within a sliding window. The class is declared to be the detected class of the input data stream when the accumulated value of the class meets an accumulator threshold. A security policy for an application program that is mapped to the class is enforced against the input data stream.

Abstract: A computer network includes a camera node, a network access node, a verification node, and a display node. Video content recorded by a camera at the camera node is transmitted to the display node and to the verification node for verification. The video content is verified at the display node and at the verification node. Recording metadata of the video content is stored in a distributed ledger and retrieved by the display node to verify the video content. The verification node receives, from the network access node, verification data for verifying the video content.

Abstract: A scam detection system includes a user computer that runs a security application and a backend system that runs a scam detector. An email is received at the user computer. The security application extracts and forwards a content of the email, which includes a body of the email, to the backend system. The email body of the email is anonymized by removing personally identifiable information from the email body. A hash of the anonymized email body is generated and compared against hashes of a whitelist and a blacklist. The anonymized email body is classified. A segment of text of the anonymized email body is identified and provided to the user computer when the anonymized email body is classified as scam.

Abstract: A system for stateful detection of cyberattacks includes an endpoint computer and a backend computer system. The endpoint computer monitors for cyberattacks and sends out queries for detected security events. The backend computer system stores observation data that are included in the queries. The backend computer system combines current observation data from a current query, relevant observation data from previous queries, and relevant cybersecurity data. The combined data are evaluated for cyberattacks.

Abstract: A login authentication process to access a computer service includes displaying a virtual keyboard on a display screen of a computer. A user enters a password by clicking on the virtual keyboard. The manner the user clicked on the virtual keyboard to enter the password is compared to the manner an authorized user of the computer service clicked on the virtual keyboard to enter an authorized password during a learning phase. The login authentication is deemed to be a success when the password matches the authorized password, and the manner the user clicked on the virtual keyboard to enter the password matches the manner the authorized user clicked on the virtual keyboard to enter the authorized password.

Abstract: A computer-implemented method for generating a first set of longest common sequences from a plurality of known malicious webpages, the first set of longest common sequences representing input data from which a human generates a set of regular expressions for detecting phishing webpages. There is included obtaining HTML source strings from the plurality of known malicious webpages and transforming the HTML source strings to reduce the number of at least one of stop words and repeated tags, thereby obtaining a set of transformed source strings. There is further included performing string alignment on the set of transformed source strings, thereby obtaining at least a scoring matrix. There is additionally included obtaining a second set of longest common sequences responsive to the performing the string alignment. There is further included filtering the second set of longest common sequences, thereby obtaining the first set of longest common sequences.

Abstract: A system for facilitating Internet security for devices on a local area network (LAN) is disclosed. The LAN may connect to a rating server through the Internet and may including at least an anti-malware application for detecting malware. The system may include a black list for being implemented on the LAN for storing identifiers of a set of forbidden sites. The devices may be prevented from accessing content provided by each of the forbidden sites. The system may also include a profiler for being implemented on the LAN for updating the black list utilizing a set of result data. The data may include scan result data and rating result data. The scan result data may pertain to results of scans performed by the anti-malware application; the rating result data may pertain to results of rating performed by the rating server.

Abstract: A target binary file is clustered by reducing the target binary file to its architecture-agnostic functions, which are converted into an input string. The target digest of the input string is calculated and compared to digests of malicious binary files. A cluster having digests of malicious binary files that are similar to the target digest is identified. In response to identifying the cluster, the target binary file is detected to be malicious and of the same malware family as the malicious binary files of the cluster.

Abstract: A file is stored in a public cloud storage. A serverless computing platform receives an event notification that the file has been stored and, in response, creates an instance of an ephemeral environment wherein a security module is executed. The security module creates a memory-mapped space with memory locations that are mapped to the entire content of the file but does not allocate memory for all of the memory locations. Instead, the security module retrieves sections of the file from the public cloud storage as these sections are accessed in their designated memory locations in accordance with the memory mapping, allocates memory for the retrieved sections, stores the retrieved sections in their designated memory locations, and scans the retrieved sections in their designated memory locations for malicious code. The security module continues scanning the file in sections until relevant sections of the file have been scanned.

Abstract: An endpoint system receives a target file for evaluation for malicious scripts. The original content of the target file is normalized and stored in a normalized buffer. Tokens in the normalized buffer are translated to symbols, which are stored in a tokenized buffer. Strings in the normalized buffer are stored in a string buffer. Tokens that are indicative of syntactical structure of the normalized content are extracted from the normalized buffer and stored in a structure buffer. The content of the tokenized buffer and counts of tokens represented as symbols in the tokenized buffer are compared against heuristic rules indicative of malicious scripts. The contents of the tokenized buffer and string buffer are compared against signatures of malicious scripts. The contents of the tokenized buffer, string buffer, and structure buffer are input to a machine learning model that has been trained to detect malicious scripts.

Abstract: A machine learning system includes multiple machine learning models. A target object, such as a file, is scanned for machine learning features. Context information of the target object, such as the type of the object and how the object was received in a computer, is employed to select a machine learning model among the multiple machine learning models. The machine learning model is also selected based on threat intelligence, such as census information of the target object. The selected machine learning model makes a prediction using machine learning features extracted from the target object. The target object is allowed or blocked depending on whether or not the prediction indicates that the target object is malicious.