Abstract: A network security device has a local area network (LAN) interface and a wide area network (WAN) interface, with a capability to route packets of a network connection along a fast path that bypasses a network stack of an operating system of the network security device. A packet of a network connection that is received at the LAN interface is routed to a virtual network interface. A packet inspector reads the packet from the virtual network interface, inspects the packet, and writes the packet back to the virtual network interface after inspection. The packet is routed from the virtual network interface to the WAN interface, and exits the WAN interface towards the destination network address of the packet. After inspecting one or more packets of the network connection, subsequently received packets of the network connection are routed along the fast path.

Abstract: A system for evaluating files for cyber threats includes a machine learning model and a locality sensitive hash (LSH) repository. When the machine learning model classifies a target file as normal, the system searches the LSH repository for a malicious locality sensitive hash that is similar to a target locality sensitive hash of the target file. When the machine learning model classifies the target file as malicious, the system checks if response actions are enabled for the target file. The system reevaluates files that have been declared as normal, and updates the LSH repository in the event of false negatives. The system disables response actions for files that have been reported as false positives.

Abstract: A cybersecurity server receives an executable file to be classified. A call graph of the executable file is generated. Functions of the executable file are represented as vertices in the call graph, and a vertex value is generated for each vertex. The vertex values are arranged in traversal order of the call graph to generate a call graph pattern. A digest of the call graph pattern is calculated and compared to one or more malicious digests.

Abstract: One embodiment disclosed relates to a system for managing data for logistics, sourcing and/or production. The system includes: a private blockchain maintained by a first network of nodes; a trusted public blockchain maintained by a second network of nodes; a private agent system; and a bridge system connected to both the private blockchain and the public blockchain. The private agent system operates to extract blocks of metadata from the private blockchain and utilize a hash tree structure to generate a first root hash value from the blocks of metadata. The bridge system operates to verify the first root hash value and store the first root hash value as a notarized data certificate in the trusted public blockchain. Another embodiment disclosed relates to a method for data certificate notarization utilizing a bridging system from a private blockchain to a trusted public blockchain. Other embodiments and features are also disclosed.

Abstract: A global locality sensitive hash (LSH) database stores global locality sensitive hashes of files of different private computer networks. Each of the private computer networks has a corresponding local LSH database that stores local locality sensitive hashes of files of the private computer network. A target locality sensitive hash is generated for a target file of a private computer network. The global and local LSH databases are searched for a locality sensitive hash that is similar to the target locality sensitive hash. The target file is marked for further evaluation for malware or other cybersecurity threats when the target locality sensitive hash is not similar to any of the global and local locality sensitive hashes.

Abstract: One embodiment disclosed relates to a system for detecting anomalous messaging, discovering compromised accounts, and generating responses to threatened attacks. The system utilizes API commands and log forwarding for interaction and communication between a messaging and account hunting platform, other hunting platforms, an action center, and a security operations center. Another embodiment relates to a method of, and system for, performing a complete root cause analysis. Another embodiment relates to a method of, and system for, anomaly discovery which may advantageously utilize reference data to correlate different anomalies for reporting as a single incident.

Abstract: One embodiment of the presently-disclosed invention relates to an intrusion prevention system that includes a plurality of FPGA instances and a plurality of compute instances in a cloud network. The plurality of FPGA instances perform pre-processing that determines whether data packets received from the network gateway are associated with suspicious flows. The data packets associated with the suspicious flows are communicated from the plurality of FPGA instances to a plurality of compute instances in the cloud network. The plurality of compute instances perform post-processing that determines whether a suspicious flow is malicious. Other embodiments, aspects and features are also disclosed.

Abstract: An intrusion prevention system includes a machine learning model for inspecting network traffic. The intrusion prevention system receives and scans the network traffic for data that match an anchor pattern. A data stream that follows the data that match the anchor pattern is extracted from the network traffic. Model features of the machine learning model are identified in the data stream. The intrusion prevention system classifies the network traffic based at least on model coefficients of the machine learning model that are identified in the data stream. The intrusion prevention system apples a network policy on the network traffic (e.g., block the network traffic) when the network traffic is classified as malicious.

Abstract: A computer network includes a camera node, a network access node, a verification node, and a display node. Video content recorded by a camera at the camera node is transmitted to the display node and to the verification node for verification. The video content is verified at the display node and at the verification node. Recording metadata of the video content is stored in a distributed ledger and retrieved by the display node to verify the video content. The verification node receives, from the network access node, verification data for verifying the video content.

Abstract: Examples relate to extracting data from network communications. In one example, a programmable hardware processor may: receive a first set of network packets; store each network packet included in the first set in a first storage device; identify, from each network packet included in a subset of the first set of network packets, data included in the network packet, the data meeting at least one condition defined by first programmable logic of the programmable hardware processor; and for each network packet included in the subset: extract, from the network packet, data of interest; and store, in a second storage device, i) the extracted data of interest, and ii) an identifier associated with the network packet.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: A cybersecurity server receives an executable file. The executable file is disassembled to generate assembly code of the executable file. High-entropy blocks and blocks of printable American Standard Code for Information Interchange (ASCII) characters are removed from the assembly code. Instructions of the assembly code are normalized, chunked, and merged into a data stream. The digest of the data stream is calculated using a fuzzy hashing algorithm. The similarity of the digest to a malicious digest is determined to evaluate the executable file for malware.

Abstract: In one embodiment, a network security device monitors network communications between a computer and another computer. A periodicity of transmissions made by one computer to the other computer is determined, with the periodicity being used to identify candidate time point pairs having intervals that match the periodicity. A graph is constructed with time points of the candidate time point pairs as nodes and with intervals of time point pairs as edges. A longest path that continuously links one time point to another time point on the graph is compared to a threshold length to verify that the transmissions are periodic, and are thus potentially indicative of malicious network communications.

Abstract: A network device has a Local Area Network (LAN) port and several Wide Area Network (WAN) ports. The network device detects a computing device that is connected to the LAN port initiating establishment of a TCP connection. The network device creates a TCP socket that establishes the TCP connection with the computing device and inspects TCP packets on the TCP connection to identify a cloud application associated with the TCP packets. The network device creates another TCP socket that establishes a TCP connection to the identified cloud application by way of a WAN port that is designated to be an output port for the identified cloud application. A routing path is created between the LAN port and the designated WAN port. Subsequent TCP packets originated by the computing device for the identified cloud application are forwarded along the routing path.

Abstract: In one embodiment, local begin and end tags are detected by a network security device to determine a local context of a network traffic flow, and a local feature vector is obtained for that local context. At least one triggering machine learning model is applied by the network security device to the local feature vector, and the result determines whether or not deeper analysis is warranted. In most cases, very substantial resources are not required because deeper analysis is not indicated. If deeper analysis is indicated, one or more deeper machine learning model may then be applied to global and local feature vectors, and regular expressions may be applied to packet data, which may include the triggering data packet and one or more subsequent data packets. Other embodiments, aspects and features are also disclosed.

Abstract: Examples relate to providing hierarchical classifiers. In some examples, a superclass classifier of a hierarchy of classifiers is trained with a first type of prediction threshold, where the superclass classifier classifies data into one of a number of subclasses. At this stage, a subclass classifier is trained with a second type of prediction threshold, where the subclass classifier classifies the data into one of a number of classes. The first type of prediction threshold of the superclass classifier and the second type of prediction threshold of the subclass classifier are alternatively applied to classify data segments.

Abstract: A method for determining which web page among multiple candidate web pages is similar to a given web page. For each candidate web page, a set of scoring rules is provided to score the components therein. When the given web page is compared against a candidate web page, each component that is found in both the given web page and the candidate web page under examination is given a score in accordance with the set of scoring rules that is specific to that web page under examination. A composite similarity score is computed for each comparison between the given webpage and a candidate web page. If the composite similarity score exceeds a predefined threshold value for a comparison between the given webpage and a candidate web page, that candidate web page is deemed the web page that is similar.

Abstract: A smart home includes Internet of things (IOT) devices that are paired with an IOT gateway. A backend system is in communication with the IOT gateway to receive IOT operating data of the IOT devices. The backend system generates a machine learning model for an IOT device. The machine learning model is consulted with IOT operating data of the IOT device to detect anomalous operating behavior of the IOT device. The machine learning model is updated as more and newer IOT operating data of the IOT device are received by the backend system.

Abstract: Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for a least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.

Abstract: The presently-disclosed solution provides an innovative system and method to protect a computer user from a phishing attack. Computer vision is effectively applied to match identifiable key information in suspect content against a database of identifiable key information of legitimate content. In one embodiment, the presently-disclosed solution converts suspect content to a digital image format and searches a database of logos and/or banners to identify a matching logo/banner image. Once the matching logo/banner image is found, the legitimate domain(s) associated with the matching logo/banner image is (are) determined. In addition, the presently-disclosed solution extracts all the URLs (universal resource links) directly from the textual data of the suspect content and further extracts the suspect domain(s) from those URLs. The suspect domain(s) is (are) then compared against the legitimate domain(s) to detect whether the suspect content is phishing content or not.