Patents Examined by Afaq Ali
  • Patent number: 11973779
    Abstract: Aspects of the disclosure relate to monitoring a computing network to determine data exfiltration. A computing platform may use time-series modeling to determine anomalous network activity with respect to outgoing data. Additional aspects of this disclosure relate to analysis of web activities associated with a user to determine compromised user accounts/devices. The computing platform may use domain categorization to determine if web activity associated with a user is anomalous.
    Type: Grant
    Filed: May 11, 2021
    Date of Patent: April 30, 2024
    Assignee: Bank of America Corporation
    Inventors: Kenneth A. Kaye, Nikhil Sanil, Dipika Joshi, Colin Murphy, Satyanarayana R. Mandapati
  • Patent number: 11972015
    Abstract: Removal of PII is provided. Sensor data is captured using sensors of a vehicle. Object detection is performed on the sensor data to create a semantic labeling of objects in the sensor data. A model is utilized to classify regions of the sensor data with a public or private labeling according to the semantic labeling and a PII filter corresponding to a jurisdiction of a current location of the vehicle. The sensor data is utilized in accordance with the public or private labeling.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: April 30, 2024
    Assignee: Ford Global Technologies, LLC
    Inventors: David Michael Herman, Gregg William Byrne, Akshay Vaidya
  • Patent number: 11968206
    Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.
    Type: Grant
    Filed: September 15, 2023
    Date of Patent: April 23, 2024
    Assignee: Magic Labs, Inc.
    Inventors: Fei-Yang Jen, Yi Wei Chen, Jaemin Jin, Hanyu Xue, Wentao Liu, Shang Li
  • Patent number: 11954208
    Abstract: A method for a system for security evaluation includes working one state at a time; identifying primitives of interest and systematically applying relevant attacks for the system; starting at chip level, working through states, and then expanding a system boundary and repeating; following a sequence of: chip>circuit card>subsystem>system>platform for a product solution under analysis; determining if a system definition has sufficient detail, or is too abstract; for a chip with a native secure boot protocol, determining if all players are represented; representing attacks as vectors made up of measurements of the following attributes: Dollars, days, Probability of success, Probability of destruction, technology node, and number of samples; and representing countermeasures as vectors made up of scaling factors for each of attack attributes.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: April 9, 2024
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Sheldon L. Grass, Alfreda M. DeLong, Jonathan P Ingraham, Noel A. Zenga
  • Patent number: 11949657
    Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: April 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
  • Patent number: 11947637
    Abstract: Systems, apparatuses, and methods are described for preauthorizing a batch of access rights licenses, e.g., Digital Rights Management (DRM) licenses, and storing them at a location. The preauthorization may be based on predicting a batch of content items to be viewed. The location may be a content server or a user device. After receiving a request from the user device to play back a content item of the batch of predicted content items, the DRM license may be provided from the storage location instead of performing an authorization operation to obtain one from a DRM server. Providing the DRM license from the storage location may take less time than performing the authorization operation to obtain the DRM license from the DRM server.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: April 2, 2024
    Assignee: Comcast Cable Communications, LLC
    Inventor: Walter Sturm
  • Patent number: 11936667
    Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: March 19, 2024
    Assignee: Darktrace Holdings Limited
    Inventor: Carl Joseph Salji
  • Patent number: 11924209
    Abstract: A computer system controls access to network devices. One or more user interface elements associated with one or more network devices that are within a view of a user are displayed to the user via an augmented reality display. Input from the user is received comprising instructions to execute a command at a network device of the one or more network devices. The user is determined, according to a security policy, to be authorized to execute the command at the network device. In response to determining that the user is authorized to execute the command, the command is executed at the network device. Embodiments of the present invention further include a method and program product for controlling access to network devices in substantially the same manner described above.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: March 5, 2024
    Assignee: International Business Machines Corporation
    Inventors: Dinesh Kumar B, Sarbajit K. Rakshit, Shubjit Naik, Srivatchsan Uthamanathan
  • Patent number: 11924225
    Abstract: An information processing apparatus connected to one or more vehicles and a threat information server storing pieces of threat information. The information processing apparatus includes: a processor; and a memory including at least one set of instructions that, when executed by the processor, causes the processor to perform: obtaining a detection result of an attack on one of the vehicles; (a) determining whether the attack is included in any one of the pieces of threat information; (b) when the attack is included therein, determining whether the resolution state to the attack included in the one of the pieces of threat information indicates that the attack has not been resolved or has been resolved; (c) deciding a processing priority level of the attack, based on a determination result in (a) and a determination result in (b); and (d) outputting the processing priority level decided.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: March 5, 2024
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Hajime Tasaki, Takamitsu Sasaki
  • Patent number: 11907342
    Abstract: In some aspects, a user device may detect an authentication event associated with unlocking the user device. The user device may determine, based at least in part on sensor data from a sensor of the user device, an environmental context of the user device. The user device may select, from a plurality of authentication functions of the user device, an authentication function based at least in part on the environmental context of the user device. The user device may activate an authentication component that is associated with the authentication function to authenticate a user in association with unlocking the user device. Numerous other aspects are provided.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: February 20, 2024
    Assignee: QUALCOMM Incorporated
    Inventors: Russell Gruhlke, Naga Chandan Babu Gudivada, Vishnu Vardhan Kasilya Sudarsan, Sumeet Kumar Sahu, Ravishankar Sivalingam
  • Patent number: 11895132
    Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, of an indication that the computing device had been compromised by command and control malware.
    Type: Grant
    Filed: November 23, 2022
    Date of Patent: February 6, 2024
    Assignee: Bank of America Corporation
    Inventors: Steven Sinks, Jonathan Sheedy
  • Patent number: 11882131
    Abstract: A URL velocity monitor is integrated with a message-hold decision maker of an electronic mail processing system that processes electronic messages for a protected computer network. The URL velocity monitor receives or obtains a URL, decomposes the URL into URL features based on logical boundaries, and determines features of interest from the URL features for velocity tracking. Examples of URL features can include a randomized URL segment. The velocity of each feature of interest is tracked over a period of time using a counting algorithm that employs a slow counter or a fast counter. The two different counters track two types of velocities which represent different domain behaviors targeting the protected computer network. The URL velocity monitor determines whether the velocity of a feature of interest is accelerating within the time period. If so, the URL is placed in a queue or a sandbox.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 23, 2024
    Assignee: Proofpoint, Inc.
    Inventors: Gregory Lee Wittel, Edward Pavlov
  • Patent number: 11863573
    Abstract: Techniques are disclosed relating to systems, methods, and non-transitory computer readable media for improved cybersecurity intelligence using custom trigger events. One system may include a non-transitory memory configured to store at least threat model data; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, over a communications network, the at least one custom trigger event for a threat model which identifies a cybersecurity threat; determining whether the cybersecurity threat triggers the performance of the orchestrated response based on the custom trigger event; and launching, when the cybersecurity threat triggers the performance of the orchestrated response, a first application and a second application of the plurality of applications of the orchestrated response.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: January 2, 2024
    Assignee: ThreatConnect, Inc.
    Inventor: Danny Tineo
  • Patent number: 11856015
    Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.
    Type: Grant
    Filed: June 24, 2021
    Date of Patent: December 26, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Roy Levin, Andrey Karpovsky
  • Patent number: 11847194
    Abstract: A scheduling method and apparatus, a device and a storage medium, which relate to fields of big data, cloud computation, artificial intelligence, intelligent authentication and intelligent scheduling. A specific implementation includes: acquiring an authentication request that indicates to-be-authenticated information; determining an authentication strategy group required by an authentication processing procedure of the to-be-authenticated information, wherein the authentication strategy group is determined based on an authentication dependency relationship between authentication strategies and comprises at least two authentication strategies; and calling the authentication strategies in the authentication strategy group in parallel, and performing authentication processing on the to-be-authenticated information in parallel, to obtain an authentication processing result corresponding to the authentication strategy group.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: December 19, 2023
    Assignee: Baidu Online Network Technology (Beijing) Co., Ltd.
    Inventors: Yidi Zhao, Xiuhui Zhao, Zhucheng Guo, Pengfei Gui, Guangyong Xu, Zenglin Song
  • Patent number: 11848941
    Abstract: A method is provided for collecting diagnostic information in a device having a rich execution environment (REE) and a secure element (SE). The method includes detecting initialization of the device. If it is determined that the initialization of the device was a result of a potential security related event, a communication component of the REE responsible for communicating with the secure element is activated if not already activated. The secure element sends a request to the communication component for diagnostic information related to the security event. The diagnostic information is received in the SE from the communication component and stored in an attack log for storing security events. An attack log is generated in the secure element including the potential security event and the related diagnostic information. The attack log and the related diagnostic information are communicated to a secure server via a secure channel.
    Type: Grant
    Filed: September 2, 2020
    Date of Patent: December 19, 2023
    Assignee: NXP B.V.
    Inventors: Kunyan Liu, Viral Madhukar Shah
  • Patent number: 11838301
    Abstract: The disclosure herein describes a system and method for predictive identification of breached entities. Identification number and expiration date pairs associated with compromised records in a source file are analyzed to identify a set of candidate entities having records at least partially matching the source file data pairs having events occurring during a selected time period. Probability vectors are calculated for records associated with each identified entity. A divergence value is calculated which represents a distance between probability distribution vectors for each entity and probability distribution vectors for the source file. A predicted breached entity is identified based on the divergence values. The predicted breached entity is notified of the predicted breach. The notification can include an identification of the breached entity, identification of breached records, predicted time of breach, and/or a recommendation to take action to mitigate the predicted breach.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: December 5, 2023
    Assignee: Mastercard International Incorporated
    Inventors: Sonali Syngal, Kanishk Goyal, Suhas Powar, Ankur Saraswat, Debasmita Das, Yatin Katyal
  • Patent number: 11818120
    Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.
    Type: Grant
    Filed: December 30, 2022
    Date of Patent: November 14, 2023
    Assignee: Magic Labs, Inc.
    Inventors: Fei-Yang Jen, Yi Wei Chen, Jaemin Jin, Hanyu Xue, Wentao Liu, Shang Li
  • Patent number: 11811807
    Abstract: Conditionally initiating a security measure in response to an estimated increase in risk imposed related to a particular user of a computing network. The risk is determined using a rolling time window. Accordingly, sudden increases in risk are quickly detected, allowing security measures to be taken quickly within that computing network. Thus, improper infiltration into a computing network is less likely to escalate or move laterally to other users or resources within the computing network. Furthermore, the security measure may be automatically initiated using settings pre-configured by the entity. Thus, the security measures go no further than what the entity instructed, thereby minimizing risk of overreaching with the security measure.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: November 7, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itay Argoety, Michael Shlomo Navat, Idan Yehoshua Hen, Efrat Reef Guttman
  • Patent number: 11792228
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: October 17, 2023
    Assignee: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz