Patents Examined by Badri Narayanan
-
Patent number: 12316685
Abstract: A system and method for deploying cybersecurity resources includes sourcing cybersecurity operations data that includes a plurality of distinct datasets derived from a handling of a target cybersecurity event; extracting, from the cybersecurity operations data, at least cybersecurity task feature data relating to a plurality of cybersecurity tasks and metadata, wherein each cybersecurity task of the plurality of cybersecurity tasks includes an identification of an operation executed when handling or the target cybersecurity event and an identification of an operator executing the operation; deriving timestamp data for each operation executed by a respective operator of each respective cybersecurity task of the plurality of cybersecurity tasks instantiating, by computer processors, a cybersecurity event data structure; using entries of the cybersecurity event data structure to compute allocation values for cybersecurity resources for handling impending cybersecurity events; and deploying, within a security ope
Type: Grant
Filed: November 13, 2024
Date of Patent: May 27, 2025
Assignee: Expel, Inc.
Inventors: Jane Hung, Elisabeth Weber
-
Patent number: 11863569
Abstract: Various systems and methods for bus-off attack detection are described herein. An electronic device for bus-off attack detection and prevention includes bus-off prevention circuitry coupled to a protected node on a bus, the bus-off prevention circuitry to: detect a transmitted message from the protected node to the bus; detect a bit mismatch of the transmitted message on the bus; suspend further transmissions from the protected node while the bus is analyzed; determine whether the bit mismatch represents a bus fault or an active attack against the protected node; and signal the protected node indicating whether a fault has occurred.
Type: Grant
Filed: November 17, 2021
Date of Patent: January 2, 2024
Assignee: INTEL CORPORATION
Inventors: Marcio Rogerio Juliato, Shabbir Ahmed, Santosh Ghosh, Christopher Gutierrez, Manoj R. Sastry
-
Patent number: 11799890
Abstract: Disclosed is an improved systems, methods, and computer program products that performs user behavior analysis to identify malicious behavior in a computing system. The approach may be implemented by generating feature vectors for two time periods, performing scoring, and then performing anomaly detection.
Type: Grant
Filed: September 30, 2020
Date of Patent: October 24, 2023
Assignee: Box, Inc.
Inventors: Kave Eshghi, Victor De Vansa Vikramaratne
-
Patent number: 11777984
Abstract: Threats to systems and data captured by such systems can be automatically detected and remediated. Inbound traffic on an enterprise network can be monitored and analyzed to detect a threat based on parameters of the inbound traffic. In response, a patch can be identified or generated to address known or unknown threats based on a comparison of parameters. Once identified or generated, the patch can be conveyed to a target computing resource for deployment to address the threat.
Type: Grant
Filed: September 4, 2020
Date of Patent: October 3, 2023
Assignee: Wells Fargo Bank, N.A.
Inventors: Divakar Sastry Prayaga, Rajasekhar Kode
-
Patent number: 11770396
Abstract: A method, including identifying, in network data traffic, a set of pairs of source and destination nodes, each pair having a given source node, a given destination node, and one or more ports accessed in the traffic between the nodes in each pair, and computing, for each pair, a respective baseline that indicates a first number of the ports that source nodes other than the given source node in the pair accessed on the given destination node during a first period. For each pair, a respective test score is computed that indicates a difference between a second number of the ports that the given source node in the pair accessed on the given destination node during a second period and the baseline, and a preventive action is initiated with respect to the given source node in any of the pairs for which the test score is greater than a threshold.
Type: Grant
Filed: September 2, 2021
Date of Patent: September 26, 2023
Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
-
Patent number: 11763024
Abstract: Systems, methods, and devices are disclosed for cognitive collaboration systems on a hybrid node. A query is received by a virtual assistant running on a public cloud, and it is determined whether the query pertains to data available on a public cloud resource, or the query pertains to data available on a private cloud resource. When it is determined that the query pertains to the data available on the public cloud resource, the query is interpreted by using a first model trained on at least one machine learning technique on data from the public cloud. When it is determined that the query pertains to the data available on the private cloud resource, the query is interpreted by using a second model trained on at least one machine learning technique on the data from the private cloud.
Type: Grant
Filed: November 25, 2020
Date of Patent: September 19, 2023
Assignee: Cisco Technology, Inc.
Inventors: Keith Griffin, Jonathan Rosenberg
-
Patent number: 11722519
Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined.
Type: Grant
Filed: November 8, 2022
Date of Patent: August 8, 2023
Assignee: AIRGAP NETWORKS INC.
Inventors: Ritesh R. Agrawal, Vinay Adavi, Satish M. Mohan
-
Patent number: 11711381
Abstract: A computer-implemented method to automatically identify hotspots in a network graph. The method includes receiving, by a processor, input data, wherein the input data includes a plurality of messages, each message containing a set of message data. The method further includes generating, by a pattern detector, and based on the input data, a network graph, wherein the network graph includes a plurality of nodes. The method also includes determining a first risk indicator for each of the plurality of nodes. The method includes assigning a first weight to the first risk indicator for each of the plurality of nodes. The method further includes identifying a first hotspot in the plurality of nodes, wherein the first hotspot is based on the first weight of the first risk indicator of a first node. The method also includes outputting, by a network interface, the first hotspot and the network graph.
Type: Grant
Filed: October 29, 2020
Date of Patent: July 25, 2023
Assignee: International Business Machines Corporation
Inventors: Srinivasan S. Muthuswamy, Subhendu Das, Mukesh Kumar, Yi-Hui Ma
-
Patent number: 11658953
Abstract: Novel tools and techniques might provide for implementing secure communications for IoT devices. In various embodiments, a gateway or computing device might provide connectivity between or amongst two or more Internet of Things (“IoT”) capable devices, by establishing an IoT protocol-based, autonomous machine-to-machine communication channel amongst the two or more IoT capable devices. For sensitive and/or private communications, the gateway or computing device might establish a secure off-the-record (“OTR”) communication session within the IoT protocol-based, autonomous machine-to-machine channel, thereby providing encrypted machine-to-machine communications amongst the two or more IoT capable devices, without any content of communications that are exchanged amongst the IoT capable devices over the secure OTR communication session being recorded or logged.
Type: Grant
Filed: July 20, 2021
Date of Patent: May 23, 2023
Assignee: CenturyLink Intellectual Property LLC
Inventor: Tom Funk
-
Patent number: 11616798
Abstract: An anomaly detection model is trained to detect malicious traffic sessions with a low rate of false positives. A sample feature extractor extracts tokens corresponding to human-readable substrings of incoming unstructured payloads in a traffic session. The tokens are correlated with a list of malicious traffic features and frequent malicious traffic features across the traffic session are aggregated into a feature vector of malicious traffic feature frequencies. An anomaly detection model trained on feature vectors for unstructured malicious traffic samples predicts the traffic session as malicious or unclassified. The anomaly detection model is trained and updated based on its ongoing false positive rate and malicious traffic features in the list of malicious traffic features that result in a high false positive rate are removed.
Type: Grant
Filed: August 21, 2020
Date of Patent: March 28, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Stefan Achleitner, Chengcheng Xu
-
Patent number: 11356462
Abstract: Aspects of the disclosure relate to detecting and identifying devices at enterprise locations to protect enterprise-managed information and resources. In some embodiments, a computing platform may capture information identifying devices present at a first enterprise location during a malicious event. Then, the computing platform may generate alerts when one of the devices present at the first enterprise location during the malicious event is detected at a second enterprise location. In other embodiments, when such a device is detected at the second enterprise location, an enterprise center monitoring system may generate commands that cause an augmented reality device at the second enterprise location to present one or more augmented-reality user interfaces that include one or more augmented-reality elements identifying a user in possession of the detected device.
Type: Grant
Filed: August 29, 2019
Date of Patent: June 7, 2022
Assignee: Bank of America Corporation
Inventors: Stephen T. Shannon, James Alexander, Brian J. Smith
-
Patent number: 11290483
Abstract: Described are platforms, systems, and methods for providing a threat scenario rule to detect a specified threat scenario use case. In one aspect, a method comprises: receiving, from an interface, a set of threat detection parameters; determining a set of recommended threat identifier use cases from a plurality of threat identifier use cases based on the set of threat detection parameters; providing, to the interface, the set of recommended threat identifier use cases; receiving, from the interface, a threat scenario use case comprising a selection of the set of recommended threat identifier use cases; determining a threat scenario rule comprising logic to detect the threat scenario use case; and providing the threat scenario rule to the interface.
Type: Grant
Filed: April 6, 2021
Date of Patent: March 29, 2022
Assignee: ANVILOGIC, INC.
Inventors: Karthik Kannan, Deb Banerjee, Mackenzie Kyle, Kevin Gonzalez, Jeswanth Manikonda
-
Patent number: 11108818
Abstract: Cybersecurity is enhanced to detect credential spray attacks. Accounts with access failure events are divided into buckets B1 . . . BN based on access failure count ranges R1 . . . RN. For instance, accounts with one logon failure may go in B1, accounts with two failures in B2, etc. Buckets will thus have account involvement extents E1 . . . EN, which are compared to thresholds T1 . . . TN. An intrusion detection tool generates an alert when some Ei hits its Ti. Detection may spot any credential sprays, not merely password sprays. False positives may be reduced by excluding items from consideration, such as logon attempts using old passwords. False positives and false negatives may be balanced by tuning threshold parameters. Breached accounts may be found. Detection may also permit other responses, such as attack disruption, harm mitigation, and attacker identification. Credential spray attack detection may be combined with other security mechanisms for defense in depth of cloud and other network accounts.
Type: Grant
Filed: February 17, 2019
Date of Patent: August 31, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tal Joseph Maor, Gal Zeev Bruchim, Igal Gofman, Itai Grady Ashkenazy
-
Patent number: 11082437
Abstract: Methods and systems are presented for detecting attacks to a computer network based on analyzing access of external script through a web server. When an HTTP request is directed to a web server, the HTTP request is analyzed to determine whether the HTTP request refers to an external network address. External content that includes executable script code may be obtained from an external server based on the external network address. The external script code may be modified to transform the external script code to be inexecutable by a computer. The modified script code may be subsequently stored. The modified script may also be analyzed to determine whether the script is associated with an attack to the web server or an associated computer network.
Type: Grant
Filed: December 17, 2019
Date of Patent: August 3, 2021
Assignee: PayPal, Inc.
Inventor: George Chen Kaidi
-
Patent number: 11063750
Abstract: Systems and methods for secured access to cloud-based applications or services include a service node that may receive a request from client including a URL associated with an application manager. The service node may send a URL prefix identifying a termination to the termination node. The service node may receive a client hello message from the client that includes a first field incorporating the URL prefix, and may send the client hello message to the termination node to initiate a handshake with the client using a wildcard certificate of server, for establishing a SSL channel between the client and the termination node for a session of the application. The service node can direct a communication of the session from the client to the predetermined termination node, for decryption, using the established SSL channel, according to the URL prefix incorporated in a server name indication (SNI) field of the communication.
Type: Grant
Filed: January 28, 2020
Date of Patent: July 13, 2021
Assignee: Citrix Systems, Inc.
Inventors: Keyoor Khristi, Mukul Agarwal, Ravi Ganesh, V, Saurabh Singh, Vishnu Prateek
-
Patent number: 11050793
Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.
Type: Grant
Filed: July 13, 2020
Date of Patent: June 29, 2021
Assignee: Abnormal Security Corporation
Inventors: Sanjay Jeyakumar, Jeshua Alexis Bratman, Dmitry Chechik, Abhijit Bagri, Evan James Reiser, Sanny Xiao Yang Liao, Yu Zhou Lee, Carlos Daniel Gasperi, Kevin Lau, Kai Jing Jiang, Su Li Debbie Tan, Jeremy Kao, Cheng-Lin Yeh
-
Patent number: 11050785
Abstract: Example methods, apparatus, systems and articles of manufacture to implement cooperative mitigation of distributed denial of service attacks originating in local networks are disclosed. An example local network router disclosed herein includes a mitigator to mitigate a distributed denial of service attack detected by an Internet service provider, the distributed denial of service attack associated with network traffic originating from a first device connected to a local network. The example local network router also includes a threat signaling server to identify the first device based on first information received from a threat signaling client of the Internet service provider, the first information describing the distributed denial of service attack. The example threat signaling server is also to transmit second information to notify the threat signaling client of the Internet service provider when the network traffic associated with the distributed denial of service attack has been mitigated.
Type: Grant
Filed: October 8, 2018
Date of Patent: June 29, 2021
Assignee: McAfee, LLC
Inventors: Tirumaleswar Reddy Konda, Harsha R. Joshi, Himanshu Srivastava, Srikanth Nalluri, Dattatraya Kulkarni
-
Patent number: 10931718
Abstract: The present disclosure provides a method and a device for data interception based on Local Break Out (LBO). The method includes: receiving, by a local gateway, an interception request to intercept data of an interception target; intercepting, by the local gateway, LBO data of the interception target based on the interception request, to obtain intercepted data; and transmitting, by the local gateway, the intercepted data. The present disclosure can solve the problem in the related art that an interception target cannot be intercepted in an LBO scenario.
Type: Grant
Filed: March 13, 2017
Date of Patent: February 23, 2021
Inventors: Zhiwei Xiong, Yanguang Wu
-
Patent number: 10917397
Abstract: A first login request for the first service is received at a first server that provides a first service and from a terminal. Device identifier information of the terminal is generated by a hardware processor at the first server. The device identifier information of the terminal is associated, by the hardware processor at the first server, with first login state information. The first login state information indicates that the terminal has logged into the first server. The device identifier information and the first login state information are transmitted to a second server. The second server provides a second service that has a trusted login relationship with the first service.
Type: Grant
Filed: May 27, 2020
Date of Patent: February 9, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Zhizhang Zhou