Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.

Abstract: In an embodiment, a statistical approach for augmenting signature detection in a Web application firewall includes receiving a new request including a parameter in a uniform resource identifier (URI), tokenizing the new request, and determining a compound probability that tokens in a value that is associated with the parameter of the URI and that is included in the new request are associated with an attack. The compound probability is determined based at least in part on component probabilities of tokens of historical values associated with the parameter of the URI.

Abstract: A method for providing a trusted service to a trusted execution environment running on a remote host machine includes receiving a message from the trusted execution environment and incrementing a counter of the trusted service. A response message is sent to the trusted execution environment using a value of the incremented counter.

Abstract: A method for processing data of an analytical instrument for analyzing biological samples is presented. The method comprises receiving instrument data from the analytical instrument at a data processing module communicatively connected with the analytical instrument, generating metadata from the received instrument data at the data processing module, applying a first encryption to the instrument data at the data processing module, applying a second encryption to the generated metadata at the data processing module, and transmitting the encrypted metadata and encrypted instrument data to a remote server. The remote server and the data processing module are communicatively connected. The method also comprises removing the second encryption from the metadata at the remote server and forwarding the instrument data encrypted by the first encryption from the remote server to a management system of the analytical instrument.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: A method for performing cyber-security analysis includes storing a semantic graph with nodes representing monitored computer-based entities, and edges representing monitored relationships. Each edge has an associated tally. A set of threat scores associated with multiple computer-based entities is stored in the memory. The semantic graph is updated in response to receiving event data. The updating includes decomposing the event data into a set of entities and a set of associated relationships, updating the tally of one of the edges based on the set of relationships, modifying an alert attribute of a monitored computer-based entity when the event data includes an applicable alert, and modifying a threat score of at least one computer-based entity based on the event data when the event data includes an applicable alert, to define a set of modified threat scores. The updated semantic graph is monitored for cyber-security risks within the multiple computer-based entities.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise an analytic server, which improves the cybersecurity of a unified system comprising a plurality of sub-systems. The analytic server may instantiate a sub attack tree for each network sub-system within the unified system of distributed network infrastructure. The analytic server may access the sub attack trees of the network sub-systems based on the corresponding identifiers. The analytic server may build a high-level attack tree of the unified system by aggregating the sub attack tree of each sub-system. The analytic server may determine how the interconnection of the plurality of network sub-systems may affect the unified system security. The analytic server may update one or more nodes of the attack tree to reflect the changes produced from the interconnection. The analytic server may build the attack tree based on a set of aggregation rules.

Abstract: Methods and systems are described for implementing automated controls assessment through an application programming interface (“API”) driven software development kit. For example, the system may receive a response from an API-based agent to an automated controls assessment audit. The system may process the response, using a library of reusable features for controls assessment audits for a plurality of computer domains, to generate a result of the automated controls assessment audit. The system may then generate an outcome of the first automated controls assessment audit.

Abstract: A system and method for accelerated anomaly detection and replacement of an anomaly-experiencing machine learning-based ensemble includes identifying a machine learning-based digital threat scoring ensemble having an anomalous drift behavior in digital threat score inferences computed by the machine learning-based digital threat scoring ensemble for a target period; executing a tiered anomaly evaluation for the machine learning-based digital threat scoring ensemble that includes identifying at least one errant machine learning-based model of the machine learning-based digital threat scoring ensemble contributing to the anomalous drift behavior, and identifying at least one errant feature variable of the at least one machine learning-based model contributing to the anomalous drift behavior; generating a successor machine learning-based digital threat scoring ensemble to the machine learning-based digital threat scoring ensemble based on the tiered anomaly evaluation; and replacing the machine learning-based di

Abstract: Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.

Abstract: Systems, methods, and computer-readable media for determine a neighborhood graph can include the following processes. A neighborhood graph system generates a neighborhood graph for a plurality of nodes in an enterprise network, the neighborhood graph representing a multi-hop connections between any two nodes of the plurality of nodes. A security score service determines a security score for each of the plurality of nodes to yield a plurality of scores. The neighborhood graph system updates the neighborhood graph of the plurality of nodes using the plurality of scores to provide a visual representation of securities of the plurality of nodes relative to each other.

Abstract: An electronic component includes a processor and a memory. The electronic component has a secure platform capable of storing at least one dual key pair and a corresponding digital signature. There is also a system including a host machine and an electronic component capable of being operated by the host machine. The electronic component has a processor, a memory, and a secure platform capable of storing at least one dual key pair and a corresponding digital signature. Another aspect describes a method, which includes reading a public key from an electronic component by a host machine, verifying the public key against a stored key in the host machine, digitally signing data using a private key from the electronic component, verifying the signed data against the stored key, and using the electronic component by the host machine only if the signed data and the public key are verified.

Abstract: Identifying network applications using images generated from payload data and time data. In some embodiments, a method may include capturing target payload data and target time data from a target flow of network packets between a target client application and a target server application, generating a target image from the target payload data and the target time data, and determining, based on the target image, an output including an extent to which the target image matches one of a plurality of predetermined images in order to determine a likelihood that the target client application and/or the target server application matches one of a plurality of predetermined client applications and/or one of a plurality of predetermined server applications.

Abstract: Systems and methods for sharing authentication between applications include receiving a request to share authentication from a first application with a second application. An account identifier and identity token for a user are obtained from the first application. Access to a communication application associated with the account identifier is verified as available. The account identifier and identity token are sent to a second application server for verification with a first application server. A verification message is received in the communication application from the second application server. The verification message is determined to contain confirmation information and authentication is shared from the first application with the second application. Related systems and methods include retrieving information associated with an operating system to facilitate sharing authentication between applications.

Abstract: Systems, devices, and methods are disclosed for exchanging electronic information over a communication network and, more specifically, to authenticating and verifying data integrity between two or more interacting users exchanging information. A client computing device generates a split secret that is transmitted to a server via two distinct communication channels. The split secret is generated based on a public key of a public-private key pair generated by the client computing device based on a unique identifier. Validity of the public key can authenticate source identity.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Disclosed are various examples for enforcing network access permissions on applications that are installed on a client device. A network whitelist or network blacklist can be deployed by a management service onto a managed client device. A management component can facilitate enforcement of the whitelist and/or blacklist to enforce network access rules on installed applications.

Abstract: A client device is configured to receive user-input and provide user-output to a client-user. A service provider is configured to serve a network-provided service for authorized users. An identity provider is configured to: maintain authorization information for the network-provided service and generate a permission-object that i) specifies that the client-user is an authorized user of the network-provided service and ii) may include an access-override field that specifies a network address of a remote browser isolation (RBI) host. The system also includes the RBI host configured to access the network-provided service; run the network-provided service in an isolation environment to generate a graphic user interface (GUI); provide a visual reproduction of the GUI to the client device; receive browser-input from the client device; and apply the browser-input to the running network-provided service.

Abstract: Flexible authentication technologies customized to particular tenants of a data center network can be implemented. For example, an administrator can specify a primary authentication server and specify at which data centers different applications are to be hosted for a given tenant. End users can be shielded from the complexities of implementing such configuration details. For example, single sign-on authentication can be implemented, even when applications are configured to be hosted in different data centers. Enterprise tenants can thus control where applications are hosted and enforce data containment scenarios without encumbering users with additional tasks. Collaboration and application-to-application authentication can be achieved.

Abstract: One embodiment of the disclosure relates to a method of transferring game data of a user stored in association with a first user identification information on a first platform to a second platform by executing computer readable instructions by one or more computer processors. The first user identification information is used to identify the user on the first platform and a second user identification information is used to identify the user on the second platform. The method includes a step of generating link data that associates the first user identification information with the second user identification information included in the identification code read by a first client device, and a step of identifying the game data based on the second user identification information and the link data and providing a game to the second client device by using the game data.