Patents Examined by Canh Le
  • Patent number: 12137121
    Abstract: A distributed security system includes a plurality of content processing nodes that are located external to a network edge of an enterprise and located external from one of a computer device and a mobile device associated with a user, and a content processing node is configured to monitor a content item that is sent from or requested by the external system; classify the content item via a plurality of data inspection engines that utilize policy data and threat data; and one of distribute the content item, preclude distribution of the content item, allow distribution of the content item after a cleaning process, or perform threat detection on the content item, based on classification by the plurality of data inspection engines; and an authority node communicatively coupled to the plurality of content processing nodes and configured to provide the policy data and the threat data for threat classification.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: November 5, 2024
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Shashidhara Mysore Nanjundaswamy, Amarnath Mullick, Jose Kolenchery Rappel
  • Patent number: 12099603
    Abstract: Systems and methods for detection of domain generated algorithms (DGA) and their command and control (C&C) servers are disclosed. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring a certain set of parameters such as number of levels, length of domain name, lexical complexity, and the like for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of a DGA malware. Domain names identified as being part of a DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from that domain name can be monitored to detect successful resolutions from the same source to see if any of the successful domain resolutions match these parameters. If they match specific thresholds, then the domain is determined to be a C&C server of the DGA malware and may be identified as such.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: September 24, 2024
    Assignee: McAfee, LLC
    Inventors: Neeraj Thakar, Praveen Kumar Amritaluru, Vikas Taneja
  • Patent number: 12099613
    Abstract: A method, computer program product, and computer system for repairing a Dockerfile. Library versions containing initial version numbers of libraries are extracted from the Dockerfile. A Monte Carlo tree search (MCTS) is executed, using the extracted library versions as input, which generates a tree that includes multiple levels populated with nodes. Each node in a level represents the generic library name of a library version in the Dockerfile and an associated randomly selected version number. At least one of the randomly selected version numbers associated with at least one node in a level differs from the initial version number associated with a versionf. A best successful installation path is selected from the at least one successful installation path. The Dockerfile is repaired by inserting randomly selected version numbers into Dockerfile as replacements for some of the initial version numbers.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: September 24, 2024
    Assignee: International Business Machines Corporation
    Inventors: Xiang Yu Yang, Yong Wang, Zhong Fang Yuan, Deng Xin Luo, Ye Wang, Zhi Yong Jia
  • Patent number: 12086806
    Abstract: A method for authenticating an individual for login to a server computer includes receiving at the server computer data for a first authentication image from an electronic computing device. First attributes are identified of one or more similar geometrical shapes from the data for the first authentication image. A determination is made as to whether the first attributes of the one or more similar geometrical shapes from the data for the first authentication image correspond to second attributes from a second authentication image accessible on or by the server computer. When the first attributes correspond to the second attributes, the individual is authenticated on the server computer.
    Type: Grant
    Filed: June 15, 2022
    Date of Patent: September 10, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Rameshchandra Bhaskar Ketharaju, Hemakumar Madabathula, Aditya Kishore Jonnalagadda, Saipavan K. Cherala, Ramanathan Ramanathan
  • Patent number: 12088630
    Abstract: A method including receiving, by a security device from a network device, an initial security instruction set including a plurality of initial security instructions associated with operation of the security device; receiving, by the security device from the network device, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation; and carrying out, by the security device, the network-facing operation based on utilizing the communication information is disclosed.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: September 10, 2024
    Assignee: UAB 360 IT
    Inventors: Aleksandr Ševčenko, Justas Rafanavičius
  • Patent number: 12088629
    Abstract: A method including transmitting, by a network device to a security device, an initial security instruction set including a plurality of initial security instructions; transmitting, by the network device to the security device based on transmitting the initial security instruction set, an event signal associated with the security device carrying out a network-facing operation; transmitting, by the security device to the network device based on receiving the event signal, a security instruction associated with the security device carrying out the network-facing operation, the security instruction being from among the plurality of initial security instructions; translating, by the network device, the security instruction into a host instruction to be executed by the network device; and receiving, by the security device from the network device based on transmitting the security instruction, communication information to enable the security device to carry out the network-facing operation is disclosed.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: September 10, 2024
    Assignee: UAB 360 IT
    Inventors: Aleksandr Ševčenko, Justas Rafanavičius
  • Patent number: 12072962
    Abstract: The present disclosure relates to a method for authenticating a user. The method comprises recording image data of the user and deriving at least one first facial feature of the user's face and at least one first gesture feature of one or more gestures of the user from the image data. The method further provides for determining a degree of access of the user to data depending on whether the first gesture feature corresponds to at least one predetermined second gesture feature and whether the first facial feature corresponds to at least one predetermined second facial feature.
    Type: Grant
    Filed: May 24, 2021
    Date of Patent: August 27, 2024
    Assignee: SONY SEMICONDUCTOR SOLUTIONS CORPORATION
    Inventors: Lev Markhasin, Bi Wang
  • Patent number: 12074886
    Abstract: The system and method disclosed performs entity authentication through identification proofing. A relying party such as a corporation or other type of entity having a secure website, computer network and secure facility working a risk engine can determine the authenticity, validation and verification during registration of a user entity. The identification proofing is integrated with a risk engine. The risk engine is capable of using bio-behavior based information which may be continuously monitored.
    Type: Grant
    Filed: June 12, 2023
    Date of Patent: August 27, 2024
    Assignee: SecureAuth Corporation
    Inventors: Shahrokh Shahidzadeh, Frank Stefan Ulbrich
  • Patent number: 12074901
    Abstract: Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.
    Type: Grant
    Filed: March 2, 2023
    Date of Patent: August 27, 2024
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 12069040
    Abstract: Various systems and methods of establishing and providing credential dependency information in RESTful transactions are described. In an example, accessing credential resource dependencies may be performed by a credential management service (CMS) or other server, with operations including: receiving a request for a credential resource in a Representation State Transfer (RESTful) communication; identifying the credential resource which has a credential path that indicates a dependency associated with a credential; identifying dependency characteristics of the credential resource, based on the dependency; populating the credential resource to include a dependent credential, based on the dependency characteristics; and transmitting the populated credential resource in response to the request.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: August 20, 2024
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 12052223
    Abstract: A network device identifies an Internet Protocol Security (IPsec) tunnel that connects the network device to a remote device and determines that dead peer detection (DPD) is enabled at the network device. The network device receives a first DPD request message from the remote device via the IPsec tunnel, and sends a first DPD response message to the remote device via the IPsec tunnel. The network device determines that a workload of the network device satisfies a threshold amount, and sends one or more encapsulating security payload (ESP) packets that include traffic flow confidentiality (TFC) payload data to the remote device via the IPsec tunnel. The network device determines that the workload of the network device does not satisfy the threshold amount. The network device receives a second DPD request message from the remote device and sends a second DPD response message to the remote device via the IPsec tunnel.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: July 30, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Naresh Chand, Ranjan Sinha
  • Patent number: 12039047
    Abstract: Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: July 16, 2024
    Assignee: AO KASPERSKY LAB
    Inventors: Igor I. Soumenkov, Sergey Y. Golovanov
  • Patent number: 12028329
    Abstract: Disclosed are various approaches for workflow service back end integration. In some examples, a command is transmitted causing a client device to present a workflow action to perform. A user command to perform the workflow action is identified using the client device. Authentication data including user credentials and a navigation action for a visual user interface is identified. The user credentials are transmitted to the network service and an emulation of the navigation action is performed. A command that performs the workflow action is transmitted to the network service.
    Type: Grant
    Filed: February 16, 2022
    Date of Patent: July 2, 2024
    Assignee: VMware LLC
    Inventors: Daniel E. Zeck, David Shaw, Robert Worsnop, John Ryan Bard
  • Patent number: 12015612
    Abstract: In one embodiment, a charm application enables user devices to communicate via physical charms. Upon receiving, from a first user device, a read request that is associated with the physical charm, the charm application identifies a message and an authorization list that are associated with the physical charm and previously received from a second user device. The charm application then determines whether a first user associated with the first user device is authorized to read the message based on the authorization list. If the first user is authorized to read the message, then the charm application transmits the message to the first user device. Notably, each physical charm may be exchanged between any number of users, but only read by authorized users via a user device. Accordingly, user devices may communicate private messages including any type of data with other user devices irrespective of whether technical infrastructures are accessible.
    Type: Grant
    Filed: August 25, 2017
    Date of Patent: June 18, 2024
    Assignee: DISNEY ENTERPRISES, INC.
    Inventors: Michael Goslin, Larra Paolilli, Katherine M. Bassett, Janice Rosenthal
  • Patent number: 12003497
    Abstract: The concepts and technologies disclosed herein are directed to a website verification service. A system can receive, from a web server that hosts a website, a query for a set of authentication credentials (“credentials”) to be used to verify that the website is trustworthy. The system can generate and provide the credentials to the web server. The web server can, in turn, provide the credentials to a web browser device for presentation to a user via a web browser application executing on the web browser device. The system also can provide the credentials to a verifier device. The verifier device can present the credentials to the user via a verifier application executing on the verifier device. The user can compare the credentials presented via the web browser application to the credentials presented via the verifier application executing on the verifier device to determine whether the website can be trusted.
    Type: Grant
    Filed: December 29, 2022
    Date of Patent: June 4, 2024
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Luis Albisu, Manuel Ortiz, Jr., Daniel Solero, Michael Maglione, Katie Alvarez
  • Patent number: 11997076
    Abstract: A system includes an intelligent electronic device (IED) configured to perform operations that include receiving a first user input and deriving a first connectivity association key (CAK) based on the first user input. The system also includes a gateway configured to perform operations that include receiving a second user input, deriving a second CAK based on the second user input, identifying the first CAK of the IED, establishing an adoption link with the IED based on a match between the first CAK and the second CAK, generating a third CAK, and distributing a copy of the third CAK to the IED via the adoption link to establish a MKA connectivity association with the IED.
    Type: Grant
    Filed: August 25, 2020
    Date of Patent: May 28, 2024
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: Colin Gordon, John W. Knapek
  • Patent number: 11985128
    Abstract: Embodiments of the present invention provide computer-implemented methods, computer program products and computer systems. Embodiments of the present invention can monitor user activity for one or more user interactions performed while connected to a Virtual Private Network. Embodiments of the present invention can then identify potential risks associated with a user and respective user interactions. Embodiments of the present invention can then, in response to determining a respective user interaction of the one or more interactions is suspicious, generate a real time risk score for the respective user interaction. Embodiments of the present invention can then, in response to the generated real time risk score exceeding a threshold level of risk for the respective user interaction, initiate a secondary authentication protocol.
    Type: Grant
    Filed: August 19, 2021
    Date of Patent: May 14, 2024
    Assignee: International Business Machines Corporation
    Inventors: Jacob Thomas Covell, Thomas Jefferson Sandridge, Alvin Zhang, Robert Huntington Grant
  • Patent number: 11985134
    Abstract: Systems, computer program products, and methods are described herein for implementing an enhanced authentication framework using Erasable Programmable Read-Only Memory (EPROM) grid pattern recognition.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: May 14, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Sandeep Kumar Chauhan, Shailendra Singh, Santosh Kumar Miryala, Ramarao Gaddam
  • Patent number: 11966468
    Abstract: Examples are disclosed for detecting synthetic online entities that may be used for fraudulent purposes or other purposes. In some aspects, a computing system can generate a data structure that includes nodes and links between the nodes. The nodes can represent online entities and the links can represent geographic associations or transactional associations between pairs of online entities. These associations can be identified from electronic transactions involving the online entities. The computing system can determine, from the links between the nodes, that a degree of connectivity among a subset of the nodes exceeds a threshold connectivity. The degree of connectivity indicates electronic communications involving online entities represented by the subset of the nodes. The computing system can transmit, based on the degree of connectivity exceeding the threshold connectivity, an alert indicating a potential synthetic entity (e.g., potentially fraudulent activity) within the subset of the nodes.
    Type: Grant
    Filed: March 4, 2021
    Date of Patent: April 23, 2024
    Assignee: Equifax Inc.
    Inventors: Stephen Leitner, Mark Burgess, Keith Manthey, Steven Hicklin
  • Patent number: 11962596
    Abstract: A device configured to receive a connection request that includes device authentication credentials and to determine the user device passes authentication in response to identifying a device profile associated with the device authentication credentials. The device is further configured to receive user credentials for a first user and identify a first user identity that corresponds with the user credentials. The device is further configured to establish a first network connection with the user device, to send a token request to the user device, and to receive a token via the first network connection. The device is further configured to identify a second user identity based on the token, to determine the first user identifier matches the second user identifier, and to establish a second network connection for the user device, wherein the network connection enables the user device to access the network.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: April 16, 2024
    Assignee: Bank of America Corporation
    Inventors: Shardul Vasudev Joshi, Abhishek Palahalli Manjunath