Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: Techniques are provided for device protection against unauthorized encryption using population of available storage. One method comprises obtaining, in response to an unauthorized encryption of data associated with a processing device, an indication of an amount of available storage space in a storage device associated with the processing device; creating a file to populate the indicated amount of available storage space in the storage device; and writing the created file to the storage device. The unauthorized encryption of data may comprise a ransomware attack. The indicated amount of available storage space in the storage device may comprise an amount of available space in a file system associated with the storage device. The file system may write the created file to the storage device by populating available storage areas of the storage device.

Abstract: The present disclosure relates to an anomaly detection method based on an artificial neural network. The anomaly detection method based on the artificial neural network includes collecting first log data including first user log data and first system log data, and providing the collected first log data to a trained first artificial neural network model to perform anomaly detection for a plurality of users and systems.

Abstract: A system and method utilize machine learning and natural language processing to identify malware DNA of a sample malware. The sample malware is analyzed for text strings using natural language processing, and machine learning models are applied to the text strings to classify the text strings as malware DNA relative to prototype malwares.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment initiates inspection based on data received from a sensor deployed on a workload. The method includes: configuring a resource, deployed in a cloud computing environment, to deploy thereon a sensor, the sensor configured to detect runtime data; detecting a potential cybersecurity threat on the resource based on detected runtime data received from the sensor; and initiating inspection of the resource for the potential cybersecurity threat.

Abstract: A computer-implemented method, computer program product and computing system for: a computer-implemented method is executed on a computing device and includes: obtaining object information concerning one or more initial objects within a computing platform in response to a security event; identifying an event type for the security event; and executing a response script based, at least in part, upon the event type.

Abstract: A method provides a set of computer data statistical profiles derived from a corresponding set of samples of computer data to a ransomware detection system and obtains a prediction of the likelihood of a ransomware attack in the set of samples of computer data. The system utilizes a machine learning system trained to achieve data models, with each model trained initially on a corresponding cluster of curated computer data statistics profiles, each cluster including statistics characterizing a corresponding cluster of curated samples resulting from exposing a selection of raw data samples to processing by actual ransomware. Each model is subject to iterations against initial validation data until performance convergences, with sample sources from the same backups not being present in both training and validation models. The models have been subject to final validation against actual customer data to address data drift that would otherwise result in excessive false predictions.

Abstract: A clientless security system to secure cellular devices across a network in a cloud-based environment. The clientless security system includes a tenant with multiple cellular devices, tunnels for transmitting traffic, and a traffic steering module for directing traffic toward a gateway. The clientless security system further includes gateways to apply policies based on a device profile and an alert generator. The traffic steering module provides a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. The alert generator is also used to notify the tenant of further remediation in case of policy violations.

Abstract: A method and system determine network based access to restricted systems. The method includes receiving a request for a permission access status of a party seeking access to one of the restricted systems. A database of periodically updated lists of entities is accessed. A name of the party is extracted from the request. A determination is made whether the name does not match one of the entities. The name is decomposed into parts if the name not matching one of the entities. A determination is made whether any of the parts of the name matches one of the entities. A denial of access status is forwarded from the computer server to an external computing device if any of the parts of the name matches one of the entities.

Abstract: A method for mitigating the effects of malware is provided. The method includes determining a compressibility of a portion of data, determining a data corruption condition is satisfied based on the determined compressibility, and modifying a retention policy for retention of stored snapshots associated with the portion of data based on the satisfaction of the data corruption condition. The modifying of the retention policy includes generating a first snapshot associated with the portion of the data, prior to writing cached data associated with the portion of the data, writing the cached data associated with the portion of the data, and generating a second snapshot associated with the portion of the data, responsive to the deletion.

Abstract: A method and device for issuing an identity certificate to a blockchain node in a blockchain network includes issuing a first identity certificate to a first terminal. a second identity certificate issuance request that is from the first terminal and that is made by using the first identity certificate is received and a second identity certificate is issued to the first terminal, which forwards the second identity certificate to a second terminal. A third identity certificate issuance request that is from the second terminal and that is made by using the second identity certificate is received and a third identity certificate is issued to the second terminal, which forwards the third identity certificate to a third terminal.

Abstract: A method for handling rogue devices in a wireless communication network includes: detecting an interactive behavior between a user equipment and a network-side device in the wireless communication network; determining whether the user equipment is a rogue device according to the interactive behavior; and transmitting identification information of the determined rogue device to the network-side device, for the network-side device to perform blocking processing on the rogue device.

Abstract: There are provided systems and methods for automated adjustment of security alert components in networked computing systems. An entity, such as an electronic transaction processor for digital transactions, may utilize threat detection within a security information and event management system. The threat detection may implement one or more processes to tune security alerts automatically, which can be done prior to deployment. A security alert may be broken into modular components, which may be run progressively, in increasing sampling numbers, against a set of computing logs to identify hits. The hits are compared to an expected proportion for each modular component to determine whether the modular component is providing proper results. Further, threat detection may utilize a system to obtain justifications for potentially malicious behavior to eliminate false positives. This may be done automatically when detecting suspicious activities.

Abstract: A blockchain of block entries provided to and requested by a plurality of users from endpoints, including user devices, in a distributed network is maintained in a distributed network of nodes. The block entries each comprise a plurality of data portions that are each associated with an access level. A request to view one or more data portions of a block entry is received which includes an access code associated with at least one access level. The access code in the request is evaluated with the blockchain of block entries to identify one or more data portions associated with the access level. A customized view of the block entry is generated which includes the one or more data portions associated with the access level. Enhanced operational efficiency and customer convenience is thereby provided in industries including for the tracking, management, and fulfillment of parking services at a parking facility.

Abstract: A blockchain of block entries that can be requested by users from user devices is maintained in a distributed network of nodes. Block entries include a plurality of data portions that are each associated with an access level. A request from an auditor to view one or more data portions of a block entry can includes an access code associated with at least one access level can be evaluated to identify one or more data portions associated with the access level. A customized view of the block entry which includes the one or more data portions associated with the access level can be generated. An artificial intelligence engine can review entries within the distributed ledger, identify earnings information associated with the sales of the commercial inventory, determine tax based on earning information, and pay the tax via fiat or cryptocurrency to government authorities based on earnings information.

Abstract: A system and method for detecting cybersecurity risk on a resource in a computing environment utilizes static analysis of a cloned resource and runtime data from the live resource. The method includes: configuring a resource deployed in a computing environment to deploy thereon a sensor, the sensor configured to detect runtime data; detecting runtime data from the sensor of the resource; generating an inspectable disk based on an original disk of the resource; initiating inspection based on the detected runtime data for a cybersecurity object on the inspectable disk; detecting the cybersecurity object on an inspectable disk; and initiating a mitigation action on the resource.

Abstract: A key management system for providing encryption of a disk in a client device is provided. The system comprises a trusted platform module (TPM) having a first fragment of a key, a remote storage having a second fragment of the key, and a processing unit to partially boot instructions relating to booting of the client device, send a request for validation to the TPM, receive the first fragment of the key from the TPM on successful validation, request for the second fragment of the key with credentials to access the remote storage. The credentials and a network of the request are verified, the second fragment of the key is transmitted on successful validation. The first fragment and the second fragment of the key are combined to generate an encryption key for booting the client device. The first fragment of the key and the second fragment of the key are rotatable.

Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second subscore and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.

Abstract: The encrypted data analysis device includes a sorting unit that sorts by [Time Information] and then sorts by [User ID] an encrypted data set group including a plurality of encrypted data sets, each of the plurality of encrypted data sets including a [Location ID], the [User ID], and the [Time Information], an encoding unit that generates a [Flow], and encoding the [Location ID] extracted, and an equal sign determination unit that determines whether a [User ID] and another [User ID] adjacent to each other are equal, and when not equal, replaces a corresponding [Flow] with a [predetermined value that represents invalid].

Abstract: The present disclosure involves systems, software, and computer implemented methods for integrated data privacy services. An example method includes determining, by a data privacy integration service, a condition that has occurred from performing a data privacy integration protocol that indicates that a first object is to be redistributed to applications in a multiple-application landscape. Application responder group configurations are identified that group the applications into multiple redistribution responder groups for performing redistribution operations for an object type of the first object in response to redistribution requests. A redistribution command to redistribute the first object is sent to each application in a first redistribution responder group.