Abstract: An anomaly detection device is a device for detecting an anomaly in a mobile body and includes: a type determiner that determines a type of an anomaly detected; a type change determiner that determines whether or not a change has occurred between a type of an anomaly detected last time and a type of an anomaly detected this time; and an anomaly detection log transmitter that transmits an anomaly detection log related to the anomaly detected this time when the change has occurred, and does not transmit the anomaly detection log related to the anomaly detected this time when the change has not occurred.

Abstract: The following relates generally to computer security, and more particularly relates to computer security in a virtual environment, such as a metaverse. In some embodiments, one or more processors: receive a set of known events (e.g., security threats) including event classifications; receive data of layers of the virtual environment; detect events in the data of the layers of the virtual environment; and determine correlations between the events in the data of the layers of the virtual environment. The correlations may be between events in different layers of the virtual environment. The one or more processors may also predict future events by analyzing the detected events.

Abstract: A system and method for improved endpoint detection and response (EDR) in a cloud computing environment configures a resource deployed in a cloud computing environment to deploy thereon a sensor, configured to listen on a data link layer for an event. The method further includes detecting a potential cybersecurity threat on the resource; sending a definition based on the cybersecurity threat to the sensor, wherein the definition includes a logical expression, which when applied to an event produces a binary outcome, and wherein the sensor is further configured to apply the definition to the event; determining that the potential cybersecurity threat is an actual cybersecurity threat in response to the produced binary outcome having a predetermined value; and generating an instruction to perform a mitigation action based on the actual cybersecurity threat.

Abstract: A method is disclosed that includes receiving, at a computing device, an event log including events derived from machine data, and determining a score by comparing an event from the event log with frequent patterns of features. Determining the score includes determining a length of a frequent pattern within the event in the event log and a count of occurrences of the frequent pattern within the events, determining a contribution of the frequent pattern based on the length and the count, determining a penalty for an unmatched feature of the first event based on a cardinality of the events, and averaging the contribution and the penalty to obtain the score. The method further includes issuing an alert identifying the first event as an anomaly using the first score and an anomaly score threshold.

Abstract: An apparatus and method for enhancing cybersecurity of an entity, wherein the apparatus includes at least a processor and a memory containing instructions configuring the at least a processor to receive entity data including cybersecurity related data from an entity, compare the entity data to a cybersecurity metric, generate a cybersecurity enhancement program as a function of the comparison, wherein the cybersecurity enhancement program includes a cyber-attack simulation, and implement the cybersecurity enhancement program for the entity based on the entity data.

Abstract: The embodiments disclose a system and method including a random number generator coupled to the randomized machine learning-based malware detector configured for determining changes of settings and selections of parameters, candidate classifiers integrated with the randomized machine learning-based malware detector and configured to be initiated by a random number to avoid transferable learning, a set of feature combinations for random feature selection including monitoring granularity and detection prediction latency and a random number for identifying a set of feature combinations that minimize the overhead and maintain enough variance in data for baffling the malware adversarial attacks.

Abstract: Technologies are shown for secure token refresh where a client receives a first access token from an authentication service, generates an asymmetric key pair, stores the first access token in association with a private key, and sends a public key to the authentication service. The service stores the public key in association with the first access token. The client sends a refresh token request to the service with the first access token. The service responds with a verification request with proof data. The client signs the proof data with the private key and sends the signed proof data to the service. The service verifies the signed proof data using the public key associated with the first access token, creates a second access token that is stored in association with the public key, and sends the second access token to the client, which stores it in association with the private key.

Abstract: Disclosed herein are system, method, and computer program product embodiments for enabling access to a firmware-locked function of a secure device. A secure device may be production hardware that has locked certain functions not available for public use. In an embodiment, the secure device may receive a request to access a firmware-locked function. The request may include an authorization token that includes an identifier specific to the particular secure device and a permission identifier identifying the firmware-locked function. Based on the receipt of the authorization token, the secure device may retrieve authorization data from the firmware memory of the secure device to determine whether the provided authorization token matches the firmware authorization data. Using the authorization token, the secure device may determine whether to grant access to the firmware-locked function.

Abstract: In one embodiment, a method includes extracting, by a vulnerability scanning tool, a plurality of images from one or more pods running within a cluster. The method also includes determining, by the vulnerability scanning tool, a plurality of unique images from the plurality of images, scanning, by the vulnerability scanning tool, the plurality of unique images in parallel, and detecting, by the vulnerability scanning tool, one or more vulnerabilities within the plurality of unique images in response to scanning the plurality of unique images in parallel. The method further includes determining, by the vulnerability scanning tool, a vulnerability level associated with a pod of the one or more pods and assigning, by the vulnerability scanning tool, the vulnerability level to the pod.

Abstract: A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. In some cases, at least one emulator detection resistance action is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Abstract: In an example there is provided a method for receiving notification of an intrusion event in relation to an application from an intrusion detection system, accessing state data in relation to a state of the application prior to the intrusion event, the state data having been stored on the basis of a change of state of the application, accessing a policy to be applied to the state data in response to the intrusion event, modifying the state data on the basis of the policy, and restoring the application on the basis of the modified state data.

Abstract: The present invention relates to systems and methods for detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines. Upon detection, traffic anomalies can be processed to determine valuable network insights, including health of interfaces, devices and network services, as well as to provide timely alerts in the event of attack.

Abstract: The present disclosure describes systems and methods for using for a simulated phishing campaign, information about one or more situations of a user determined from an electronic calendar of the user, A campaign controller may identify/an electronic calendar of a user for which to direct a simulated phishing campaign, determine one or more situations of the user from information stored in the electronic calendar and select either a template from a plurality of templates or a starting action from a plurality of starting actions for the simulated phishing campaign based at least on the one or more situations of the user. The campaign controller may communicate to one or more devices of the user a simulated phishing communication based at least on the respective template or starting action.

Abstract: Techniques for improving data security and access control at the distributed execution level of distributed computing systems are provided. The techniques can include receiving a data access request from a data processing application to access data, directing the data access request to a security data application, modifying the data access request, executing the modified data access request to obtain data that is responsive to the modified data access request, and providing the obtained data to the data processing application.

Abstract: Disclosed herein are systems and methods for identifying and mitigating Flush-based cache attacks. The systems and methods can include adding a zombie bit to a cache line. The zombie bit can be used to track the status of cache hits and misses to the flushed line. A line that is invalidated due to a Flush-Caused Invalidation can be marked as a zombie line by marking the zombie bit as valid. If another hit, or access request, is made to the cache line, data retrieved from memory can be analyzed to determine if the hit is benign or is a potential attack. If the retrieved data is the same as the cache data, then the line can be marked as a valid zombie line. Any subsequent hit to the valid zombie line can be marked as a potential attack. Hardware- and software-based mitigation protocols are also described.

Abstract: A method and system for certification and authentication of objects is disclosed herein. The method and system use multiple attestations along with digital ledger technology to provide a digital certificate of authenticity for an object such as a work of art, collectible, or a non-fungible token (NFT).

Abstract: An anti-malware computer providing a hardware-centric solution for preventing (or substantially reducing) hacking which cannot be affected by contaminated software. The anti-malware computer is configured with an anti-malware circuit device, Internet regulator devices and an Internet active indicator that facilitate receiving an Internet access request from an Internet regulator device. Responsive to the Internet access request received, establishing an Internet communications link between the anti-malware computer and the Internet and illuminating an Internet active indicator. Monitoring for active Internet activity cessation from the anti-malware computer and if inactive initiating an Internet inactivity timer and counting the total Internet inactivity time. If an Internet inactivity level has been met blocking the Internet communications link between the anti-malware computer and the Internet and deactivating the Internet ready indicator.

Abstract: A computing device monitors for an event trigger by a secure computing module. Based on identifying an event trigger at the computing device, the secure computing module executes a health check according to a configuration identifying operating anomalies that are indicative of malicious activity at the computing device. The health check includes scanning a filesystem and communications module operation and configuration of the computing device for indications of malicious activity. Based on identified operating anomalies at the computing device, the secure computing module determines response measures to secure the computing device. The secure computing module executes the response measures individually or in combination at the computing device based on a response configuration.

Abstract: A blockchain of block entries that can be requested by users from user devices is maintained in a distributed network of nodes. Block entries include a plurality of data portions that are each associated with an access level. A request from an auditor to view one or more data portions of a block entry can includes an access code associated with at least one access level can be evaluated to identify one or more data portions associated with the access level. A customized view of the block entry which includes the one or more data portions associated with the access level can be generated. An artificial intelligence engine can review entries within the distributed ledger, identify earnings information associated with the sales of the commercial inventory, determine tax based on earning information, and pay the tax via fiat or cryptocurrency to government authorities based on earnings information.

Abstract: Mechanisms for analyzing a structured file for malicious content are provided, comprising: parsing the structured file into a plurality of portions; selecting a selected portion of the portions; checking the selected portion to determine if at least one pre-condition is met; and in response to determining that the at least one pre-condition is met: decoding the selected portion to form a decoded portion; and checking the decoded portion to determine if it is malicious. In some embodiments: the at least one pre-condition can be changed; the structured file is a MICROSOFT OFFICE XML file; the selected portion is a file; the at least one pre-condition checks at least one attribute of the selected portion; decoding the selected portion comprises decompressing the selected portion; and/or checking the decoded portion to determine if it is malicious comprises checking whether a previously decoded portion of the structure file meets at least one condition.