Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which provides a secure data transport service (SecureX) for data packets traversing from an end user device (EUD) to a mission network over untrusted networks. The disclosed SecureX module may be software product running on the EUD and on a SecureX appliance fronting the mission network. The SecureX module on the EUD compresses the data packets by removing header fields that are constant over the same packet flow and double encrypts the data packets with different cryptographic keys. The SecureX on the EUD transmits the double compressed encrypted data packets over the untrusted network. The SecureX appliance receives the double compressed encrypted data packets, decrypts the data packets and decompresses the data packets to recreate the original data packets. The SecureX appliance transmits the original data packets to the mission network.

Abstract: A machine learning model is scanned to detect actual or potential threats. The threats can be detected before execution of the machine learning model or during an isolated execution environment. The threat detection may include performing a machine learning file format check, vulnerability check, tamper check, and stenography check. The machine learning model may also be monitored in an isolated environment during an execution or runtime session. After performing a scan, the system can generate a signature based on actual, potential, or absence of detected threats.

Abstract: A system includes a set of adapter interfaces, a router module, and a processor. Each adapter interface is assigned to a different level of security. The router module sends requests to the adapter interfaces, based on the security levels associated with the devices that submitted the requests. A first adapter interface establishes a first connection to the servers, providing access to a first zone. A second adapter interface establishes a second connection to the servers, providing access to a second zone. The first zone includes a set of resources assigned to the first level of security that is not included in the second zone. Each adapter interface further receives data and applies different levels of security to the data, based on the security levels associated with the devices that submitted the data.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to allow for the mitigation of ransomware. For example, the system can determine that an application begins to execute, determine that the application attempts to modify a file, determine a file type for the file, and create a security event if the application is not authorized to modify the file type. In another example, the system determines an entropy value between the file and the attempted modification of the file, and create a security event if the entropy value satisfies a threshold or determine a system entropy value that includes a rate at which other files on the system are being modified by the application, and create a security event if the system entropy value satisfies a threshold.

Abstract: Configuration discrepancies, such as server drift among different servers or malicious code installed on one or more servers, can be identified using system attribute information regarding processes, CPU usage, memory usage, etc. The system attribute information can be used to generate an image, which can be compared to other images to determine if a configuration discrepancy exists. Image recognition algorithms can be used to facilitate image comparison for different systems. By identifying configuration discrepancies, downtime and other issues can be mitigated and system performance can be improved.

Abstract: Applications executing on phones, tablets and other client devices can be designed to authenticate with network services, but reliably identifying a client device that is not previously known to the service can be difficult. A television receiver or other trusted device that is previously known to the service, however, can act as an intermediary for initially delivering the client's identifying data to the authentication service. After the authentication service has received reliable identifying information about the client from another trusted device, the service is able to directly authenticate the client device in subsequent transactions by requesting and verifying receipt of the same secret identifier.

Abstract: This document described a module and method for monitoring systems of a host device for anomalous activities or security weaknesses. The module is configured to passively monitor the content contained within the main memory of the host device and data received by hardware components in the host device for anomalies or security weaknesses. When such anomalies are detected, the module will then initiate countermeasures to prevent the anomalies from affecting the host device and/or any storage/peripheral devices linked to the host device.

Abstract: A vehicle computer system includes one or more sensors configured to receive input regarding a vehicle's environment, and a controller in communication with the one or more sensors of the vehicle. The controller is configured to identify a cyber-attack on one or more vehicle controllers in the vehicle, and respond to the cyber-attack based upon at least the vehicle environment.

Abstract: The present disclosure relates to methods and apparatus for flexible, security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.

Abstract: Methods and devices for distributing and receiving content are provided. In one example aspect, a method comprises: receiving a command on a first electronic device to output content at an output device associated with a second electronic device; and in response to receiving the command to output content at the output device associated with the second electronic device: providing content access information from the first electronic device to the second electronic device, and adjusting a security state on the second electronic device.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication by overwriting the DHCP responses. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined. Additionally, the DHCP address assignment may be policed to ensure accuracy and correctness to provide an additional layer of security.

Abstract: A method of generating a baseline of expected behavior on a single machine or endpoint to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the scope of a baseline to a single endpoint, the scope of the baseline can consist of expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are considered evidence of a redundant implementation of NTLM utilized by an attacker and thus as evidence of an attempted PTH attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM existing in tools such as Impacket, Metasploit, and Invoke-TheHash.

Abstract: In one example embodiment, an electronic device is provided and configured to: acquire authentication data for an authorized user; store the authentication data in an enclave; acquire identification data for a potential user, and compare, in the enclave, the identification data to the authentication data for recognizing if the potential user is the authorized user. In another embodiment, a server is provided and includes at least one processor; at least one memory; at least one driver, where the server is configured to: receive assertion data from an electronic device, where the assertion includes an authentication signing key and results from a comparison of acquired data and reference data; and determine it the assertion data is valid by: comparing the results to a threshold; and comparing the authentication signing key to an authentication signing key assigned to the electronic device.

Abstract: Certain aspects of the present disclosure provide techniques for identifying fraudulent user identifiers in a software application. An example method generally includes generating a vector representation of a user identifier. Using a first machine learning model and the vector representation of the user identifier, a fingerprint representative of the user identifier is generated. Using the first machine learning model and the generated fingerprint, a score is generated. The score generally describes a likelihood that the user identifier corresponds to a fraudulent user identifier. One or more similar user identifiers are identified based on the generated fingerprint and a second machine learning model. One or more actions are taken within a computing system relative to a user associated with the user identifier based on the generated score and the identified one or more similar user identifiers.

Abstract: Systems and methods for authenticating access to multiple data stores substantially in real-time are disclosed. The system may include a server coupled to a network, a client device in communication with the server via the network and a plurality of data stores. The server may authenticate access to the data stores and forward information from those stores to the client device. An exemplary authentication method may include receipt of a request for access to data. Information concerning access to that data is stored and associated with an identifier assigned to a client device. If the identifier is found to correspond to the stored information during a future request for access to the store, access to that store is granted.

Abstract: Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox, to obtain a score to determine whether or not the unknown content is malware; obtaining events based on the analysis; running one or more rules on the events; and adjusting the score based on a result of the one or more. The systems and methods can include classifying the unknown content as malware or clean based on the adjusted score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.

Abstract: Collaborative computing and electronic records are disclosed. An entity that may be able to help achieve an objective is discovered and a connection to the entity established. A meta-language is used to exchange with the entity a description of the objective and a description of the entity. The meta-language is used to negotiate with the entity a contract to help achieve the objective. In the event a contract to help achieve the objective is reached, performing a self-configuration in accordance with the contract.

Abstract: An acquisition unit (10) acquires normal sample data and non-normal sample data. A model generation unit (120) generates a normal model representing the normal sample data. A change unit (141) generates a non-normal feature vector of the non-normal sample data, and generates a non-normal changed vector obtained by changing an element of the non-normal feature vector. When the non-normal changed vector and the normal model are similar to each other, a verification unit (142) executes a process using sample data represented by the non-normal changed vector. The verification unit (142) verifies whether an anomalous event is detected by a detection device. Upon verification that an anomalous event is not detected, the verification unit (142) determines whether an anomalous event is present, independently of the detection device.

Abstract: A system includes a processor and a memory accessible to the processor. The memory stores instructions that, when executed by the processor, cause the processor to determine a privacy policy score for one of an application and a website and provide the privacy policy score to a device.

Abstract: A payment application isolation method and apparatus, and a terminal are provided. In the payment application isolation method, a payment application that is selected by a user and that is to be added to an isolation area is obtained; and if the to-be-added payment application has an attribute of being addable to a first isolation area, the to-be-added payment application is added to the first isolation area; or if the to-be-added payment application has an attribute of being addable to a second isolation area, the to-be-added payment application is added to the second isolation area. A payment application added to the first isolation area has an attribute of being invocable by a trusted application installed outside the first isolation area, and a payment application added to the second isolation area has an attribute of being completely isolated from an application installed outside the second isolation area.