Patents Examined by Christopher C. Harris
  • Patent number: 11361075
    Abstract: In one aspect, an illustrative methodology implementing the disclosed techniques includes, by a computing device, determining that an application process includes use of a first image and a second image, one of the first and second images being generated as part of the application process, and detecting a difference in content of the first image or the second image based on a comparison of the first and second images. The method also includes, by the computing device, revoking access to a file that includes at least one of the first and second images based on the detection of the difference in content of one of the first and second images.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: June 14, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Manbinder Pal Singh
  • Patent number: 11363043
    Abstract: A computer-implemented method, computer program product and computing system for: receiving platform information from a plurality of security-relevant subsystems; processing the platform information to generate processed platform information; identifying more threat-pertinent content included within the processed content; and routing the more threat-pertinent content to a threat analysis engine.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: June 14, 2022
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 11321453
    Abstract: Methods and systems utilizing sandbox outputs for files, such as dynamic file analysis (DFA) reports, regardless of size, to automatically create rules. From these rules, the maliciousness of the file is determined, and if the file is malicious, i.e., malware, the malware is classified into malware families.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: May 3, 2022
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Ivan Kosarev, Lotem Finkelstein
  • Patent number: 11323474
    Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: May 3, 2022
    Assignee: AIRGAP NETWORKS, INC.
    Inventors: Ritesh R. Agrawal, Vinay Adavi, Satish M. Mohan
  • Patent number: 11323418
    Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: May 3, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Robert Edgar Barton, Jerome Henry, Matthias Falkner, Maik Guenter Seewald
  • Patent number: 11275831
    Abstract: The disclosed computer-implemented method for detecting anomalous system command line data may include (i) receiving command line data from a target computing system, (ii) building a baseline model that utilizes machine-learning to analyze the command line data, the baseline model comprising a support-vector machine (SVM), natural language processing, and a hashing function, (iii) assigning, utilizing the baseline model, a score to each of a plurality of instances of the command line data, and (iv) identifying, based on the score, anomalous commands comprising potentially malicious data when any of the instances of the command line data fails to exceed a threshold. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 31, 2019
    Date of Patent: March 15, 2022
    Assignee: NortonLifeLock Inc.
    Inventors: Lamine Aouad, Slawomir Grzonkowski
  • Patent number: 11256802
    Abstract: Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: February 22, 2022
    Assignee: CA, INC.
    Inventors: Joao M. Forcada, Haik A. Mesropian, Alexander Danileiko, Christopher J. Peterson, Charlotte Chang, Huawei Xing, Artem Egoyan
  • Patent number: 11249691
    Abstract: This disclosure discloses a data judging method applied in a distributed storage system and the distributed storage system. The distributed storage system includes a plurality of processing units and a plurality of storage units corresponding to each processing unit. The data judging method prescribes that a processing unit corresponding to a storage unit that stores preset data is a first processing unit, the storage unit that stores the preset data corresponding to the first processing unit is a first storage unit, other storage units corresponding to the first processing unit except for the first storage unit are second storage units. The data judging method provided by this disclosure may judge whether the preset data needs to be encrypted. Thus, privacy protection may be performed to preset data that needs to be encrypted, without performing encryption protection to all data, thereby being capable of utilizing data reasonably.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: February 15, 2022
    Assignees: BOE TECHNOLOGY GROUP CO., LTD., CHONGQING BOE OPTOELECTRONICS TECHNOLOGY CO., LTD.
    Inventors: Xuan Liang, Rui Wang, Xiao Chu
  • Patent number: 11252169
    Abstract: A Cyber-Physical System (“CPS”) may have monitoring nodes that generate a series of current monitoring node values representing current operation of the CPS. A normal space data source may store, for each monitoring node, a series of normal monitoring node values representing normal operation of the CPS. An abnormal data generation platform may utilize information in the normal space data source and a generative model to create generated abnormal data to represent abnormal operation of the CPS. An abnormality detection model creation computer may receive the normal monitoring node values (and generate normal feature vectors) and automatically calculate and output an abnormality detection model including information about a decision boundary created via supervised learning based on the normal feature vectors and the generated abnormal data.
    Type: Grant
    Filed: April 3, 2019
    Date of Patent: February 15, 2022
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Weizhong Yan, Masoud Abbaszadeh
  • Patent number: 11244048
    Abstract: An attack pattern extraction device includes an extraction unit and an attack pattern generation unit. The extraction unit extracts a common character string of parameters included in an access log of communication that is determined as an attack. The attack pattern generation unit generates an attack pattern on the basis of a character string with a string length being equal to or longer than a predetermined length among extracted consecutive character strings.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: February 8, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Shingo Orihara, Tohru Sato, Yohsuke Shimada, Yuta Iwaki, Yang Zhong
  • Patent number: 11240028
    Abstract: Provided is a system and method for implementing remote trust services for blockchain. In one example, the method may include one or more of retrieving block content from a portion of a blockchain via an application programming interface (API), in response to a triggering event being detected, calling an off-chain trust service to sign the retrieved block content, receiving accreditation results of the retrieved block content from the off-chain trust service, the accreditation results comprising an indication of whether the retrieved block content has been successfully signed, and writing the received accreditation results to a block within the blockchain.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: February 1, 2022
    Assignee: SAP SE
    Inventors: Francois Vigneron, Saumyadipta Das, Soumya R, Manjusha Nair
  • Patent number: 11238154
    Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; and instructions encoded within the memory to instruct the processor to provide a security agent to: identify a malicious process; construct a genealogical process tree of the malicious process, the genealogical process tree including both vertical direct inheritance and horizontal indirect inheritance relationships; and terminate the malicious process and at least some related processes in the genealogical process tree.
    Type: Grant
    Filed: July 5, 2019
    Date of Patent: February 1, 2022
    Assignee: McAfee, LLC
    Inventors: Jonathan L. Edwards, Saurabh Gautam, Dhananjay Kumar, Joel R. Spurlock
  • Patent number: 11232206
    Abstract: A system and method for providing automated service-based malware remediation. When a computing device is attacked by malware such as ransomware, multiple manual steps are usually needed to fully remediate the device. Users are typically required to follow several steps to remove the ransomware, and potentially must engage in the challenging task of reimaging the impacted device as well as choosing a restore point for point-in-time recovery. The disclosed systems provide a mechanism by which a cloud-based service manages a fully automated remediation and file recovery process for the user.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Filip Chelarescu, Steven J. Bailey, John David Rodrigues
  • Patent number: 11227053
    Abstract: A malware attack is detected in a computing system by monitoring file I/O and coordinated network I/O traffic and referencing criteria including a correlation coefficient calculated relative to the I/O. If the file I/O and coordinated network I/O was initiated by an executing process that meets criteria indicative of malware, a correlation coefficient is calculated with respect to the file I/O and coordinated network I/O. The executing process is identified as malware if a threshold criteria is met that considers the correlation coefficient.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: January 18, 2022
    Assignee: Micro Focus LLC
    Inventor: Manoj Dahal
  • Patent number: 11205006
    Abstract: Data storage nodes that participate in a requested data statistical analysis as participant data storage nodes are determined and divided into a plurality of node sets. Data stored in each participant data storage node associated with a particular node set is encrypted, where the encrypted data is divided into a number of fragments at least equal to a number of participant data storage nodes associated with the particular node set. Each participant data storage node sends a portion of the encrypted data to each of the other participant data storage nodes within the particular node set. Each participant data storage node processes received encrypted data and data remaining on the particular participant data storage node to obtain a processing result. Each participant data storage node sends the processing result to a proxy node, wherein the proxy node performs data statistical analysis based on the processing result.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: December 21, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Wenzhen Lin
  • Patent number: 11182479
    Abstract: A call stack acquisition device reproduces, from a memory dump, a memory space of a process to which a thread as a production target of a call stack belongs. Then, the call stack acquisition device acquires execution context of the thread by acquiring, from a virtual memory space, register information of the thread, which is stored in a memory by an OS. In addition, the call stack acquisition device acquires a current stack position and a currently executed function from the acquired execution context. Thereafter, the call stack acquisition device acquires the call stack by tracing return addresses of a series of functions as callers of the currently executed function on the stack from metadata of an execution file of the process including the thread.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: November 23, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Takeo Hariu, Takeshi Yagi
  • Patent number: 11184370
    Abstract: Identifying and protecting against evolving cyberattacks using temporal word embeddings. In some embodiments, a method may include identifying sequences of security events that occurred over time on endpoint devices. The method may also include embedding each of the sequences of security events into low dimensional vectors, such that each of the sequences of security events is treated as a sentence, and such that each of the security events is treated as a word in the corresponding sentence. The method may further include analyzing the low dimensional vectors to identify a first cyberattack represented by a first sequence of security events and a second cyberattack represented by a second sequence of security events that is different from the first sequence of security events, the second cyberattack being an evolved version of the first cyberattack. The method may also include, in response to identifying the second cyberattack, protecting against the second cyberattack.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: November 23, 2021
    Assignee: NORTONLIFELOCK INC.
    Inventor: Yun Shen
  • Patent number: 11163875
    Abstract: The present disclosure relates to using correlations between support interaction data and telemetry data to discover emerging incidents for remediation. One example method generally includes receiving a corpus of support interaction data and a corpus of telemetry data. Topics indicative of underlying problems experienced by users of an application are extracted from the corpus of support interaction data. A topic having a rate of appearance in the support interaction data above a threshold value is identified. A set of telemetry data relevant to the topic is extracted from the corpus of telemetry data, and a subset of the relevant set of telemetry data having a frequency in the relevant set of telemetry data above a second threshold value is identified. The topic and the subset of telemetry data are correlated to an incident to be remediated, and one or more actions are taken to remedy the incident.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: November 2, 2021
    Assignee: CA, INC.
    Inventors: Kevin A. Roundy, Mahmood Sharif, Matteo Dell'Amico, Christopher Gates, Daniel Kats, Dong Chung
  • Patent number: 11151262
    Abstract: The present invention extends to methods, systems, and computer program products for configuring, enforcing, and monitoring separation of trusted execution environments. Firmware images consistent with configuration of multiple separate execution domains can be generated without requiring changes to existing application source code. A cryptographically signed firmware image can be loaded at a processor to form multiple separate execution domains at the processor. Communications can be secured across separate execution domains without using shared memory.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: October 19, 2021
    Assignee: Hex Five Security, Inc.
    Inventor: Cesare Garlati
  • Patent number: 11134059
    Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: September 28, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Robert Edgar Barton, Jerome Henry, Matthias Falkner, Maik Guenter Seewald