Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Detection of squatting domains is disclosed. A set of new fully qualified domain names (FQDNs) is received. The set of new FQDNs is analyzed to detect domain squatting by identifying a subset of the new FQDNs as candidate squatting domains. The candidate squatting domains are distributed to a security device/service.

Abstract: Adapting detection of security threats, including by retraining computer-implemented models is disclosed. An indication is received that a natural language processing model should be retrained. A list of training samples is generated that includes at least one synthetic training sample. The natural language processing model is retrained at least in part by using the set of generated training samples. The retrained natural language processing model is used to determine a likelihood that a message poses a risk.

Abstract: The present disclosure provides a stability criterion for time-delay of cyber-physical power systems under distributed control, which relates to a field of cyber-physical power systems technologies.

Abstract: A system for detecting Denial-of-Service (DoS) attacks on one or more user profiles collects a number of invalid sign-on attempts on the one or more user profiles during every time interval. The system determines a number of invalid sign-on attempts on every user profile since the start of the first time interval. The system detects a first DoS attack on a particular user profile if a first number of invalid sign-on attempts on the particular user profile exceeds a single-user profile. The system detects a second DoS attack on multiple user profiles during the first time interval if the increase in the total number of invalid sign-on attempts since the last time interval exceeds a scan-level threshold number. The system detects a third DoS attack on multiple user profiles if the total number of invalid sign-on attempts detected during combined time intervals exceeds a third threshold number.

Abstract: Examples are disclosed herein to implement remote authentication and passwordless password reset. An example server includes: at least one processor to forward executable instructions to a client device, the executable instructions, when executed at the client device, to cause the client device to: authenticate a user of an account based on a biometric authentication factor; obtain a local storage key by decrypting an encrypted local storage key with a cloud key obtained from a remote authentication server, the cloud key associated with the client device; decrypt a key bag with the local storage key, the key bag including a content encryption key and an encrypted credential encrypted with the content encryption key, the encrypted credential associated with the user; and decrypt the encrypted credential with the content encryption key to obtain a credential without the user supplying a master password associated with the account.

Abstract: Novel tools and techniques might provide for implementing application, service, and/or content access control. Based at least in part on a consumer's choice of applications, services, content, and/or content providers—particular in exchange for a subsidy on content and/or network access fees provided to the consumer by chosen content providers—, a computing system may determine whether access to applications, services, and/or content not associated with the chosen content providers (“other content”) should be allowed or restricted. If restricted, the computing system might utilize various network access techniques and/or technologies to block the consumer's access to the other content, to allow access to the other content on a charge per access basis, or to allow access to the other content at reduced network access speeds. In some embodiments, an access provider (e.g., an Internet service provider, etc.) might perform both determination and implementation of content access and restriction.

Abstract: A server manager for detecting ransomware includes a server interface to retrieve, from a storage device, a backup of a plurality of files stored by a client device. A ransomware detection module includes a statistical filter to generate a standard pattern of file activities of the client device for a time period. A statistical behavior analysis is performed on the backup of the plurality of files based on the standard pattern to identify a portion of the backup corresponding to a statistical anomaly different from the standard pattern. The statistical anomaly corresponds to an abnormal file activity. An entropy detector generates an entropy score for the portion of the backup. The entropy score represents a randomness of a distribution of bits in a block of a file in the portion of the backup. It is determined whether the backup includes the ransomware based on the generated entropy score.

Abstract: Embodiments of the invention are directed to a system, method, or computer program product for cross-channel network security with tiered adaptive mitigation operations. In this regard, the invention is structured for dynamic detection of security events associated with network devices and resources, and triggering real-time mitigation operations across a plurality of resource channels. The invention provides a novel method for employing activity data to construct and implement mitigation actions for de-escalating authorization tiers that are adapted to the specific attributes of the activity data, in order to prevent security exposure associated with the activity. Another aspect of the invention is directed to determining whether to continue the tiered adaptive mitigation actions and/or trigger a security proceed signal.

Abstract: A computer-implemented method for provisioning an Internet of Things (IoT) device comprises receiving, at a device provisioning system, an event schema for the IoT device. The method further comprises comparing the one or more event types from the event schema with a plurality of combinations of one or more event types in a device type schema list to identify a match between the one or more event types in the event schema from the IoT device and one of the plurality of combinations of one or more event types in the device type schema list; in response to identifying a match, assigning a device type to the IoT device based on a correlation in the device type schema list for the device type and the matched combination of one or more event types; and provisioning the IoT device with validated credentials based on the assigned device type.

Abstract: The present disclosure relates to a machine-learning system, method, and computer program for ranking security alerts from multiple sources. The system self-learns risk levels associated with alerts by calculating risk probabilities for the alerts based on characteristics of the alerts and historical alert data. In response to receiving a security alert from one of a plurality of alert-generation sources, the alert-ranking system evaluates the security alert with respect to a plurality of feature indicators. The system creates a feature vector for the security alert based on the feature indicator values identified for the alert. The system then calculates a probability that the security alert relates to a cybersecurity risk in the computer network based on the created feature vector and historical alert data in the network. The system ranks alerts from a plurality of different sources based on the calculated cybersecurity risk probabilities.

Abstract: A computing device may authenticate a user of the computing device as an authorized user. The computing device may, in response to authenticating the user of the computing device as the authorized user, transition from a locked state to an unlocked state. The computing device may, in response to authenticating the user of the computing device as the authorized user, determine one or more computing devices that are proximate to the computing device. The computing device may, in response to determining the one or more computing devices that are proximate to the computing device, send to each of the one or more computing devices an indication of successful user authentication by the computing device to enable each of the one or more computing devices to transition from the locked state to the unlocked state without performing user authentication.

Abstract: A method of managing access to a network destination. The method includes establishing a first network zone for a user, the first network zone including a plurality of network destinations. The first network zone is monitored and one or more changes in the first network zone are determined. A first network destination in the first network zone is analyzed responsive to determining the one or more changes in the first network zone to determine a first threat. An attempt by the user to access the first network destination is detected, and access by the user to the first network destination is restricted based on the determining the first threat.

Abstract: A system for limiting access to a digital resource based on detection of unauthorized scraping of the digital resource includes one or more processors configured to execute the instructions to detect, over a network, first data representing a plurality of first interactions by a client device with the digital resource hosted on a host system; extract, from the hardware storage device, second data representing a plurality of second interactions with digital resources, with the second interactions satisfy conditions for an interaction to be authorized; determine a confidence score based on comparing the first and second data, with the confidence score indicating a likelihood that an interaction is unauthorized; based on the determined confidence score indicating that the first interactions are unauthorized, detect, by one or more processing devices, unauthorized scraping of the digital resource; and limit access of the client device to the digital resource.

Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.

Abstract: Techniques are described herein that are capable of provisioning a trusted execution environment (TEE) based on (e.g., based at least in part on) a chain of trust that includes a platform on which the TEE executes. Any suitable number of TEEs may be provisioned. For instance, a chain of trust may be established from each TEE to the platform on which an operating system that launched the TEE runs. Any two or more TEEs may be launched by operating system(s) running on the same platform or by different operating systems running on respective platforms. Once the chain of trust is established for a TEE, the TEE can be provisioned with information, including but not limited to policies, secret keys, secret data, and/or secret code. Accordingly, the TEE can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information.

Abstract: A method implements private categorization using shared keys. The method includes selecting an encryption key, encrypting a transaction vector, generated from a transaction record, with the encryption key to generate an encrypted transaction vector, and receiving an encrypted category vector generated by a classifier model, corresponding to the encryption key, from the encrypted transaction vector. The method further includes decrypting a category from the encrypted category vector with a decryption key corresponding to the encryption key and presenting the category.

Abstract: A virtual private network (VPN) security system obtains data regarding a VPN session including (i) for each of a plurality of first subnets, a number of allowed connection attempts by a computer system to that first subnet, (ii) for each of a plurality of second subnets, a number of blocked connection attempts by the computer system to that second subnet, (iii) for each of a plurality of first network ports, a number of allowed connection attempts by the computer system using that first network port, and (iv) for each of a plurality of second network ports, a number of blocked connection attempts by the computer system using that second network port. The security system determines, using a neural network, a metric representing an estimated likelihood that the VPN session is associated with a malicious activity, and controls the VPN session based on the metric.

Abstract: Methods, systems, and computer readable media for network security testing using at least one emulated server are disclosed. According to one example method, the method comprises: receiving, from a client device and at an emulated domain name service (DNS) server, a DNS request requesting an Internet protocol (IP) address associated with a domain name; sending, to the client device and from the emulated DNS server, a DNS response including an IP address associated with an emulated server; receiving, from the client device and at the emulated server, a service request using the IP address; sending, to the client device and from the emulated server, a service response including at least one attack vector data portion; and determining, by a test controller and using data obtained by at least one test related entity, a performance metric associated with a system under test (SUT).

Abstract: An initial risk of an electronic message is determined. Based on the initial risk, it is determined whether to modify the electronic message. In an event it is determined to modify the electronic message: the electronic message is modified; the modified electronic message is allowed to be delivered to an intended recipient of the electronic message; a secondary computer security risk assessment of the electronic message is automatically performed; and based on the secondary computer security risk assessment, the modified message is updated.