Abstract: The present disclosure describes systems and methods for hardware-assisted malware detection. One such system comprises a memory; and a hardware processor of a computing device operatively coupled to the memory. The hardware processor is configured to execute a software application suspected of being malware; monitor behavior of the software application at run-time; and acquire an input time sequence of data records based on a trace analysis of the software application, wherein the input time sequence comprises a plurality of features of the software application. The hardware processor is further configured to classify the software application as being a malicious software application based on the plurality of features of the software application; and output a ranking of a subset plurality of features by their respective contributions towards the classification of the software application as being malicious software.

Abstract: Systems and methods for automated actions for application policy violations are disclosed. For example, policy violation evaluation components may monitor requests and/or responses from one or more applications to identify content policy violations. When a violation is identified, an automated decision engine utilizes data representing the policy violation along with, in example, contextual information about the policy violation to identify a rule from a rules database that is associated with the policy violation. An action is determined from the selected rule, and a command is generated to perform the action in response to the policy violation.

Abstract: Aspects of the present disclosure involve systems, methods, computer program products, and the like, for an orchestrator device associated with a scrubbing environment of a telecommunications network that receives one or more announced routing protocol advertisements from a customer device under an attack. In response to receiving the announcement, the orchestrator may configure one or more scrubbing devices of the network to begin providing the scrubbing service to packets matching the received routing announcement. A scrubbing service state for the customer may also be obtained or determined by the orchestrator. With the received route announcement and the customer profile and state information, the orchestrator may provide instructions to configure the scrubbing devices of the network based on the received information to dynamically automate scrubbing techniques without the need for a network administrator to manually configure the scrubbing environment or devices.

Abstract: Disclosed herein are systems and method for anti-malware scanning, including identifying a plurality of objects in a backup archive that is connected to a first network comprising a plurality of computing devices; scanning the plurality of objects in the backup archive to generate a whitelist indicating a subset of the plurality of objects that do not need to be scanned at a subsequent time; performing, using the whitelist, a first malware scan in a computing device of the plurality of computing devices; detecting that the computing device has left the first network to join a second network; and performing a second malware scan on the computing device, wherein the second malware scan uses a different whitelist of the second network, and wherein the second malware scan comprises scanning a first object that is not in the different whitelist and was not scanned in the first malware scan.

Abstract: A security appliance monitors streams of events and detects anomalous behavior by users with respect to software defined infrastructure. The security appliance creates baselines of activities for each user. After generating baselines, the security appliance compares events to the activity baselines of users to detect deviations. If a deviation is detected, then a violation report is generated.

Abstract: Disclosed are various embodiments for implementing a key escrow system without disclosure of a client's encryption key to third parties. An encryption key is split into a plurality of key segments pursuant to a shared secret protocol. A plurality of peer client devices are then identified. Each peer client device in the plurality of peer client devices is then verified and the respective one of the plurality of key segments are sent to a respective one of the plurality of peer client devices. A response is then received from each respective one of the plurality of peer client devices, the response confirming receipt of the respective one of the plurality of key segments. A list identifying the plurality of peer client devices is finally provided to a key escrow service, the list comprising key-value pairs that identify each respective one of the plurality of peer client devices and the respective one of the plurality of key segments.

Abstract: A method for multi-source cloud-infrastructure vulnerability management includes receiving cloud-element information related to a cloud-based element in a cloud environment. The method also includes receiving first vulnerability information from a first vulnerability source and receiving second vulnerability information from a second vulnerability source. Cloud-element context information is also received about the cloud-based element from the cloud environment. A multiple-source vulnerability database is then generated from both the first vulnerability information and from the second vulnerability information. The cloud-element information and the cloud-element context information are then evaluated using the multiple-source vulnerability database to generate a vulnerability assessment.

Abstract: Systems and methods for enhanced OTP messaging, comprising: receiving a request from an application executing on a computing device of a user; generating the supplemental information based on the request; segmenting the supplemental information into a first part of the supplemental information and a second part of the supplemental information; transmitting the first part of the supplemental information to the computing device of the user via a first communication channel to another app executing on the computing device of the user; instructing the another app to allow the user to utilize one or more graphical user interface (GUI) elements of a GUI of the another app to transfer the first part of the supplemental information to the app; and transmitting the second part of the supplemental information to the computing device of the user via a second communication channel so as to provide the supplemental information to the app.

Abstract: The present disclosure describes defending against an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) file is disclosed. The method may comprise determining, a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL file. In one implementation, the DSL file is executed to defend against a first attack execution operation executed by a threat-actor.

Abstract: Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident.

Abstract: The present describes simulating a threat-actor executing an attack execution operation. According to one aspect of the subject matter described in this disclosure, a method for generating a domain-specific language (DSL) simulant is disclosed. The method may comprise determining, a framework based on an attack repository, determining a first primitive based on the framework, and determining a second primitive based on the framework. In one implementation, the first primitive and the second primitive are fundamental structures or constructs within a DSL. The method further comprises combining the first primitive and the second primitive into a DSL simulant. In one implementation, the DSL simulant is executed to simulate a threat-actor executing an attack execution operation.

Abstract: A system, a method, and a computer program remediate a risk of a computing resource located in a computer network that has a plurality of other computing resource assets each having an associated risk. Data associated with a first computing resource is received, and a first risk framework is selected from among a plurality of risk frameworks. A risk score is calculated based on the received data and the selected first risk framework, and a first risk rating is determined based on the risk score. The first risk rating is compared against a zone risk rating to determine whether the first risk rating is greater than the zone risk rating, and the first risk rating is replaced by the zone risk rating when the zone risk rating is greater than the first risk rating. The cybersecurity risk of the first computing resource is remediated according to the first risk rating.

Abstract: Managed lifecycle roles are disclosed. Managed lifecycle roles may be used for secure credential vending or otherwise. For instance, an entity (e.g., administrator or other entity) requests, via an interface of a role manager, creation of a role associated with a lifecycle definition (e.g., an expression of an enforceable expiration of the role or similar characteristic). The role manager stores the role and role lifecycle definition to a data store. Another entity requests to use the role to perform some operation with respect to a resource. A credential service validates the request against a lifecycle definition for the role (and against an access control list, in some examples) and responds to valid requests with credentials useable to perform the operation with respect to the resource. The other entity uses the credentials to perform the operation with respect to the resource. A sweep process manages attributes of the roles.

Abstract: A bridge component is interposed between a content targeting portion of a computerized content management system and a security portion of the system. the content targeting portion has a plurality of targeting segments defined therein. The bridge component creates a plurality of corresponding security groups for at least a subset of the plurality of targeting segments for which pre-existing security groups have not been created. For the targeting segments, accessing, with the bridge component, underlying logic used by the content targeting portion to create the targeting segments, and use the logic to determine whether each potential group member matches the logic. Add at least those of the potential group members that match the logic, and are not already present, to an appropriate one of the corresponding security groups; remove those that do not match. Apply security to the resulting updated security groups with the security portion, and distribute content accordingly.

Abstract: Disclosed herein are methods, systems, and processes for distributed logging for securing non-repudiable transactions. Credentials, request information, response information, and action items generated and received by a requesting computing system and a responding computing system, and transmitted between the requesting computing system and the responding computing system are separately recorded and stored in a requestor log maintained by the requesting computing system and in a responder log maintained by the responding computing system.

Abstract: A server comprises a communications module; a processor coupled with the communications module; and a memory coupled to the processor and storing processor-executable instructions which, when executed by the processor, configure the processor to send, via the communications module and to a remote computing device, a signal causing the remote computing device to display a unique code and a telephone number; monitor at least one instant messaging account associated with the telephone number for the unique code; after determining that the unique code has been received at the at least one instant messaging account associated with the displayed telephone number, determine that authentication for a particular account has been successful; and in response to determining that authentication for the particular account has been successful, initiate an authenticated session.

Abstract: The disclosed technology teaches an implementation for leveraging self-sovereign credentials held on mobile devices to provision credentials that empower one party (“recipient” or “user”, used synonymously herein) to obtain credentialed access to information and resources on behalf of another party (“sender” or “administrator”, used synonymously herein), without either party exposing private key information to each other or to the cloud. The sender is able to revoke user credentials at any time. Parties are able to leverage commodity hardware to automatically mutually authenticate their credentials and access available relevant options and workflows.

Abstract: A network system to provide mutable access tokens for access requests that eliminate a need for token replacement. The system allows an access token to be changed to update data in the token. When data stored with the token changes, such as when a user or partner has a change in status, a new token is not required to be requested, generated, dispersed, or stored. Conventional systems refuse the API call request and require the new token be provided. The described system instead completes the request while simultaneously notifying the user to subsequently retrieve an updated access token. Requesting, generating, communicating, and presenting a new token requires additional time, bandwidth, computing capacity, and system interactions. While performing new token acquisition in conventional systems, devices are forced to perform additional interactions, which may result in a time delay or in one or more devices exceeding capacity, becoming overloaded, and seizing.

Abstract: A fully homomorphic white-box implementation of one or more cryptographic operations is presented. This method allows construction of white-box implementations from general-purpose code without necessitating specialized knowledge in cryptography, and with minimal impact to the processing and memory requirements for non-white-box implementations. This method and the techniques that use it are ideally suited for securing “math heavy” implementations, such as codecs, that currently do not benefit from white-box security because of memory or processing concerns. Further, the fully homomorphic white-box construction can produce a white-box implementation from general purpose program code, such as or C++.

Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.