Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of user interface competence adaptation and fraud detection. The innovation includes a user device that provides a user interface to receive user interactions. A monitoring component monitors user interactions by the user on the user device. The user interactions can be controlling, navigating, or inputting to the user interface. A determination component determines a user proficiency based on the monitored user interactions. A configurator determines and implements a device configuration for the user device based on the determined user proficiency. A security component determines a different user is accessing the user device based on a change in user proficiency exceeding a threshold change. The security component implements security measures upon determine a different user has access.

Abstract: Embodiments are directed to managing communication over one or more networks. An underlay network that couples a source gateway and a target gateway using underlay protocols may be provided such that the target gateway includes two or more port groups that may each be associated with a separate target node. An overlay network may be provided on the underlay network based on policy information such that the source gateway and the target gateway may each be assigned separate gateway identifiers (GIDs) that are associated with the overlay network. In response to the source gateway authorizing a source node to employ the overlay network to communicate one or more encrypted payloads to a target node, the one or more encrypted payloads may be provided to the target node based on the overlay network and the policy information.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.

Abstract: A system and method for setting alert thresholds related to cybersecurity ratings of one or more affiliate entities. An example method includes: obtaining entity data including cybersecurity event data for an affiliate entity; calculating a time-series cybersecurity rating for the affiliate entity based on the entity data; associating an alert reporting threshold with the time-series cybersecurity rating, wherein a comparison of the alert reporting threshold to the time-series cybersecurity rating determines a number of alerts reported for the affiliate entity; applying an alternative alert reporting threshold against the time-series cybersecurity rating to determine an alternative number of alerts reported for the affiliate entity; and updating the alert reporting threshold for the time-series cybersecurity rating to the alternative alert reporting threshold.

Abstract: Disclosed embodiments relate to systems and methods for correlating software pipeline events. Techniques include receiving first data representing at least one aspect of a first software pipeline event; identifying a value as a potential identifier of the first software pipeline event; storing the value in a data structure in an associative manner with the first software pipeline event; receiving second data representing at least one aspect of a second software pipeline event; identifying an additional value as a potential identifier of the second software pipeline event; comparing additional value to the value stored in the data structure; based on the comparison, determining whether a correlation exists between the first software pipeline event and the second software pipeline event; and based on a determination that a correlation exists, providing an indication of the correlation.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: An electronic device for detecting threats within a server including a processor, and a memory communicatively coupled to the processor. The memory includes an inspection logic to receive a suspicious object for threat evaluation, and an analyzer logic including at least a first analyzer. The first analyzer, when processed by the processor, generates a virtual environment including a virtual client and a virtual server in communication over a virtualized communication link. The memory also includes a detonator logic configured to trigger the suspicious object. The analyzer logic loads and initializes the suspicious object into the virtual environment and further generates a first score based upon the triggering by the detonator logic that is indicative of a threat posed by the suspicious object. The memory may also include a reporting logic that compares a threat score to at least one threshold and in response may generate at least one remedial action.

Abstract: A policy-controlled access system comprising a client device running a local application, a secure tunnel between a client endpoint of the client device, and a mid-link endpoint of a mid-link server to provide network traffic from the client device to the mid-link server. The mid-link server monitors the network traffic, identifies a plurality of policies corresponding to the third-party content, the plurality of policies is based on parental control configuration set by a parent user, stores the plurality of policies corresponding to the third-party content in a local cache on the client device, and receives a request for data from the child user. After the request is made, the local application correlates the third-party content with the plurality of policies stored in the local cache, identifies a policy associated with the request for the data based on correlation, and authorizes the request for the data based on the identified policy.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.

Abstract: Methods, non-transitory computer readable media, network traffic management apparatuses, and network traffic management systems that identify when a domain name identifier in a received request matches one of a plurality of domain names stored in a whitelist domain name storage. When the identification indicates the received domain name identifier fails to match one of the plurality of domain names stored in the whitelist domain name storage, then a determination is made on whether the received request is a suspicious request. Another storage is updated when the determination indicates the received request is the suspicious request or otherwise updating the received request as a valid request.

Abstract: A computer-implemented method, computer program product and computing system for: establishing connectivity with a plurality of security-relevant subsystems within a computing platform; defining a plurality of subsystem-specific queries on a unified platform concerning the plurality of security-relevant subsystems, wherein one or more of the plurality of subsystem-specific queries has a defined execution schedule; and providing the plurality of subsystem-specific queries to the plurality of security-relevant subsystems.

Abstract: A computer-implemented method at a data management system comprises receiving, at the system, a write made to a virtual machine from a virtual machine host; computing, at the system, a fingerprint of the transmitted write; comparing, at the system, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.

Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.

Abstract: A system and method for generating a digital cybersecurity artifact includes selectively executing an automated cybersecurity investigation workflow based on a probable cybersecurity threat type of a cybersecurity event, wherein an output of the automated cybersecurity investigation workflow includes one or more corpora of investigation findings data in response to executing the automated cybersecurity investigation workflow; selectively instantiating a digital cybersecurity artifact of a plurality of digital cybersecurity artifacts based on the probable cybersecurity threat type of the cybersecurity event, wherein the digital cybersecurity artifact includes a plurality of distinct regions electronically mapped to one or more threat type-specific content automations that, when executed, install investigation findings data into the plurality of distinct regions of the plurality of distinct regions of the digital cybersecurity artifact with selective subsets of investigation findings data of the one or more cor

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application along with an associated DNS query to identify an IP address associated with the domain name are identified. The process information and the associated DNS query to a DNS security service are sent. An action based on a response from the DNS security service is performed.

Abstract: System and methods are described for efficient monitoring of network traffic in a public cloud computing environment. In one implementation, a method comprises: generating flow log records of network traffic in the public cloud computing environment; identifying a data packet that presents a potential security risk; identifying a captured data packet (PCAP) record corresponding to the identified data packet; and transmitting the PCAP record to a computing device for network traffic analysis.

Abstract: Churn-aware training of a classifier which reduces the difference between predictions of two different models, such as a prior generation of a classification model and a subsequent generation. A second dataset of labelled data is scored on a prior generation of a classification model, wherein the prior generation was trained on a first dataset of labelled data. A subsequent generation of a classification model is trained with the second dataset of labelled data, wherein in training of the subsequent generation, weighting of at least some of the labelled data in the second dataset, such as labelled data threat yielded an incorrect classification, is adjusted based on the score of such labelled data in the prior generation.