Patents Examined by Hassan Saadoun
-
Patent number: 11245666
Abstract: A method including collecting and aligning raw data from a plurality of network nodes, wherein dissimilar data types are aligned as input events; filtering the input events by discarding events and/or parts of events that are detected to be equal or similar to previously observed events or events and/or parts of events found to be redundant by using predetermined criteria; separating processing of the input events into event aggregation and event enrichment processes, wherein the event aggregation process includes processing all the input events for generating aggregated events, and the event enrichment process includes processing only events passed by the filtering and the aggregated events from the event aggregation process; and analysing the data received from the event enrichment process for generating a security related decision.
Type: Grant
Filed: June 26, 2019
Date of Patent: February 8, 2022
Assignee: F-Secure Corporation
Inventors: Dmitriy Komashinskiy, Paolo Palumbo
-
Patent number: 11233823
Abstract: The present disclosure generally relates to enabling efficient implementation of honeypot devices in a honeypot service environment. Each honeypot device can be implemented as a virtualized device, executing software modified from a production version of a device such that interactions with the honeypot device closely match interactions with a production device. By using virtualization, each honeypot device can be reset to a known good state when a potential security breach occurs. Because network-based attacks are often wide-spread, the honeypot service environment can deduplicate attacks that occur at a large number of devices, discarding duplicate attack traffic to reduce overall load on the environment. While deduplication can be inappropriate for production environments (given the corresponding data loss), deduplication in a honeypot environment can reduce load while still enabling detection of a network attack.
Type: Grant
Filed: December 9, 2019
Date of Patent: January 25, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Eknath Venkataramani, Daniel J. Miller, Swati Kulkarni
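The two abstracts above describe the same pipeline shape from two ends: F-Secure's filter discards events equal or similar to ones already seen while aggregation still runs over every input event, and Amazon's honeypot fleet discards repeat attack traffic across many devices. The example below is added here to show that shape in working code; it is not code from either patent or assignee. The two input formats, the fingerprint fields (observing node deliberately excluded so the same attack on many nodes counts once), the aggregates and the block/monitor thresholds are all assumptions of the example, and the log lines are constructed.

```python
"""Align -> filter (dedup) -> aggregate (all events) -> enrich (passed events
+ aggregates) -> decide.  Every input line below is constructed."""
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass

# Two dissimilar sources: syslog-style firewall lines and JSON honeypot records.
SYSLOG_LINES = [
    "fw01 DROP src=203.0.113.9 dst=10.0.0.5 dport=22",
    "fw01 DROP src=203.0.113.9 dst=10.0.0.5 dport=22",    # exact repeat
    "fw02 DROP src=203.0.113.9 dst=10.0.0.7 dport=22",    # same attack, other node
    "fw01 ACCEPT src=198.51.100.4 dst=10.0.0.5 dport=443",
]
HONEYPOT_JSON = [
    '{"device":"hp-01","peer":"203.0.113.9","port":22,"payload":"root:admin123"}',
    '{"device":"hp-02","peer":"203.0.113.9","port":22,"payload":"root:admin123"}',
    '{"device":"hp-03","peer":"203.0.113.9","port":22,"payload":"root:admin123"}',
    '{"device":"hp-01","peer":"192.0.2.77","port":23,"payload":"enable"}',
]
SYSLOG_RE = re.compile(
    r"^(?P<node>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")


@dataclass(frozen=True)
class Event:
    """Aligned input event: one schema for every source."""
    node: str
    src: str
    dst: str
    port: int
    kind: str          # "drop", "accept" or "honeypot"
    payload: str = ""


def align(syslog_lines, honeypot_lines):
    events = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append(Event(m["node"], m["src"], m["dst"], int(m["port"]), m["action"].lower()))
    for line in honeypot_lines:
        d = json.loads(line)
        events.append(Event(d["device"], d["peer"], d["device"], int(d["port"]), "honeypot", d["payload"]))
    return events


def fingerprint(ev):
    # The observing node is left out on purpose: the same attack landing on
    # many nodes is one observation, and the repeats are discarded.
    key = f"{ev.src}|{ev.port}|{ev.kind}|{ev.payload}"
    return hashlib.sha256(key.encode()).hexdigest()


def filter_events(events):
    """Pass the first event per fingerprint; count the duplicates dropped."""
    seen, passed, suppressed = set(), [], Counter()
    for ev in events:
        fp = fingerprint(ev)
        if fp in seen:
            suppressed[fp] += 1
            continue
        seen.add(fp)
        passed.append(ev)
    return passed, suppressed


def aggregate(events):
    """Aggregation sees ALL input events, filtered or not."""
    nodes_by_src = {}
    for ev in events:
        nodes_by_src.setdefault(ev.src, set()).add(ev.node)
    hostile = Counter(ev.src for ev in events if ev.kind in ("drop", "honeypot"))
    return {"fanout": {s: len(n) for s, n in nodes_by_src.items()}, "hostile": hostile}


def enrich(passed, suppressed, aggregates):
    """Enrichment sees only the events that passed the filter, plus aggregates."""
    return [{
        "event": ev,
        "duplicates_suppressed": suppressed[fingerprint(ev)],
        "fanout": aggregates["fanout"][ev.src],
        "hostile_hits": aggregates["hostile"][ev.src],
    } for ev in passed]


def decide(enriched, min_fanout=2, min_hits=3):
    """Security decision: a source seen hostile on several nodes gets blocked."""
    verdicts = {}
    for rec in enriched:
        src = rec["event"].src
        if rec["fanout"] >= min_fanout and rec["hostile_hits"] >= min_hits:
            verdicts[src] = "block"
        else:
            verdicts.setdefault(src, "monitor")
    return verdicts


def run_pipeline(syslog_lines=SYSLOG_LINES, honeypot_lines=HONEYPOT_JSON):
    events = align(syslog_lines, honeypot_lines)
    passed, suppressed = filter_events(events)
    enriched = enrich(passed, suppressed, aggregate(events))
    return {"input": len(events), "passed": len(passed),
            "suppressed": sum(suppressed.values()), "verdicts": decide(enriched)}
```

On the constructed input, 8 events enter, 4 are suppressed as repeats, and the enrichment stage still learns from the aggregates that 203.0.113.9 touched five nodes, which is what turns a single surviving event into a block decision. The same suppression that would lose data in a production log store is harmless here because the aggregate counts were computed before filtering.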
-
Patent number: 11228606
Abstract: Methods and systems for detecting and correcting anomalies include ranking sensors in a cyber-physical system according to a degree of influence each sensor has on a measured performance indicator in the cyber-physical system. An anomaly is detected in the cyber-physical system based on the measured performance indicator. A corrective action is performed responsive to the detected anomaly, prioritized according to sensor rank.
Type: Grant
Filed: October 2, 2019
Date of Patent: January 18, 2022
Inventors: Shuchu Han, Wei Cheng, Dongjin Song, Haifeng Chen, Yuncong Chen
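The abstract fixes the order of operations (rank sensors by influence on the performance indicator, detect an anomaly on that indicator, prioritise the corrective action by rank) but not the influence metric. The example below is added here and is not the patent's method: it uses absolute Pearson correlation as the influence score and a z-score on the indicator as the anomaly test, both assumptions of the example, over constructed telemetry.

```python
"""Rank sensors by influence on a KPI, flag a KPI anomaly, order corrective
actions by sensor rank.  Telemetry below is constructed for the example."""
import math

SENSORS = {
    "pump_rpm":    [100, 102, 98, 101, 99, 103, 97, 100, 102, 98],
    "inlet_temp":  [20, 21, 20, 22, 21, 20, 23, 21, 20, 22],
    "valve_pos":   [50, 52, 49, 51, 48, 53, 47, 50, 52, 48],
    "ambient_hum": [40, 41, 39, 40, 42, 41, 39, 40, 39, 39],
}
KPI = [200, 204, 196, 202, 198, 206, 194, 200, 204, 196]   # throughput baseline
CURRENT_READINGS = {"pump_rpm": 85, "inlet_temp": 21, "valve_pos": 50, "ambient_hum": 40}


def mean(xs):
    return sum(xs) / len(xs)


def pstdev(xs):
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den if den else 0.0


def rank_sensors(sensors, kpi):
    """Influence = |Pearson r| between each sensor and the KPI (assumed metric;
    the abstract does not fix one).  Returns (names best first, scores)."""
    influence = {name: abs(pearson(series, kpi)) for name, series in sensors.items()}
    return sorted(influence, key=influence.get, reverse=True), influence


def is_anomalous(kpi_history, observation, z_threshold=3.0):
    """Anomaly on the measured performance indicator itself."""
    z = (observation - mean(kpi_history)) / pstdev(kpi_history)
    return abs(z) > z_threshold, z


def corrective_actions(sensors, ranked, current):
    """One action per sensor, ordered by rank, carrying the sensor's own z-score
    so the operator can see whether the top-ranked sensor is actually off."""
    actions = []
    for rank, name in enumerate(ranked, start=1):
        z = (current[name] - mean(sensors[name])) / pstdev(sensors[name])
        actions.append({"rank": rank, "sensor": name, "z": round(z, 2),
                        "action": f"inspect {name}"})
    return actions


def respond(observation, current, sensors=SENSORS, kpi=KPI):
    ranked, _ = rank_sensors(sensors, kpi)
    anomalous, z = is_anomalous(kpi, observation)
    if not anomalous:
        return {"anomaly": False, "kpi_z": round(z, 2), "actions": []}
    return {"anomaly": True, "kpi_z": round(z, 2),
            "actions": corrective_actions(sensors, ranked, current)}
```

In the constructed data the KPI tracks pump_rpm exactly, so that sensor ranks first; when the KPI drops to 170 the first action is to inspect the pump, whose own reading is also several sigma low. Ranking on the baseline and only then looking at the live readings is what keeps a noisy but unimportant sensor (here ambient humidity) from jumping the queue.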
-
Patent number: 11228612
Abstract: Identifying cyber adversary behavior on a computer network is provided. Individual security events are received from multiple threat intelligence data sources. A security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, is matched to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack. A set of mitigation actions is performed on the computer network based on matching the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique.
Type: Grant
Filed: March 28, 2019
Date of Patent: January 18, 2022
Assignee: International Business Machines Corporation
Inventors: Sulakshan Vajipayajula, Kaushal Kiran Kapadia, Stephen Cameron Will, Ilgen Banu Yuceer, Kevin Tabb
-
Patent number: 11223651
Abstract: Technology for isolating suspicious activity on a plurality of servers for the purpose of mitigating damage (for example, unauthorized access to server data) to a network of computers and eliciting information about any suspicious clients involved in the suspicious activity. A suspicious client is identified, isolated, and permitted to continue interacting with the computer network to elicit information about the activity (for example, the identity of a suspicious client). Suspicious activity is defined by network administrators and determined using conventional techniques. The suspicious activity is isolated to prevent the suspicious client(s) from unauthorized and/or harmful actions on the network. The suspicious client(s) are permitted to resume network requests, in isolation, to covertly elicit information about the suspicious activity.
Type: Grant
Filed: July 30, 2019
Date of Patent: January 11, 2022
Assignee: International Business Machines Corporation
Inventors: Steven Shultz, Steven Paul Gessner, Marci A. Beach, Patricia M. Rando
-
Patent number: 11223635
Abstract: Systems and methods are described for inception of suspicious network traffic to allow detection of the beginning of common attacks by network security devices, such as NGFWs, UTM appliances and IPS appliances. According to one embodiment, an inception engine running on a network security appliance protecting a private network monitors a session between an external computing device and a server device associated with the private network. In response to receipt of suspicious traffic from the external computing device indicative of an attack sequence, the inception engine blocks the suspicious traffic from reaching the server device and incepts the attack sequence by providing one or more responses to the external computing device, which are selected based on the attack sequence. Further, when the attack is confirmed, the inception engine diverts the traffic to a more capable deception device.
Type: Grant
Filed: September 28, 2019
Date of Patent: January 11, 2022
Assignee: Fortinet, Inc.
Inventor: James Cabe
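The three moves in the abstract (block the suspicious request so it never reaches the server, answer it with a response chosen for the attack sequence, and hand the session to a deception device once the attack is confirmed) fit in a small per-session state machine. The example below is added here and is not Fortinet's code; the attack sequences, the canned responses and the "confirmed after two suspicious steps" rule are assumptions of the example.

```python
"""Inception engine in front of a protected web server.  Sequences and
responses are constructed for the example."""
from collections import defaultdict

# Assumed attack sequences as ordered request signatures ("METHOD path").
SEQUENCES = {
    "web-recon-then-login": ["GET /.env", "GET /.git/config", "POST /wp-login.php"],
    "path-traversal": ["GET /../../etc/passwd"],
}
# What the engine answers in the server's place for each suspicious step:
# the reply an attacker would expect if the step had worked.
CANNED = {
    "GET /.env": (200, "APP_KEY=base64:AAAA\nDB_PASSWORD=changeme\n"),
    "GET /.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "POST /wp-login.php": (200, "<title>Dashboard</title>"),
    "GET /../../etc/passwd": (200, "root:x:0:0:root:/root:/bin/bash\n"),
}


class InceptionEngine:
    def __init__(self, confirm_after=2):
        self.confirm_after = confirm_after     # suspicious steps before the attack is confirmed
        self.sessions = defaultdict(lambda: {"steps": [], "diverted": False})
        self.upstream = []                     # requests that reached the real server
        self.deception = []                    # requests handed to the deception device

    @staticmethod
    def _sequence_for(steps):
        """Name of the known attack sequence these steps are a prefix of, if any."""
        for name, seq in SEQUENCES.items():
            if steps == seq[:len(steps)]:
                return name
        return None

    def handle(self, client, method, path):
        sess = self.sessions[client]
        sig = f"{method} {path}"
        if sess["diverted"]:
            # Attack already confirmed: the deception device owns this session.
            self.deception.append((client, sig))
            return {"handled_by": "deception", "status": 200}
        attack = self._sequence_for(sess["steps"] + [sig])
        if attack is None:
            # Not a step of any known sequence: forward to the protected server.
            # Earlier partial matches are kept, so a benign request in between
            # does not reset the attacker's progress.
            self.upstream.append((client, sig))
            return {"handled_by": "server", "status": 200}
        # Suspicious: blocked from the server and answered by the engine.
        sess["steps"].append(sig)
        status, body = CANNED.get(sig, (404, ""))
        completed = sess["steps"] == SEQUENCES[attack]
        if completed or len(sess["steps"]) >= self.confirm_after:
            sess["diverted"] = True
        return {"handled_by": "inception", "status": status, "body": body,
                "attack": attack, "confirmed": sess["diverted"]}
```

A client that fetches /.env and then /.git/config never touches the server, gets plausible file contents back, and has its third request routed to the deception device; a client asking for /index.html is forwarded untouched. The canned replies are the point of the design: a 403 would end the reconnaissance before the engine learns anything.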
-
Patent number: 11216577
Abstract: Systems, methods, and computer-readable media for protecting distributed data are provided. The data is distributed according to a time-based shard distribution scheme that splits data into multiple pieces to prevent an attacker who successfully breaches a terminal device from reassembling the pieces.
Type: Grant
Filed: July 13, 2021
Date of Patent: January 4, 2022
Assignee: TECHNOLOGY INNOVATION INSTITUTE
Inventors: Septimiu F. Mare, Najwa Aaraj, Marcos Manzano, Alvaro Garcia
-
Patent number: 11216576
Abstract: Systems, methods, and computer-readable media for protecting distributed data are provided. The data is distributed according to a time-based shard distribution scheme that splits data into multiple pieces to prevent an attacker who successfully breaches a terminal device from reassembling the pieces.
Type: Grant
Filed: July 13, 2021
Date of Patent: January 4, 2022
Assignee: TECHNOLOGY INNOVATION INSTITUTE
Inventors: Septimiu F. Mare, Najwa Aaraj, Marcos Manzano, Alvaro Garcia
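The two abstracts above share one sentence and say only that the pieces are distributed on a time basis so that a breached terminal cannot reassemble them. The example below is added here as one concrete reading of that, not the patents' scheme: the data is XOR-split into n shards (any n-1 of which are uniformly random), and the terminal receives them one at a time on a schedule whose hold time is shorter than the delivery interval, so an attacker who images the device at any instant obtains at most one shard. The split, the schedule and the sample payload are assumptions of the example.

```python
"""n-of-n XOR split plus a non-overlapping delivery schedule.  The schedule
parameters and the secret are constructed for this example."""
import os
from dataclasses import dataclass


def split_xor(data, n):
    """n-1 uniformly random shards and one that is data XOR all of them.
    Any n-1 shards together are still uniform, so they reveal nothing."""
    if n < 2:
        raise ValueError("need at least two shards")
    shards = [os.urandom(len(data)) for _ in range(n - 1)]
    last = bytes(data)
    for s in shards:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shards + [last]


def combine_xor(shards):
    out = bytes(len(shards[0]))
    for s in shards:
        if len(s) != len(out):
            raise ValueError("shard length mismatch")
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


@dataclass(frozen=True)
class Delivery:
    index: int
    available_at: int   # tick at which the terminal receives shard `index`
    wiped_at: int       # tick by which it must have been forwarded and wiped


def schedule(n, interval=10, hold=4):
    """Shard i lands at i*interval and is wiped `hold` ticks later (assumed
    policy).  hold < interval is the property that keeps shards from overlapping."""
    if hold >= interval:
        raise ValueError("hold time must be shorter than the delivery interval")
    return [Delivery(i, i * interval, i * interval + hold) for i in range(n)]


def resident_at(sched, t):
    return [d.index for d in sched if d.available_at <= t < d.wiped_at]


def attacker_view(shards, sched, t):
    """Shards an attacker who images the terminal at tick t walks away with."""
    return [shards[i] for i in resident_at(sched, t)]


def max_resident(sched, horizon):
    return max(len(resident_at(sched, t)) for t in range(horizon))


def demo(secret=b"constructed secret payload", n=4):
    shards = split_xor(secret, n)
    sched = schedule(n)
    return {
        "recovered_ok": combine_xor(shards) == secret,          # all n shards
        "partial_recovers": combine_xor(shards[:-1]) == secret,  # n-1 shards
        "max_resident": max_resident(sched, n * 10 + 1),
        "snapshot_at_2": len(attacker_view(shards, sched, 2)),
        "snapshot_at_7": len(attacker_view(shards, sched, 7)),
    }
```

The schedule is only as good as the wipe: if the terminal keeps a shard past `wiped_at` (swap, crash dump, a copy in a log), the resident count exceeds one and the guarantee is gone, which is why the example enforces the hold/interval ordering at construction time rather than trusting callers.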
-
Patent number: 11212281
Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting cyber-attack. In an embodiment, a server receives a request to an application from a user device. The server determines that there is no cookie in the received request. The server then generates a new fingerprinting cookie and sends a verification request to the user device to verify the identity of a user. When the server receives the verification reply from the user device, the server determines that the verification reply is valid, marks the new cookie as a verified cookie, and transfers the request to the application for processing. The server can also unverify the verified cookie when the verified cookie is included in a malicious request. The server can determine that a request is malicious by analyzing functions the user wishes to perform using the request.
Type: Grant
Filed: August 23, 2019
Date of Patent: December 28, 2021
Assignee: SAP SE
Inventors: Cedric Hebert, Anderson Santana De Oliveira, Merve Sahin
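The flow above (no cookie: issue a fingerprinting cookie and a verification request; valid reply: mark the cookie verified and pass the request to the application; malicious request on a verified cookie: unverify it) is shown below as an added example, not SAP's implementation. The HMAC-signed cookie format, the challenge (a hash the client-side verification script computes over a server nonce) and the pattern-based "what does this request ask the application to do" check are all assumptions of the example; the server key is a constructed placeholder.

```python
"""Fingerprinting-cookie gate in front of an application.  Cookie format,
challenge and malicious-request heuristics are assumptions of this example."""
import hashlib
import hmac
import re
import secrets

SERVER_KEY = b"constructed-demo-key-rotate-in-production"   # constructed placeholder
MALICIOUS = re.compile(r"(\.\./|<script|'\s*or\s+1=1|union\s+select)", re.I)


class Gateway:
    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.cookies = {}       # cookie id -> {"verified": bool, "nonce": str}
        self.app_requests = []  # paths that actually reached the application

    def _sign(self, cid):
        return hmac.new(self.key, cid.encode(), hashlib.sha256).hexdigest()[:32]

    def _lookup(self, cookie):
        """Return the cookie id only if the signature is ours and the id is known."""
        if not cookie or "." not in cookie:
            return None
        cid, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig, self._sign(cid)):
            return None                      # forged or foreign cookie: treat as absent
        return cid if cid in self.cookies else None

    def _new_cookie(self):
        cid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.cookies[cid] = {"verified": False, "nonce": nonce}
        return {"status": 401, "set_cookie": f"{cid}.{self._sign(cid)}", "challenge": nonce}

    @staticmethod
    def solve(nonce):
        """What the verification script on the user device sends back (assumed)."""
        return hashlib.sha256(nonce.encode()).hexdigest()[:16]

    @staticmethod
    def is_malicious(request):
        """Judge the request by the functions it asks the application to perform."""
        path = request.get("path", "")
        text = path + " " + request.get("body", "")
        return bool(MALICIOUS.search(text)) or path.startswith("/admin/")

    def handle(self, request):
        cid = self._lookup(request.get("cookie"))
        if cid is None:
            return self._new_cookie()            # no usable cookie: fingerprint and verify
        entry = self.cookies[cid]
        if not entry["verified"]:
            reply = request.get("verification")
            if (not isinstance(reply, str) or not reply.isascii()
                    or not hmac.compare_digest(reply, self.solve(entry["nonce"]))):
                return {"status": 401, "challenge": entry["nonce"]}
            entry["verified"] = True             # valid reply: cookie becomes verified
        if self.is_malicious(request):
            entry["verified"] = False            # unverify: a fresh challenge is required
            entry["nonce"] = secrets.token_hex(16)
            return {"status": 403, "challenge": entry["nonce"]}
        self.app_requests.append(request["path"])
        return {"status": 200, "app": request["path"]}
```

Two details carry the security of the flow: the cookie is signed, so a client cannot mint one that the gateway would look up, and a fresh nonce is issued on unverification, so the client cannot replay the reply that worked the first time. The pattern list is deliberately crude; in practice the "functions the user wishes to perform" check is whatever the application's own authorisation layer can say about the request.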
-
Patent number: 11206284
Abstract: Methods, apparatus, and processor-readable storage media for automated threat analysis of a system design are provided herein. An example method includes obtaining a design of a security architecture; analyzing the design to identify existing security controls in the architecture; in response to determining that the existing security controls fail to satisfy one or more mitigation criteria for mitigating at least one security threat: identifying one or more of at least one additional security control that mitigates the at least one security threat, and at least one change to at least one of the existing security controls that mitigates the at least one security threat; generating mitigation information indicative of one or more of the at least one additional security control and the changes; and revising the design based at least in part on the mitigation information.
Type: Grant
Filed: August 2, 2019
Date of Patent: December 21, 2021
Assignee: EMC IP Holding Company LLC
Inventor: Danny V. Dhillon
-
Patent number: 11206277
Abstract: Provided is a method performed by a computing device for detecting abnormal behavior in a network. The method comprises obtaining a plurality of individual rules, wherein an individual rule of the plurality of individual rules is for extracting first output data from at least one input data set among a plurality of input data sets, the first output data satisfying a first extraction condition, obtaining a plurality of association rules, wherein an association rule of the plurality of association rules is for extracting second output data from at least one of the plurality of input data sets and the first output data, the second output data satisfying a second extraction condition and detecting abnormal behavior in a network based on third output data, the third output data being extracted using one of the plurality of individual rules and the plurality of association rules.
Type: Grant
Filed: March 12, 2021
Date of Patent: December 21, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Sung Taek Oh, Woong Go, Hong Geun Kim, Jae Hyuk Lee
-
Patent number: 11196757
Abstract: A database protection system (DPS) is augmented to enable efficient handling of security-violating database client connections. To this end, when the DPS determines to suspend a suspect database client connection several actions are taken. The DPS drops the request and sends a database protocol-specific message to the database server; upon receiving an acknowledgment, the DPS closes the associated transport layer connection mechanism. The DPS then initiates an interaction with the client, preferably an exchange of periodic messages (e.g., keep-alive messages) configured to maintain the client in a suspended state. While in this state, the client does not detect any problem with the application or the connection and thus does not try to reconnect to the database server. The DPS then performs an additional assessment/investigation of the violation even as the connection remains open, but suspended. Further action is then taken depending on the results of this evaluation.
Type: Grant
Filed: August 21, 2019
Date of Patent: December 7, 2021
Assignee: International Business Machines Corporation
Inventors: Leonid Rodniansky, Tania Butovsky
-
Patent number: 11196762
Abstract: An approach is provided for vulnerability scanning that receives network access data from a secure network connection and stores the data in a memory. The set of network access data pertain to a set of network accessible resources. The set of network accessible resources are then accessed using the set of received network access data. A vulnerability scan is performed of the network accessible resources after which the access to the set of network accessible resources is released and the set of network access data is deleted from the memory.
Type: Grant
Filed: July 31, 2019
Date of Patent: December 7, 2021
Assignee: International Business Machines Corporation
Inventors: Bruno dos Santos Silva, Shawn Snodgrass, Diogo Tadeu Silva De Araujo
-
Patent number: 11176276
Abstract: The disclosed computer-implemented method for managing endpoint security states using passive data integrity attestations may include (i) receiving passively collected network data from an endpoint device of a computing environment, (ii) determining a security state of the endpoint device using the passively collected network data from the endpoint device, (iii) determining that the security state of the endpoint device is below a threshold, and (iv) in response to determining that the security state of the endpoint device is below a threshold, performing a security action to protect the computing environment against malicious actions. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: May 22, 2019
Date of Patent: November 16, 2021
Assignee: CA, INC.
Inventors: Joseph Chen, Qubo Song, Spencer Smith, Shaun Aimoto, Haik Mesropian, David Kane, Peter Ferrie, Jordan Saxonberg, Costin Ionescu
-
Patent number: 11171961
Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.
Type: Grant
Filed: May 9, 2019
Date of Patent: November 9, 2021
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Vincent E. Parla, Valentiu Vlad Santau, Peter Scott Davis
-
Patent number: 11171987
Abstract: Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.
Type: Grant
Filed: December 28, 2017
Date of Patent: November 9, 2021
Assignee: Morphisec Information Security 2014 Ltd.
Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
-
Patent number: 11140137
Abstract: A method is provided for performing a secure communication between a real-time operating system and a general purpose operating system. The systems are provided in a single computing apparatus and separated by a virtual machine monitor. The systems include a first and second open platform communications interfaces, respectively. The method includes: receiving a request with the virtual machine monitor from a user via the first or second open platform communications interface to access data of the real-time operating system from the general purpose operating system or to access data of the general purpose operating system from the real-time operating system; establishing a secure communication path via a software bus between the first and the second open platform communications interfaces according to the request; and performing a secure communication between the real-time operating system and the general purpose operating system via the established secure communication path for accessing the data.
Type: Grant
Filed: December 14, 2018
Date of Patent: October 5, 2021
Assignee: OMRON Corporation
Inventors: Fred Scheffer, Praveen Pujari
-
Patent number: 11126703
Abstract: Techniques are provided for identity assurance using a posture profile. One method comprises obtaining a posture profile of a user indicating a behavior of the user while sitting in a seat and/or standing on a mat; performing the following steps, in response to a request of the user to obtain access to a protected resource: receiving identity assurance information comprising: (i) configuration information about a configuration of the seat and/or the mat at a time of the request of the user; and/or (ii) user information about the user sitting in the seat and/or standing on the mat at the time of the request of the user; determining if the identity assurance information satisfies a predefined identity assurance criteria; and providing an identity assurance result.
Type: Grant
Filed: May 3, 2019
Date of Patent: September 21, 2021
Assignee: EMC IP Holding Company LLC
Inventors: Brian C. Mullins, Kevin Bowers
-
Patent number: 11122061
Abstract: There is disclosed a method for determining malicious files in network traffic, the method executable by a server. The method comprises: receiving the network traffic from a data communication network, retrieving a plurality of files from the network traffic, analyzing the plurality of files in order to detect at least one suspicious file, running the at least one suspicious file in at least one virtual machine, the at least one virtual machine associated with a set of status parameters, determining changes in the set of status parameters of the at least one virtual machine, and analyzing the changes in the set of status parameters using a set of analysis rules so as to classify the at least one suspicious file as a malicious file based on the changes in the set of status parameters being indicative of the at least one file being the malicious file.
Type: Grant
Filed: January 16, 2019
Date of Patent: September 14, 2021
Assignee: GROUP IB TDS, LTD
Inventors: Nikita Igorevich Kislitsin, Nikolay Nikolaevich Andreev
-
Patent number: 11119806
Abstract: Disclosed herein are systems and methods of selecting security virtual machines (SVMs) for a virtual machine (VM) in a virtual infrastructure. In one aspect, an exemplary method comprises: forming a list of SVMs, wherein the SVM performs security tasks for the VM, and the VM includes a security agent configured to interact with the SVM; determining restriction requirements of the security agent and removing from the list SVMs not conforming to the restriction requirements on limits of the interaction area of the security agent; polling SVMs remaining on the list to determine network accessibility of said SVMs and removing inaccessible SVMs; for each accessible SVM remaining on the list, determining whether a marker of the SVM matches that of the security agent of the VM and removing SVMs whose markers do not match the marker of the security agent; and providing the list of remaining SVMs to the security agent of the VM.
Type: Grant
Filed: July 16, 2019
Date of Patent: September 14, 2021
Assignee: AO Kaspersky Lab
Inventors: Denis O. Vlaznev, Maxim E. Naumov, Maxim A. Vasilyev