Abstract: Endpoint devices for use, e.g., in distributed environments such as a healthcare institutions comprise, in various embodiments, (i) a processor, (ii) an operating system, (iii) a computer memory, and (iv) instructions stored in the memory and executable by the processor for defining a plurality of user applications, a plurality of sensors for monitoring calls to the operating system, a plurality of actuators for causing the processor to take specified actions for mitigating a threat or anomaly, and an intelligent controller for analyzing time-windowed data from the sensors based on a predictive response model to detect anomalous behavior, and upon detecting such behavior, instructing an actuator to take a specified mitigation action.

Abstract: Described embodiments provide systems and methods for anomaly detection and root cause analysis. A root cause analyzer receives a plurality of data samples input to an anomaly detection engine, and a corresponding plurality of anomaly labels output from the anomaly detection engine. The root cause analyzer trains a classification model using the plurality of data samples and the corresponding plurality of anomaly labels. The root cause analyzer determines, using the trained classification model and the plurality of data samples, relative contributions of anomalous features in a data sample of the plurality of data samples, to a prediction that the data sample is anomalous. The root cause analyzer provides the relative contributions of anomalous features to a device, to determine an action in response to the prediction that the data sample is anomalous.

Abstract: Systems and methods for improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of the event, based on which the endpoint protection platform blocks activity by the process. The endpoint production platform requests input from the cloud-based security platform which causes the cloud-based security platform performs a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service.

Abstract: A computer-implemented method that receives at an apparatus a request from a first computing device for access to information related to a first user data set; determines, or receives an indication of a determination, whether the first computing device can access the information based on criteria for sharing information, the criteria based on one or more characteristics of the first user data set and a second user data set accessible by the first computing device; and provide a response based on the determination, the response preserving privacy of a user corresponding to the first user data set.

Abstract: A method for training a machine learning model using information pertaining to characteristics of upload activity performed at one or more client devices includes generating first training input including (i) information identifying first amounts of data uploaded during a specified time interval for one or more of multiple application categories, and (ii) information identifying first locations external to a client device to which the first amounts of data are uploaded. The method includes generating a first target output that indicates whether the first amounts of data uploaded to the first locations correspond to malicious or non-malicious upload activity. The method includes providing the training data to train the machine learning model on (i) a set of training inputs including the first training input, and (ii) a set of target outputs including the first target output.

Abstract: Systems and methods include implementing dynamic runtime code manipulation to modify application code associated with calls related to networking, with the calls implemented by application software executed as a serverless workload; intercepting the calls from the application software based on the modified application code; determining whether to permit the calls based on a set of policies; responsive to permitting a call, making the call to an operating system interface on behalf of the application software; and, responsive to not permitting the call, providing a failure notification to the application software.

Abstract: Domain Name System (DNS) security using process information is provided. An application accessing an internet service using a domain name is determined. Process information associated with the application along with an associated DNS query to identify an IP address associated with the domain name are identified. The process information and the associated DNS query to a DNS security service are sent. An action based on a response from the DNS security service is performed.

Abstract: An artefact is received. Features are later extracted from the artefact and are used to populate a vector. The vector is input into a classification model to generate a score. This score is then modified using a time-based oscillation function and is provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A method for use with a computing device is provided. The method may include inputting an input data set into a first private artificial intelligence model generated using a first private data set and a second private artificial intelligence model generated using a second private data set. The method may further include receiving a first result data set from the first private artificial intelligence model and receiving a second result data set from the second private artificial intelligence model. The method may further include training an adaptive co-distillation model with the input data set and the first result data set. The method may further include training the adaptive co-distillation model with the input data set and the second result data set. The adaptive co-distillation model may not be trained on the first private data set or the second private data set.

Abstract: A method and system for characterizing application layer flood denial-of-service (DDoS) attacks are provided. The method includes receiving an indication on an on-going DDoS attack directed to a protected entity; generating a dynamic applicative signature by analyzing requests received during the on-going DDoS attack, wherein the dynamic applicative signature characterizes requests generated by an attack tool executing the on-going DDoS attack; and characterizing each incoming request based on the generated dynamic applicative signature, wherein the characterization provides an indication for each incoming request whether a request is generated by the attack tool.

Abstract: System and methods are described for efficient monitoring of network traffic in a public cloud computing environment. In one implementation, a method comprises: generating flow log records of network traffic in the public cloud computing environment; identifying a data packet that presents a potential security risk; identifying a captured data packet (PCAP) record corresponding to the identified data packet; and transmitting the PCAP record to a computing device for network traffic analysis.

Abstract: There are provided systems and methods for identifying patterns in computing attacks through an automated traffic variance finder. A service provider, such as an electronic transaction processor for digital transactions, may determine network traffic logs caused or generated by malicious web traffic and network communications, such as during a computing attack by a bad actor. The service provider may generate a log signature for the network traffic log based on a variance or uniqueness of the network traffic logs IP address from other network traffic logs for each field in the network traffic log over a time period, and a spread in the commonality of the network traffic log with other network traffic logs. An aggregate score for each field may be determined based on the variance and the spread. Once determined, the log signature may be used to identify other network traffic logs through a search function.

Abstract: A system, apparatus and product comprising: a multi-tenant layer that comprises shared resources, wherein the shared resources are accessible to multiple tenants of the storage system, wherein the shared resources comprise shared logic resources and shared data resources; and multiple single-tenant layers, wherein each single-tenant layer is associated with a respective tenant of the multiple tenants, wherein each single-tenant layer comprises a database and business logic of the respective tenant, wherein a multi-tenant encryption scheme is configured to enable secure communications with the multiple tenants without divulging sensitive information to the multi-tenant layer.

Abstract: Data security and privacy are improved by a client providing a hashed version of collected data to a remote analysis service, and having the analysis service determine the relevancy of the data from the hashes before requesting the plaintext of the data. In one example, a browser plug-in obtains data which is divided into overlapping three-character sequences, and the sequences are hashed to produce a sequence of hashes. The sequence of hashes is sent by the plug-in to the remote service, which uses the hashes to determine if the associated data is relevant to the analysis performed by the remote service, without requiring access to the associated plaintext. After making the determination, the remote service may request that relevant data be provided to the service in plaintext form, while data that is not relevant need not be sent to the remote service.

Abstract: A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. Access to the digital device is allowed if the inputs and movements are correlated.

Abstract: The invention provides a method and corresponding system for controlling a blockchain transaction output and/or specifying the recipient of the output. It also provides a method of controlling and/or generating an electronic communication. The invention is a blockchain-implemented solution, which may or may not be the Bitcoin blockchain. In a preferred embodiment of the invention, the method may comprise the step of sending an electronic notification to a notification address which is provided as metadata within an unlocking script of an input of a transaction (Txi) on a blockchain. The unlocking script is provided in order to spend an output from a further transaction (Tx2) on the blockchain. The input of the transaction (Txi) and/or the output of the further transaction (Tx2) may be associated with a tokenised asset represented on, or referenced via, the blockchain.

Abstract: The present disclosure generally relates to managing access to credentials. In some examples, an electronic device authorizes release of credentials for use in an operation for which authorization is required. In some examples, an electronic device causes display of one or more steps to be taken to enable an input device for user input. In some examples, an electronic device disambiguates between commands to change the account that is actively logged-in on the device and commands to cause credentials to be released from the secure element.

Abstract: A license authentication device includes a memory that stores a license file including a license expiration date of an application that adjusts a parameter of a semiconductor manufacturing apparatus in a semiconductor factory; and a processor coupled to the memory. The processor acquires log data when the semiconductor manufacturing apparatus executes a processing; and determines whether or not a time included in the log data has passed the license expiration date stored in the license information storage.

Abstract: Disclosed is a system to optimize rule weights for classifying access requests so as to manage rates of false positives and false negative classifications. A rules suggestion engine may suggest a profile of classification rules to a merchant for access requests. The system can optimize weights for the profile of rules using a cost function based on a training set of historical access requests, for example using stepwise regression or machine learning (ML). The system can compute a profile score based on the optimized weights, for example by summing the weights. The system statistically analyzes the profile score using classification thresholds and the historical access requests. The system can perform receiver operating characteristic (ROC) analysis for various threshold values, enabling a user to select a suitable threshold. The system can further optimize by adding or removing rules from the profile of rules.

Abstract: A computer system including in-memory cache storage may be used to store collections of metadata that provide a semantic layer for a query of a data source. The computer system may provide multiple users access to the metadata collection, using different security policies for the users, without duplicating the metadata collection in the in-memory storage. For instance, the computer system may retrieve the metadata collection and provide the first user access to the metadata collection based on a first security policy of the first user. The computer system may then provide a second user access to the metadata collection based on a second security policy of the second user, without the metadata collection being duplicated in the in-memory cache storage.