Abstract: A method comprises: generating a first partial hash of the user identity information, transmitting a first query to a server computer, in response to transmitting the first query, receiving query metrics that indicate a set of counts of expected results, determining whether a count of expected results of the first partial hash satisfies a threshold count of expected results, in response to determining that the count of expected results of the first partial hash satisfies the threshold: generating and transmitting a second query, and in response, receiving and storing a set of user identity records that match at least the first partial hash, querying the set of user identity records using the user identity information and in response, receiving a result set of user identity records, the result set of user identity records comprising one or more user identity records that match the user identity information.

Abstract: Churn-aware training of a classifier which reduces the difference between predictions of two different models, such as a prior generation of a classification model and a subsequent generation. A second dataset of labelled data is scored on a prior generation of a classification model, wherein the prior generation was trained on a first dataset of labelled data. A subsequent generation of a classification model is trained with the second dataset of labelled data, wherein in training of the subsequent generation, weighting of at least some of the labelled data in the second dataset, such as labelled data threat yielded an incorrect classification, is adjusted based on the score of such labelled data in the prior generation.

Abstract: A malicious object detection system for use in managed runtime environments includes a check circuit to receive call information generated by an application, such as an Android application. A machine learning circuit coupled to the check circuit applies a machine learning model to assess the information and/or data included in the call and detect the presence of a malicious object, such as malware or a virus, in the application generating the call. The machine learning model may include a global machine learning model distributed across a number of devices, a local machine learning model based on use patterns of a particular device, or combinations thereof. A graphical user interface management circuit halts execution of applications containing malicious objects and generates a user perceptible output.

Abstract: Systems and methods provide a transient component limited access to data in a composition. One method includes receiving a request for the transient component to access data in the composition. The composition may include permanent components operable to utilize encryption keys generated at selected intervals from a seed value shared by the permanent components. The encryption keys utilized by the permanent components at each selected interval may be identical to one another. The method also includes generating a set of encryption keys from the seed value for a specified period of time. The set of encryption keys may be identical to the encryption keys to be utilized by the permanent components at the selected intervals to occur during the specified period of time. The method further includes granting the transient component access to data in the composition for the specified period of time via the set of encryption keys.

Abstract: Systems and methods for bypassing firewalls using a server management protocol is provided. In various embodiments, a proxy component serves as a “man-in-the-middle” between an edge client and a server client. The proxy component can receive a server connection request from the edge client to connect to a requested server client using a managed network name associated with the server client. The proxy component can establish a proxy connection with the requested server client, and routing data packets between the server client and the edge client. The edge client and the server client are connected without the public advertisement of the private addresses of the edge client and the server client.

Abstract: This invention relates generally to distributed ledger technology (including blockchain related technologies), and in particular the use of a blockchain in implementing, controlling and/or automating a task or process. It may relate to the use of a blockchain or related technology for recording or representing the execution of a portion of logic. This portion of logic may be arranged to implement the functionality of a logic gate, or plurality of logic gates, such as AND, XOR, NOT, OR etc. . . . .

Abstract: A method and system and computer program product for subscribing to action plans including a processing device for receiving an action plan transaction message having one or more data fields from an analyst node in a blockchain network and generating an action plan transaction in a blockchain including the one or more data fields of the action plan transaction message and a newly generated plan identification. The processing device may transmit an action plan notice to the blockchain network alerting the nodes of the blockchain network of the action plan transaction. The processing device may receive one or more client bids for the action plan transaction, determine a winning client bid of the one or more client bids, generate a winning bid transaction in the blockchain and transmit a winning bid notification to the client node of the winning client bid.

Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.

Abstract: A predetermined access control policy is generated with reference to a lineage table and a metadata table to be stored in a policy table, and an access control policy which should be applied or recommended to treated data is provided with reference to the policy table.

Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which including: a domain information monitoring device; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. If the domain information monitoring device detects that a domain mapping of a suspect domain is changed and the new domain mapping of the suspect domain points to a predetermined local address, the domain information monitoring device would further monitor a domain mapping variation frequency of the suspect domain. If the domain mapping variation frequency of the suspect domain exceeds a predetermined value, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block their member devices from accessing the suspect domain.

Abstract: Systems and methods for using a kernel module to provide computer security are provided herein. In some embodiments, a method for providing computer security may include launching a kernel module at the kernel-level of a computing device, redirecting, using the kernel module, communications traffic away from a browser executing on the computing device, decoding, using the kernel module, the received traffic to create decoded traffic, analyzing the decoded traffic, using the kernel module, for content having particular characteristics and create analyzed traffic, encoding, using the kernel module, at least a portion of the analyzed traffic to create encrypted traffic, and directing the encrypted traffic to the browser.

Abstract: Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.

Abstract: Embodiments are disclosed for a method for a security model. The method includes generating a Bloch sphere based on a system information and event management (SIEM) of a security domain and a structured threat information expression trusted automated exchange of indicator information. The method also includes generating a quantum state probabilities matrix based on the Bloch sphere. Further, the method includes training a security threat model to perform security threat classifications based on the quantum state probabilities matrix. Additionally, the method includes performing a machine learning classification of the security domain based on the quantum state probabilities matrix.

Abstract: Disclosed herein are systems and methods for granting access to data of a user. In one aspect, an exemplary method comprises, blocking the processing of data of a user, transferring the data of the user to a storage device, receiving a request for data processing from a collected data processor of a device, redirecting the received request to the storage device, determining, by the storage device, data access rights for the collected data processor of the device from which the request for data processing is received in accordance with data access rights established by a data access rights manager, and providing access to the data in accordance with the determined data access rights.

Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.

Abstract: Embodiments of the present disclosure relate to a method, apparatus, and computer readable medium for providing a security service for a data center. According to the method, a packet terminating at or originating from the data center is received. At least one label is determined for the packet, each label indicating a security requirement for the packet. Based on the at least one label, a security service chain is selected for the packet, the security service chain including an ordered set of security functions deployed in the data center and to be applied to the packet. The packet is transmitted to the selected security service chain in association with the at least one label, the packet being processed by the ordered set of security functions in the security service chain.

Abstract: An abnormal traffic analysis apparatus includes receiving means for receiving traffic from a device, analysis means for analyzing whether or not traffic received from the device is abnormal traffic, analysis result recording means for recording a result of analysis performed by the analysis means, and device management means for managing movement of the device between edges. If it is determined by the device management means that a device that is a target of analysis performed by the analysis means moves to an edge, the receiving means creates information for continuing analysis of traffic received from the device and transmits the information to an apparatus for analyzing traffic that is included in the edge to which the device moves.

Abstract: A method and apparatus for generating a dynamic security certificate. The method creates an entropic element from user input, receives metadata from user input and generates a dynamic security certificate using the entropic element and the metadata. The dynamic security certificate is then trusted through user input.

Abstract: A method for predicting variables of interest related to a system includes collecting one or more sensor streams over a time period from sensors in the system and generating one or more anomaly streams for the time period based on the sensor streams. Values for variables of interest for the time period are determined based on the sensor streams and the anomaly streams. Next, a time-series predictive algorithm is applied to the (i) the sensor streams, (ii) the anomaly streams, and (iii) the values for the variables of interest to generate a model for predicting new values for the variables of interest. The model may then be used to predict values for the variables of interest at a time within a new time period based on one or more new sensor streams.

Abstract: Systems and methods for improving the catch rate of attacks/malware by a cooperating group of network security devices are provided. According to one embodiment, a security management device configured in a protected network, maintains multiple dynamic IP address lists including an NGFW deep detection list, a DDoS deep detection list, a NGFW block list and a DDoS block list. The security management device, continuously updates the lists based on updates provided by a cooperating group of network security devices based on network traffic observed by the network security devices. In response to receipt of a request from a NGFW device or a DDoS mitigation device associated with the protected network, the security management device provides the requestor with the requested dynamic IP address lists for use in connection with processing network traffic by the requestor.