Abstract: Techniques are described herein that are capable of detecting potential malicious use of a resource management agent using a resource management log. The resource management log is analyzed. The resource management log logs API requests that request that a resource management system cause the resource management agent to perform respective operations. An anomalous operation is detected among the operations based at least in part on an identified API request satisfying one or more criteria associated with anomalous behavior. The identified API request requests that the resource management system cause the resource management agent, which is loaded on a machine and which enables the resource management system to remotely manage resources associated with the machine, to perform the anomalous operation. An alert is generated to notify a user of the potential malicious use of the resource management agent based at least in part on detection of the anomalous operation.

Abstract: Techniques for deobfuscating and decloaking web-based malware with abstract execution is disclosed. In some embodiments, a system/process/computer program product for deobfuscating and decloaking web-based malware with abstract execution includes receiving a sample; performing an abstract execution of a script included in the sample; identifying the sample as malware based on the abstract execution of the script included in the sample; and generating a log of results from the abstract execution of the script included in the sample.

Abstract: An enterprise-wise means for determining monitoring requirements for technology resources, such as, software, hardware, firmware, network or the like and implementing the monitoring. Artificial Intelligence (AI) is implemented to determine monitoring requirements based on characteristics of the technology resource that is to be monitored. In this regard, the characteristics of the technology resource serve to define the problem(s), such as cyber threats and/or performance issues that the technology resource currently faces or will face in the future. By determining the monitoring requirements based on the technology resource's characteristics, including the technological environment, the invention serves to describe what needs to be monitored in terms of the problems that the technology resource currently faces or will face.

Abstract: Aspects described herein may relate to techniques for detecting login activity to a financial account during a knowledge-based authentication process. The login activity may be related to access to an online interface for the financial account. The detection of login activity during the authentication process my indicate that the integrity of the authentication process is compromised as login access may provide an individual with transaction data that may be used to answer transaction-based authentication questions. As a result of detecting login activity, an alternative authentication process may be initiated or an authentication request related to the financial account may be denied.

Abstract: An approach for blockchain transaction processing using generative cryptograms for bi-lateral and Multi-lateral transactions may be provided. The approach may include, the use of decentralization ledger storage, negating the need of repetitive storage while preserving the need for data redundancy. A generative cryptogram may provide verification of processed blocks and file handles or storage address schemes of the ledger storage. The approach creates a cryptogram which is added to transaction processing, post processing and commits to the ledger. In the approach, the cryptogram is the only version of storage pointer and is utilized in subsequent transaction processing without the need for extensive compute and latest cryptogram is all that would be needed for transaction processing.

Abstract: Described implementations obtain credential information including an encrypted digital identity (ID). The encrypted digital ID may include a public component of a credential and identity data. Furthermore, the credential information may include cryptographically obfuscated data based on the identity data and a private component of the credential. A proof is obtained that includes proof data. The proof data may confirm that the credential information was correctly generated. Verification of the proof data, and confirmation that the cryptographically obfuscated data is not associated in a collection of cryptographically obfuscated data, cause a computer-implemented service to issue a pseudonym. The pseudonym is usable to generate a relationship associated with a computer-implemented service.

Abstract: A method for protecting sensitive data from being exposed in graph embedding vectors. In some embodiments, a method may include generating first graph embedding vectors from an original graph and generating a proxy graph from the first graph embedding vectors. The proxy graph may include a plurality of proxy nodes and proxy edges connecting the proxy nodes. The proxy nodes may include one or more attributes of the original nodes that are included in the first graph embedding vectors. Second graph embedding vectors may then be generated by encoding the proxy graph and a reconstructed graph may be generated from the second graph embedding vectors. Finally, the reconstructed graph may be compared to the original graph and if a threshold level of similarity is met, a security action may be performed to protect sensitive data from being exposed.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: Systems and techniques provide activity monitoring and selective obfuscation of various fields or categories of information included in traffic between servers providing services and end-user devices accessing such services. The selective obfuscation may account for a user's role and one or more levels of authorization or permission assigned to such a role. More generally, the disclosed techniques provide the ability to selectively restrict end-user access to data included in server responses, such that desired portions of the data are not accessible while other portions of the data are still accessible. An administrator tool may configure the permissions and rules used to decide whether traffic to or from a particular server or service should be selectively obfuscated; and if so, how that traffic should be selectively obfuscated.

Abstract: A computer-implemented method, computer program product and computing system for: obtaining first system-defined platform information concerning a first security-relevant subsystem within a computing platform; obtaining at least a second system-defined platform information concerning at least a second security-relevant subsystem within the computing platform; combining the first system-defined platform information and the at least a second system-defined platform information to form system-defined consolidated platform information; and generating a security profile based, at least in part, upon the system-defined consolidated platform information.

Abstract: Embodiments of this application disclose a rule detection method, to increase rule anomaly detection coverage. The method in the embodiments of this application includes: determining, based on an obtained first initial priority corresponding to a first rule, an obtained second current priority corresponding to a second rule, and a determined inclusion relationship between the first rule and the second rule, a first current priority corresponding to the first rule; and then determining, based on a relationship between the first initial priority and the first current priority, whether an anomaly occurs on the first rule.

Abstract: A method, performed by one or more processors, including: receiving one or more event records; generating, using the one or more event records, an event descriptor object descriptive of one or more events occurring in a networked system, wherein the event descriptor object comprises a plurality of event properties; receiving one or more entity records; generating, using the one or more entity records, an entity descriptor object descriptive of one or more entities relevant to the security of the networked system, wherein the entity descriptor object comprises a plurality of entity properties; incorporating, into an object graph, the event descriptor object and the entity descriptor object; and associating, in the object graph, the event descriptor object with the entity descriptor object using at least one of the plurality of event properties and at least one of the plurality of entity properties.

Abstract: Methods and systems for implementing a moving target defense are described. The moving target defense can comprise obfuscating a protocol identifier within a packet. The protocol identifier can be replaced with a faux protocol identifier. Additionally, diversion headers can be inserted into to the packet, thereby creating additional layers of complexity.

Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.

Abstract: A request for access to a user's account is made to an authenticator. The authenticator sends a request for access to the user associated with the user's account. In response to user authorization, the authenticator sends an access link to a service engineer. The service engineer access the link to access the user's account with limited and restricted access. When a remote service session associated with the activated access link is terminated, the authenticator sends a termination of session notice to the user.

Abstract: Within a particular Top Level Domain (TLD), domain name allocation and domain name ownership may be subject to certain restrictions requiring verification. A processing platform and method is disclosed to process verification of a domain name and/or a domain name entity such as a registrant for domain name transactions with a domain name registry. The processing platform and domain name registry may be remotely located relative to one another.

Abstract: Systems, methods, and devices for privacy-protecting data logging that can log user behavior (e.g., web browsing) without creating a user-specific list of browsed URLs are disclosed. In one embodiment, in an information processing apparatus comprising at least a token server, a privacy service, and a data store, a method for privacy logging may include: (1) providing, by the token server, a token to a privacy application executed on an electronic device and to a privacy service; (2) receiving, by the privacy service, browsing traffic from a browser or application executed by the electronic device; (3) associating, by the privacy service, the browsing traffic with the token; and (4) storing, by the data store, the associated browsing traffic with the token.

Abstract: Techniques and mechanisms for verifying integrity of components within a management component transport protocol (MCTP) server system to detect man-in-the-middle (MITM) attacks and preventing data loss upon detection of MITM attacks. For example, a controller may perform an endpoint discovery process and authenticate endpoints within a rack server system. The controller may send requests to endpoints based on user actions and if no response is received from a particular endpoint, the controller may determine there is a MITM attack and block traffic to the particular endpoint. Additionally, the controller may periodically request measurements from endpoints that are related to the code and configuration area of the endpoints. If the received measurements from a particular endpoint do not match expected values, the controller may determine there is a MITM attack and block traffic to the particular endpoint.

Abstract: It is provided a method, comprising monitoring if a firewall receives a first packet and a second packet, wherein the first packet is directed to a IP address and a first port number; the second packet is directed to the IP address and a second port number; a hole through a firewall is punched for the IP address a hole port number different from the first port number and the second port number; the first packet has a first payload; the second packet has a second payload; and the method comprises checking if the first payload is substantially the same as the second payload; causing the firewall to block the first packet and the second packet if the firewall receives the first packet and the second packet and the first payload is substantially the same as the second payload.

Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.