Patents Examined by Michael M. Lee
  • Patent number: 11824879
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: November 21, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11824831
    Abstract: It is provided a method, comprising monitoring if a firewall receives a first packet and a second packet, wherein the first packet is directed to an IP address and a first port number; the second packet is directed to the IP address and a second port number; a hole through a firewall is punched for the IP address and a hole port number different from the first port number and the second port number; the first packet has a first payload; the second packet has a second payload; and the method comprises checking if the first payload is substantially the same as the second payload; causing the firewall to block the first packet and the second packet if the firewall receives the first packet and the second packet and the first payload is substantially the same as the second payload.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: November 21, 2023
    Assignee: F-Secure Corporation
    Inventor: Jarno Niemelä
  • Patent number: 11824891
    Abstract: A network apparatus maintains a data repository comprising network traffic data related to a plurality of user devices, the network traffic data being collected from a plurality of Network Service Providers (NSPs). A subset of the plurality of user devices are detected to be communicating with one or more same endpoint devices based on analysing the network traffic data. A number of historical connections between each user device of the subset of the plurality of user devices and the one or more endpoint devices is determined based on analysing historical connection data maintained in the data repository, and in response to detecting that the number of historical connections between the subset of the plurality of user devices and the one or more endpoint devices exceeds a predetermined threshold, the one or more endpoint devices are identified as a suspected botnet.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: November 21, 2023
    Assignee: Cujo LLC
    Inventors: Leonardas Marozas, Filip Savin, Matteo Cafasso, Santeri Kangas, Sean Tiernan
  • Patent number: 11818168
    Abstract: Method, product and apparatus for monitoring for security threats from lateral movements. A method comprises obtaining a graph of network lateral movements, that comprises nodes, representing network assets, and directed edges, representing a network lateral movement from a source asset to a target asset. An event that affects the graph of network lateral movements is detected. The event affects at least one of: the payload utility of the node and the probability of penetration to the node. The graph of network lateral movements is updated based on the event. The updated graph is analyzed to determine one or more mitigation actions to be applied. The one or more mitigation actions are applied automatically, manually or the like.
    Type: Grant
    Filed: July 26, 2022
    Date of Patent: November 14, 2023
    Assignee: CYMULATE LTD.
    Inventors: Avihai Ben-Yosef, Eyal Aharoni, Shmuel Ur
  • Patent number: 11811791
    Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: November 7, 2023
    Assignee: VMWARE, INC.
    Inventors: Makarand Bhonsle, Sirisha Myneni, Anirban Sengupta, Subrahmanyam Manuguri
  • Patent number: 11811803
    Abstract: There is provided a method comprising: detecting a new process start at a network node of a computer network; determining that said process requires external code modules; observing the times at which one or more external code modules required by the new process are loaded relative to the process starting time; determining that the usage of an external code module required by the new process is anomalous when the time elapsed between the start of the process and loading of said external code module lies outside predetermined expected boundaries; and taking further action to protect the network node and/or the computer network based on determining that the usage of the external code module required by the detected new process is anomalous.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: November 7, 2023
    Assignee: WITHSECURE CORPORATION
    Inventors: Paolo Palumbo, Dmitriy Komashinskiy
  • Patent number: 11811820
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 7, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11811809
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: November 7, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11811806
    Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.
    Type: Grant
    Filed: December 8, 2020
    Date of Patent: November 7, 2023
    Assignee: Barracuda Networks, Inc.
    Inventor: Fleming Shi
  • Patent number: 11811822
    Abstract: Methods and systems are presented for detecting and automatically blocking malicious traffic directed at a service provider. An IP address associated with a domain of the service provider is dissociated from the domain. Requests addressed to the IP address after it has been dissociated are identified as malicious and logged. IP addresses from which the malicious requests originated are blocked, and the log of malicious requests is used to train a model for determining pattern-based rules. Rules for managing traffic are determined based on the patterns and pushed to nodes of a proxy service, and the nodes may block or otherwise limit requests based on the rules.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: November 7, 2023
    Assignee: PAYPAL, INC.
    Inventor: George Chen Kaidi
  • Patent number: 11811805
    Abstract: One embodiment of the present invention sets forth a technique for predicting fraud by correlating user behavior biometric data with one or more other types of data. The technique includes receiving cursor movement data generated via a client device and analyzing the cursor movement data based on a model to generate a result. The model may be generated based on cursor movement data associated with a first group of one or more users. The technique further includes receiving log data generated via the client device and determining, based on the result and the log data, that a user of the client device is not a member of the first group.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: November 7, 2023
    Assignee: SPLUNK INC.
    Inventors: Gleb Esman, Oleg Izmerly
  • Patent number: 11811757
    Abstract: In accordance with at least some aspects of the present disclosure, an illustrative method for authenticating a user is disclosed. A plurality of biometric modalities are displayed for authenticating the user. A selection of one or more of the biometric authentication modalities may be received. User authentication data may be received for each of the one or more selected authentication modalities. The user authentication data may be compared with previously-determined biometric data. An authentication score may be determined based on the comparison of the user authentication data with the previously-determined biometric data. A determination may be made whether to authenticate the user based on the authentication score.
    Type: Grant
    Filed: March 3, 2022
    Date of Patent: November 7, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Mariam Alexanian, Andrew G. Foote, Ilya Ozerets, Shanti Tandukar
  • Patent number: 11811792
    Abstract: The disclosed computer-implemented method for preventing social engineering attacks using distributed fact checking may include (i) capturing one or more words or tones received by a party to a communication, (ii) extracting speech features associated with the words or tones to identify one or more alleged facts in the communication, (iii) generating one or more queries to verify the alleged facts in the communication, (iv) determining, utilizing distributed fact checking, whether the alleged facts are true based on the queries, and (v) performing a security action that generates an alert to protect against a potential social engineering attack on the receiving party when at least one of the alleged facts are determined to be false. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: November 7, 2023
    Assignee: GEN DIGITAL INC.
    Inventors: David Silva, Johann Roturier, Yun Shen, Pratyush Banerjee
  • Patent number: 11811733
    Abstract: Methods and systems are described operating a networking device comprising a data structure associating network packet signatures with network packet metadata, the data structure comprising a temporary storage pipeline and a hash table stored in a computer-readable memory. The method comprises upon determining that network packet metadata is to be inserted in the data structure, determining a location in the hash table at which the network packet metadata is to be inserted; if the location in the hash table is an empty cell, inserting the network packet metadata in the empty cell; if the location in the hash table is not an empty cell: transferring the pre-existing network packet metadata from the hash table to the temporary storage pipeline; inserting the network packet metadata at the location of the hash table; and operating a reinsertion routine.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: November 7, 2023
    Assignee: OVH
    Inventors: Thibault Chapel, Tristan Groleat
  • Patent number: 11809540
    Abstract: In certain embodiments, a token (e.g., a short-range wireless token or other token) may be provided to facilitate authentication. In some embodiments, the token may obtain a first challenge from a computer system. The token may determine to which challenge type of multiple challenge types the first challenge corresponds. The token may cause a secure component to use a key associated with a first challenge type to generate a first challenge response for the first challenge based on the first challenge corresponding to the first challenge type, where the key associated with the first challenge type may be selected by the secure component from multiple keys (for the generation of the first challenge response) based on the first challenge corresponding to the first challenge type. The first challenge response may be provided to the computer system.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: November 7, 2023
    Assignee: UBS Business Solutions AG
    Inventor: Alain Hiltgen
  • Patent number: 11811801
    Abstract: System, method, and software for detecting anomalies in data generated by microservices. In one embodiment, an anomaly detector collects performance metrics for a microservice deployed in a data center for an application. The anomaly detector transforms the performance metrics into a time-series structured dataset for the microservice, and feeds the structured dataset to a machine learning system to determine whether an anomaly exists in the structured dataset based on an anomaly detection model. The anomaly detector performs an anomaly classification with the machine learning system based on an anomaly classification model and the structured dataset when an anomaly is detected in the structured dataset, and performs an action based on the anomaly classification.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: November 7, 2023
    Assignee: Nokia Solutions and Networks Oy
    Inventors: Hyunseok Chang, Muralidharan Kodialam, T. V. Lakshman, Sarit Mukherjee
  • Patent number: 11811907
    Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.
    Type: Grant
    Filed: June 4, 2021
    Date of Patent: November 7, 2023
    Assignee: Ketch Kloud, Inc.
    Inventors: Yacov Salomon, Seth Yates, Maxwell Anderson, Vivek Vaidya, Anton Winter, Samuel Alexander, Tom Chavez
  • Patent number: 11811808
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: November 7, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11811736
    Abstract: Systems, methods, and storage media useful in a computing platform to automatically generate and deploy access control list (ACL) rules for one or more firewalls in a data center are provided. The computing platform is vendor-agnostic and generates ACL rules in multiple syntaxes depending on the firewall needing updating. The platform traverses a data center mapping structure to identify one or more firewalls to be updated for a destination IP address and source IP address and automatically generates the ACL rule in the syntax for the one or more firewalls identified.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: November 7, 2023
    Assignee: Cerner Innovation, Inc.
    Inventors: Chandrika Allam, Jose Pulickal, Priyanka Bandaru, Neha Bhandari, Ravindra Gadad, Dhananjay Gawali, Pravat Santra, John Moratelli, Kevin Hurst, John Ulmer
  • Patent number: 11809403
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely distribute digital assets within a computing environment using permissioned distributed ledgers. For example, an apparatus may receive, from a computing system, an allocation request, a first digital signature applied to the allocation request, and a second digital signature applied to the allocation request and to the first digital signature. Based on a validation of the first and second digital signatures, the apparatus may approve the allocation request and allocate a digital asset to the first device in accordance with the approved allocation request. The apparatus may also perform operations that record a public key and asset data identifying a digital asset onto a distributed ledger, and may generate and transmit, to the first device, confirmation data indicative of the allocation of the digital asset to the first device.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: November 7, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Alexey Shpurov, Albert Louis Rothenstein, Adrian Chung-Hey Ma, Buturab Rizvi, Alexandra Tsourkis, Francis James Alexander Guttridge