Abstract: Systems and methods are provided for managing false positives in a network anomaly detection system. The methods may include receiving a plurality of anomaly reports; extracting fields, and values for the fields, from each of the anomaly reports; grouping the anomaly reports into a plurality of groups according to association rule learning, wherein each group is defined by a respective rule; for each group, creating a cluster based on common values for the fields; and marking each cluster as a possible false positive anomaly cluster.

Abstract: A system including a mobile terminal having an authenticator, a TPM with tamper resistance and a voice assistant. The voice assistant makes a process request corresponding to voice input of a user to a server in accordance with the input, receives a biometric authentication request from the server, makes a request for a biometric authentication process to the mobile terminal of the user in accordance with the request for biometric authentication via wireless communication, and transmits an authentication result from the mobile terminal to a server. The mobile terminal executes the biometric authentication process using biometric information stored in the authenticator and the TPM in accordance with the request for the biometric authentication process from the voice assistant, and transmits an authentication result to the voice assistant.

Abstract: Techniques are provided for distribution-based aggregation of scores across multiple events. One method comprises obtaining a plurality of individual scores associated with a plurality of events; obtaining an expected distribution for the plurality of individual scores; and generating an aggregate score for the plurality of individual scores based on a deviation of the plurality of individual scores from the obtained expected distribution for the plurality of individual scores. The aggregate score, for example, reflects how closely the individual scores follow the expected distribution. The aggregate score comprises, for example, an aggregate risk score that: (i) is compared across different vectors of an organization; (ii) is used to create a security policy and/or modify a security policy; and/or (iii) triggers an alert based on one or more predefined threshold criteria. The multiple aggregate risk scores can be visualized in one or more geographic regions and/or sub-networks of an organization.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: The disclosed subject matter provides authentication between a client device and a server. The server allocates a dynamic user ID contained within an authentication token that is provided to the client device. In response to each successful authentication with the server, a new dynamic user ID is generated and provided to the client device for use in a subsequent authentication session. In generating the new dynamic user ID for the client device, the server invalidates any previously-provided dynamic user IDs for the client device.

Abstract: An authentication system for detecting a phishing attack by a Man in Middle (MIM) on an end-user. The system includes a communicating device of the end-user and an authentication server for determining if a MIM (spoofing) or the end-user is communicating with the authentication server. The communicating device includes a bearer sensitive one-time password (BOTP) generator for generating a specific BOTP specifically associated with the communicating device where the BOTP is derived using a unique differentiating observable attribute (UDOA) of the communicating device. The communicating device sends the BOTP to the authentication server which uses the perceived UDOA of the received BOTP and calculates an authenticator server BOTP. The authentication server also determines if the received BOTP matches the BOTP calculated by the authenticating server and terminates/rejects the session if the BOTPs do not match. A similar system and method may be utilized to authenticate a digital object.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; instructions encoded within the memory to instruct the processor to: identify a downloaded file on a file system; inspect a metadata object attached to the downloaded file; parse the metadata object to extract an advertiser identification string from a GET code portion of a uniform resource locator (URL); query a reputation cache for a reputation for the advertiser identification string; receive a deceptive reputation for the advertiser identification string; and take a remedial action against the downloaded file.

Abstract: One example method includes transmitting, from a client, a remote procedure call (RPC) to a fileserver of a data protection system, the RPC including information identifying an export, then receiving, at the client, node information concerning the export, and the node information concerns a master pseudofs of the fileserver. Finally, the example method includes creating, at the client, a sparse client-specific pseudofs that is based on the node information received from the fileserver, and the sparse client-specific pseudofs includes fewer than all the master pseudofs nodes that the client is authorized to access.

Abstract: Method, product and apparatus for monitoring for security threats from lateral movements. A method comprises obtaining a graph of network lateral movements, that comprises nodes, representing network assets, and directed edges, representing a network lateral movement from a source asset to a target asset. An event that affects the graph of network lateral movements is detected. The event affects at least one of: the payload utility of the node and the probability of penetration to the node. The graph of network lateral movements is updated based on the event. The updated graph is analyzed to determine one or more mitigation actions to be applied. The one or more mitigation actions are applied automatically, manually or the like.

Abstract: A system for providing an application includes an interface and a processor. The interface is configured to receive an indication to provide an application to a device. The processor is configured to provide the application to the device. The application is configured to: receive a request for a list of valid credentials; determine a list of stored credentials; provide the list of stored credentials to a database system; receive an indication of revoked credentials from the database system; and determine the list of valid credentials based at least in part on the list of stored credentials and the revoked credentials.

Abstract: A method for setting up a subscriber identity module for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server includes generating one or several exchange keys from keys of the provisioning server and of the subscriber identity module on a production server and are transmitted into the subscriber identity module and stored, so that the subscriber identity module is put particularly into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.

Abstract: A method for avoiding a Bluetooth device from being traced, which comprises the following steps: parsing, by a target Bluetooth device, a second dynamic address to obtain a second random number and a second data; and generating, by the target Bluetooth device, a plurality of the third data successively according to the identity parsed keys in the identity parsed keys list save by the target Bluetooth device and a second random number, and determining whether there exists any third data which is the same as the second data, if yes, determining that there exists the second identity parsed key which is authenticated successfully; otherwise, determining that there isn't the second identity parsed key which is authenticated successfully.

Abstract: In accordance with at least some aspects of the present disclosure, an illustrative method for authenticating a user is disclosed. A plurality of biometric modalities are displayed for authenticating the user. A selection of one or more of the biometric authentication modalities may be received. User authentication data may be received for each of the one or more selected authentication modalities. The user authentication data may be compared with previously-determined biometric data. An authentication score may be determined based on the comparison of the user authentication data with the previously-determined biometric data. A determination may be made whether to authenticate the user based on the authentication score.

Abstract: In a general aspect, a method can include: executing an operation of a program that loads an arbitrarily chosen value of an initial data item of a series of ordered data; executing a series of calculation operations distributed in the program, that calculate a current data item based on a preceding data item; performing a final calculation operation of the series of operations that calculates a final data item of the data series; and executing an operation of the program that detects a program execution error by comparing the current data item of the data series with an expected value of the current data item or the final data item, the final data item having an expected value that is independent of the number of data items in the data series and is calculated based on the current data item of the data series and a final compensation data item.

Abstract: A cloud-based data governance system includes a processing unit, a network adapter, and memory for storing data and code. The network adapter establishes a connection with a remote data storage system associated with a remote file system over a wide-area network (WAN). The code includes an event collection interface, a data governance service, and an enforcement service. The event collection interface is configured to capture an event from the remote data storage system. The event is indicative of a file system operation executed on a data object of the remote file system. The data governance service is configured to receive the event from the event collection interface and to process the event to determine whether the file system operation conflicts with a governance policy of the data governance system. The enforcement service executes a set of remediation actions if the file system operation does conflict with the governance policy.

Abstract: The present application discloses methods, apparatuses, and systems for acquiring local information. An exemplary method may include sending a first request for information acquisition to a network apparatus through a script in a browser. The method may also include monitoring, through the local application tool, a random number, sent by the network apparatus, corresponding to the first request for information acquisition. Moreover, the method may include acquiring, through the local application tool, the first request for information acquisition corresponding to the random number stored in the network apparatus. Furthermore, the method may include acquiring, through the local application tool, local information corresponding to the first request for information acquisition, and sending, through the local application tool, the local information to the network apparatus.

Abstract: A screen unlocking method and apparatus, and a storage medium are provided. The method includes: obtaining a message that carries identity identification information of the first terminal; matching the identity identification information of the first terminal with a preset identification information matching rule; and controlling the screen to be unlocked in response to determining that the identity identification information of the first terminal meets the preset identification information matching rule.

Abstract: A data processing method is performed at a computer system managing application programming interfaces (APIs) and mobile application entrances.

Abstract: Systems for performing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a scanning service that facilitates duplication of all or a portion of the target computing resource, and then performs the security assessment on the duplicate computing resource to avoid consuming processing time, processing power, and storage space of the target computing resource. A snapshot of the target computing resource, containing the data necessary to reproduce the portion to be assessed, is captured and used to implement the duplicate computing resource in newly allocated resources. The snapshot can be an image of a logical volume implementing the target computing resource. To reproduce a target virtual machine, the snapshot may include a configuration used to instantiate the target virtual machine; the scanning service may implement a duplicate virtual machine that is instantiated with the same configuration.

Abstract: An example operation may include one or more of generating a data frame storing content of a simulation, compressing the simulation content within the data frame based on previous simulation content stored in another data frame to generate a compressed data frame, and transmitting the compressed data frame via a blockchain request to one or more endorsing peer nodes of a blockchain network for inclusion of the compressed data frame within a hash-linked chain of blocks of the blockchain network.