Abstract: Various embodiments of the present technology generally relate to management of big data storage and data access control systems. In some embodiments, a data access system for use in multiple application service and multiple storage service environments comprises a sandbox database for users, wherein the sandbox database is a virtual database environment via which a user may access datasets according to one or more access policies. In some embodiments, the data access system receives a user request to access a dataset stored in a database into the sandbox environment, wherein the database is associated with the data access system. In response to the request, the data access system may retrieve the corresponding data from the database, determine any associated sandbox access policies, and generate an anonymized data table in the sandbox environment.

Abstract: A BGP message sending method includes: determining, by a first network device, that a host identified by a first MAC address is an attacker; generating, by the first network device, a BGP message, where the BGP message includes the first MAC address and indication information, and the indication information is used to indicate that the host identified by the first MAC address is the attacker; and sending, by the first network device, the BGP message to a second network device.

Abstract: A multi-stage anomaly detector analyzes an anomalous process chain in real time and rapidly determines whether the process chain is indicative of a cyber threat on an endpoint computing device in a multi-host environment. The multi-stage anomaly detector is used in an analyzer module configured within a host endpoint agent on that device. The analyzer module generates an anomaly score to correlate a likelihood that the cyber threat detected is harmful to that device. The multi-stage anomaly detector includes multiple stages of anomaly detectors including a first stage, a second stage, and a third stage of the anomaly detectors. Each stage generates its own anomaly score to produce at least one rapidly determined anomaly score as well as one thoroughly determined anomaly score. Each anomaly score is generated from various computational processes and factors different from the computational processes and factors of the other stages of anomaly detectors.

Abstract: One or more computing devices, systems, and/or methods for end-to-end encryption for multiple recipient devices are provided. A first registration, comprising a first device public key, is created for a first device. A second registration, comprising a second device public key, is created for a second device. A first notify message of the second registration and second device public key is provided to the first device. A second notify message is provided to the second device of the first registration and first device public key. A secure communication invite is routed to the first device. An encrypted message, comprising a first device private key, is routed from the first device to the second device. End-to-end encrypted communication between a sender device and the first device and the second device using the first device private key is facilitated.

Abstract: A method and a system for detecting harmful content on a network are provided. The method comprises: receiving a URL; obtaining, from the URL, an HTML document associated therewith; converting the HTML document into a text; normalizing the text associated with the HTML document, thereby generating a plurality of tokens associated therewith; aggregating, each one of the plurality of tokens into a token vector associated with the HTML document; and applying, one or more classifiers to the token vector associated with the HTML document to determine a likelihood parameter indicative of the URL being associated with the harmful content; in response to the likelihood parameter being equal to or greater than a predetermined likelihood parameter threshold: identifying, the URL as being associated with the harmful content; and storing, the URL in a database of harmful URLs.

Abstract: Provided in some embodiments are systems and methods for determining a data flow path including a plurality of network devices for routing data from a first network device to a second network device; determining for the network devices one or more flow rules that specify an input for receiving data, an output for outputting data, and a role tag indicative of a role of a network device, where the role tag for one or more flow rules for a first network device of the network devices indicates a source role; distributing, to the network devices, the one or more flow rules; determining malicious activity on the data flow path; determining that the first network device is a source based at least in part on the role tag for the first network device; and sending, to the first network device, a blocking flow rule to inhibit routing of malicious data.

Abstract: An apparatus comprises at least one processing device that includes a processor and a memory coupled to the processor. The at least one processing device is configured to receive storage access protocol commands directed by one or more host devices to storage devices of a storage system over a storage area network, to generate statistics relating to the received storage access protocol commands, to process the generated statistics in a machine learning system trained to recognize anomalous access patterns to the storage devices over the storage area network, and to generate an alert indicative of an access anomaly based at least in part on the processing of the generated statistics in the machine learning system. A multi-path input-output (MPIO) driver of the one or more host devices may be provided with the alert and configured to initiate one or more remediation actions responsive to the alert.

Abstract: Aspects of the disclosure relate to dynamic message analysis using machine learning. A computing platform may monitor a messaging server associated with an enterprise organization. Based on monitoring the messaging server, the computing platform may identify bi-directional messaging traffic between enterprise domains associated with the enterprise organization and external domains not associated with the enterprise organization. Based on identifying the bi-directional messaging traffic, the computing platform may select external domains for a conversation detection process. The computing platform may compute an initial set of rank-ordered external domains by: determining, based on a number of messages sent to and received from each enterprise domain/external domain pair, weighted difference values and ranking the plurality of external domains selected for the conversation detection process based the weighted difference values.

Abstract: Techniques are described for providing users of a data intake and query system with pre-trained ML models capable of identifying malicious threats (e.g., malware, botnets, ransomware, etc.) in users' computing environments based on an analysis of Domain Name System (DNS) log data collected from DNS servers in users' environments. DNS log data is ingested by a data intake and query system and processed to obtain searchable timestamped event data. This event data can then be used as input to ML models provided by a security ML application described herein to detect potential occurrences of malicious activity within users' computing environments.

Abstract: Various embodiments provide novel tools and techniques for a threat mapping engine. A system includes a vertex discovery harvester subsystem, an edge extractor subsystem, a vertex correlator subsystem, and a recursive graph builder subsystem. The recursive graph builder subsystem includes a processor, and a computer readable medium in communication with the processor, the computer readable medium having encoded thereon a set of instructions executable by the processor to generate a map of one or more connections from the first known vertex to at least one related vertex of the one or more vertices via at least one edge, based on the one or more vertex correlations, determine a threat score indicative of a threat posed by at least one related vertex of the map, and generate a threat graph based on the map and the threat score of the at least one related vertex layered over the map.

Abstract: A method and apparatus for executing code in a container are described. In one embodiment, the method comprises generating code on a host computer system using a user interface; and executing the code inside a container on the host computer system, including performing access control based on one or more properties of the host computer system.

Abstract: Aspects of the disclosure relate to a data integrity system for transmission of data. A computing platform may detect transmission of data to a second enterprise computing device, and may intercept the data content in transmission. Then, the computing platform may convert the data content to an electronic file in a standardized textual format. Then, the computing platform may add an alert message to a message queue indicating that the electronic file is available for processing. Subsequently, the computing platform may cause one or more content processors to process the electronic file to identify a portion of the data content for review prior to transmission, and output a notification message to the message queue providing information related to the identified portion. Then, the computing platform may modify the data content, generate a link to the modified data content, and provide the generated link to the second enterprise computing device.

Abstract: The present invention relates to a method and a detection device for detecting a DGA domain generation algorithm in a computer communication network (106) comprising at least one server (104) for resolving DNS requests from at least one client terminal (102). The computer communication network (106) further includes a detection module (108) coupled to the resolution server (104) and configured to analyse DNS queries according to the following steps: for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple; combine tuples into homogeneous partitions according to the tuple community detection technique; and deduce for each homogeneous partition all the client terminals using a same DGA.

Abstract: A system continuously stores metadata results associated with a plurality of ransomware attacks, a plurality of inspection class policy definitions, a plurality of data protection operations, and operational forensics data as machine learning training data, continuously monitors for one of a new security condition and event, detects one of the new security condition and event, determines an appropriate inspection class policy based on the one of the new security condition and event, based on the inspection class policy, determines one to implement of a class of inspection operation, a cyber security analysis, and a data protection operation, and executes one of the class of inspection operation, the cyber security analysis, and the data protection operation based on the machine learning training data.

Abstract: Techniques for building and maintaining cyber security threat detection models are described. The techniques include data selection, algorithm selection, risk score algorithm selection, model outcome selection, and model automation. During data selection, data is received from various sources and in various formats. The data is then tokenized into vector form and compared to preexisting vectors. If the vectors are equal, the tokenized vector is saved in the database. If the vectors are not equal, a new vector, in key value pair format, is formed. After which, algorithms can be selected to detect anomalies within the data and assign a risk score to the data. Subsequently, a matrix is formed with the vector, selected algorithm, and parameters of the data that were analyzed. The matrix is then stored for application with future data based on a predetermined rule. The output can be modeled in various user-friendly methods.

Abstract: Devices, systems, and methods are provided for cloud-based entity reputation scoring. A method may include determining, based on domain name service (DNS) data associated with entities of the cloud-based environment, a k-partite graph with nodes and edges, a node including a first elastic computing instance. The method may include generating features associated with the first elastic computing instance. The method may include determining, based on the features, a minimum value, a maximum value, and an average value, and generating a feature vector comprising the minimum value, the maximum value, and the average value. The method may include determining, based on the feature vector, a reputation score associated with the first elastic computing instance. The method may include communicating based on the reputation score.

Abstract: A server includes one or more processors, programmed to responsive to receiving, from a mobile device of a user, a hailing request that identifies the user as requesting to schedule a ride, select a vehicle to respond to the hailing request based on a capacity to accept an encryption key of the vehicle, the hailing request including a user profile, generate an encryption key to authenticate the mobile device of the user with the vehicle, send the encryption key to both the vehicle and the mobile device to schedule the ride.

Abstract: A method for phishing detection using uniform resource locators is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL). The method includes assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score indicating a phishing potential based on URL rules. The method includes determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs. The method also includes determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL.

Abstract: Systems and methods for federated privacy management are disclosed. In one embodiment, a method for federated privacy management may include: (1) receiving, at a user management node, and from a client application executing on an electronic device, a device identifier; (2) receiving, by the user management node, and from a second layer node in a multi-layer federated privacy management network, data comprising at least one of browsing data and application data from a web host or a server, wherein the data is in response to an internet protocol request from the client application via a first layer node and the second layer node to the web host or the server, and the data is associated with the device identifier; (3) receiving, at the user management node, a request for the data from the client application using the device identifier; and (4) communicating the data to the client application.

Abstract: Various embodiments of apparatuses and methods for malware infection detection for edge devices, such as IoT (“Internet of Things”) devices, are described. In some embodiments, a malware infection detection service receives data from a plurality of edge devices of a remote network. It can identify a variety of different detection mechanisms to detect whether an edge device is potentially infected with malware, and determine confidence levels for the different detection mechanisms. Using the detection mechanisms with the received data, it can determine one or more findings that an edge device is potentially infected with malware. It can then determine a confidence level for each finding. It can then determine an accumulated confidence, based on the confidence levels of the detection mechanisms and the findings. The malware infection detection service might then identify one or more of the edge devices as potentially being infected by malware based on the accumulated confidence.