Abstract: A method of monitoring and protecting access to an online service from an Account Take Over attack may include: providing a Traffic Inspector in signal communication with at least one client device for Internet browsing and with a web server having the online service residing therein; providing a Traffic Analyzer in signal communication with the Traffic Inspector; identifying, by the Traffic Inspector, each browsing session of the at least one client device on the online service; extracting and identifying, by the Traffic Analyzer, one or more usernames when a user performs authentication to the online service, analyzing traffic exchanged between the at least one client device and the web server; and collecting, by the Traffic Inspector, first characteristic data concerning unique and/or non-unique technical parameters and associating, by the Traffic Analyzer, the first characteristic data with respective identified one or more usernames.

Abstract: Aspects of the disclosure relate to dynamic and automated spear phishing management. A computing platform may identify users to receive a simulated spear phishing message. In some instances, the computing platform may receive a very attacked persons (VAP) list and may identify the users to receive the simulated spear phishing message based on the VAP list. Based on historical message data associated with a first user, the computing platform may identify message features associated with the first user. Using a predetermined template and for a first user account linked to the first user, the computing platform may generate a first spear phishing message based on the message features. The computing platform may then send, to the first user account, the first spear phishing message.

Abstract: Embodiments of the present invention provide methods, apparatus, systems, computing devices, computing entities, and/or the like for permitting or blocking tracking tools used through webpages. In particular embodiments, the method involves: scanning a webpage to identify a tracking tool configured for processing personal data; determining a data destination location that is associated with the tracking tool; and generating program code configured to: determine a location associated with a user who is associated with a rendering of the webpage; determine a prohibited data destination location based on the location associated with the user; determine that the data destination location associated with the tracking tool is not the prohibited data destination location; and responsive to the data destination location associated with the tracking tool not being the prohibited data destination location, permit the tracking tool to execute.

Abstract: Disclosed herein is a fraud analysis data reduction technique. When reviewing a large set of data for potential fraudulent action there is often too much data for a human to reasonably analyze. A technique to reduce the overall amount of data associates entities that have duplicate values stored in corresponding data elements with one another and removes those entities that do not have at least one duplicate value. The entities with duplicate values are entered into a node graph and analyzed for connected components. The connected components analysis and a duplicate threshold analysis provide usable results to identify fraudulent activity.

Abstract: Systems and methods for controlling measurement units for a medical scale. One system includes a removable head unit configured to couple to a medical scale platform. The removable head unit includes a human machine interface (HMI) and an electronic processor coupled to the human machine interface. The electronic processor is configured to receive, via the HMI, a first user input selecting a permanent lock mode. The electronic processor is configured to, in response to receiving the user input, present a first authentication request and receive a second user input including a first authentication token. The electronic processor is configured to, when the first authentication token is valid, present a measurement unit selection prompt. The electronic processor is configured to receive a second user input selecting a measurement unit and, in response to receiving the second user input, activate the permanent lock mode based on the selected measurement unit.

Abstract: Methods, systems, and apparatuses to improve the handling of exceptions during the retrieval and processing of health records from various data sources are provided. During the retrieval and processing of health records, exceptions to typical behavior are recorded with context at the data extraction protocol level, at the health record level and at the level of elements with the document. Accordingly, insights may be developed and configurations, rules, or coding changes, based on the detected exceptions may be proposed. In some instances, an operator may be notified about the exceptions such that the operator may act on the insight. In some instances, the processing of extracted records (documents, messages) may be deferred until the operator has made appropriate changes to configuration, rules, or code. In some instances, the system may supplement and/or replace the operator with machine learning engines that act on the developed insights.

Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable medium for recovering a session object associated with a secure session established by a security protocol server, including receiving, by a recovery server, an encrypted session object from the security protocol server, wherein the encrypted session object is unique to the secure session, generating, by the recovery server, a recovery key based on a first initial key and a recovery key sequence number, wherein the recovery key sequence number corresponds to a number of times that secure sessions have been established since the first initial key is received by the security protocol server, and decrypting, by the recovery server, the encrypted session object using the recovery key to generate the session object associated with the secure session.

Abstract: A method, apparatus and computer system to identify threats on a TCP/IP-based network. The approach leverages a set of reference patterns (or “network spectrals”) associated with one or more defined Indicators of Compromise (IoCs). At least one reference pattern is time-bounded and profiles a network traffic pattern using a set of session data (e.g., volume, direction, traffic metadata) that is payload-neutral and may be derived in part by time-series compression of at least one non-varying encoding interval. Network traffic data associated with a traffic pattern under test is received and encoded to generate a test spectral. A stream-based real-time comparison is performed to determine whether the test spectral matches against any of the reference spectrals. Responsive to identifying a match, a given remediation or mitigation action is then taken. A reference spectral may represent a bi- or multi-directional flow, and the multi-directional flow may involve multiple entities.

Abstract: Disclosed herein are systems and methods for preventing malicious injections. In one aspect, a method includes monitoring active processes that are running in suspended mode. For each active process being monitored, the method includes injecting a dynamic link library (DLL) into the active process to hook an application programming interface (API) of an application corresponding to the active process, wherein the DLL is injected for tracking commands for suspension and resumption of the active process. The method includes monitoring file inputs and outputs of the application for anomalies while the active process is in the suspended mode, and when a command for resuming the active process is detected using the DLL, determining, based on the monitoring, whether a malicious process is inserted into the active process. The method includes allowing the suspended process to resume execution in response to determining that no malicious process is inserted in the active process.

Abstract: Methods, systems, and computer-readable storage media for receiving a AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of process, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.

Abstract: A system includes a centralized repository for tracking rule content and managing subscriptions to rule content by organizations and providers utilizing the system; a rule-evaluation server for receiving requests for rule-evaluations for specific patients, wherein the server determines content needing to be evaluated and retrieves the content to be used; a rule engine for performing the evaluations, wherein content, patient data, and rule evaluation parameters are provided to the engine, and the engine returns recommendations triggered by the evaluation, if any; an aggregator for aggregating recommendations from multiple sources, detecting and coordinating related recommendations, and applying configuration settings based on the patient and/or provider in context; and a client component for coordinating communication between an electronic health records system, the server, and the aggregator.

Abstract: An integrated circuit can include a communication endpoint configured to maintain a communication link with a host computer, a queue configured to receive a plurality of host commands from the host computer via the communication link, and a processor configured to execute a device runtime. The processor, responsive to executing the device runtime, is configured to perform validation of the host commands read from the queue and selectively execute the host commands based on a result of the validation on a per host command basis. The host commands are executable by the processor to manage functions of the integrated circuit. The queue is implemented in a region of memory that is shared by the integrated circuit and the host computer.

Abstract: Systems and techniques for detecting advertising fraudulent traffic, or invalid traffic, by correlating advertising traffic with cyber network defense events are described. For example, described techniques include querying cyber network traffic events, querying the metadata returned by the tag script placed in the displayed advertisement, and correlating times, internet protocol (IP) addresses, publisher domains, and referrer domains with domains and IP addresses flagged by network cyber security events.

Abstract: Example methods and systems for correlation-based security threat analysis are described. In one example, a computer system may obtain event information that is generated by monitoring a virtualized computing instance supported by a host; and network alert information that is generated by monitoring network traffic associated with the virtualized computing instance. The network alert information may specify security threat signature(s) detected based on the network traffic. The computer system may map the network alert information to threat information that specifies indicator(s) of compromise associated with the signature(s) and perform a correlation analysis based on the event information, network alert information and threat information. Based on the correlation analysis, it is determined whether there is a potential security threat associated with the virtualized computing instance.

Abstract: A client computing device has a storage device storing a plurality of files and a system agent. The system agent applies a hash function to binary data read from the plurality of files to generate a set of data signatures. A server computing device has a database interface to access a database representing a state of the network and storage for a set of exemplar data signatures resulting from a scan of one or more exemplar computing devices, each data signature generated by applying a hash function to binary data representing a file. The client computing device is configured to receive and compare the set of exemplar data signatures with the generated set of data signatures, and to transmit data to the server computing device based on the comparison. The server computing device is configured to obtain data received from the client computing device and update records in the database.

Abstract: Mechanisms for defending a computing system from attack are provided. The mechanisms include: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: The embodiments herein provide a secure computing resource set identification, evaluation, and management arrangement, employing in various embodiments some or all of the following highly reliable identity related means to establish, register, publish and securely employ user computing arrangement resources in satisfaction of user set target contextual purposes.

Abstract: Techniques for intelligently deciding the optimal authenticator(s) from amongst those supported by an electronic device are described. The authentication system according to some embodiments may include a dynamic machine learner that incorporates the attributes of: (i) user behavior attributes (e.g., preferred authenticator); (ii) device attributes (e.g., hardware and software specifications, applications, etc.); and (iii) operating environment attributes (e.g., ambient light, noise, etc.), as well as the interplay between the aforementioned attributes over time to make the decision. In some embodiments, the authentication activities and patterns of other users of similar type (e.g., users exhibiting similar behavior across different operating environments) can also be learned and employed to improve the decision making process over time.

Abstract: Provided is a method for transmitting data packets over a network from a sender to a receiver via a communication link consisting of at least one transmission section, via which the data packet is transmitted from a sender node to a receiver node, the method having the following steps for at least one transmission section: first security information, which includes information about a cryptographic protective function used in the transmission of the data packet via an adjacent transmission section, is assigned to the data packet by the sender node, the data packet having the assigned security information is transmitted to the receiver node of the transmission section, the security information is checked in the receiver node against a preset guideline, and at least one measure is provided in accordance with the result of the check.

Abstract: A multiclass classifier generates a probability vector for individual data units of an input data stream. The probability vector has prediction probability values for classes that the multiclass classifier has been trained to detect. A class with the highest prediction probability value among the classes in a probability vector is selected as the predicted class. A confidence score is calculated based on the prediction probability value of the class. Confidence scores of the class are accumulated within a sliding window. The class is declared to be the detected class of the input data stream when the accumulated value of the class meets an accumulator threshold. A security policy for an application program that is mapped to the class is enforced against the input data stream.