Abstract: A multiclass classifier generates a probability vector for individual data units of an input data stream. The probability vector has prediction probability values for classes that the multiclass classifier has been trained to detect. A class with the highest prediction probability value among the classes in a probability vector is selected as the predicted class. A confidence score is calculated based on the prediction probability value of the class. Confidence scores of the class are accumulated within a sliding window. The class is declared to be the detected class of the input data stream when the accumulated value of the class meets an accumulator threshold. A security policy for an application program that is mapped to the class is enforced against the input data stream.

Abstract: A synthetic identity network for detecting synthetic identities may receive a first request for credit including one or more user attributes, compare the one or more user attributes to one or more stored user identities, create a new user identity, flag the new user identity as a potentially synthetic identity based on comparing the one or more user attributes to the one or more stored user identities, receive a second request for credit including or more second user attributes, compare the one or more second user attributes to the one or more user attributes associated with the potentially synthetic identity, prepare a notice including the potentially synthetic identity and a credit request identifier, and transmit the notice to one or more servers.

Abstract: In one embodiment, a method implemented in a microprocessor, including receiving a fetched branch instruction; performing a privilege level test on a fetched branch instruction using a privilege level indicated by a first tag corresponding to a privilege level in a branch prediction table comprising plural entries, each of the plural entries comprising a tag corresponding to a privilege level; and providing a prediction branch miss for the fetched branch instruction based on a failure of the privilege level test.

Abstract: Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem metadata including information about file operations during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal patter to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of encryption in the filesystem. The system combines the analysis of both stages to determine whether the filesystem is infected by ransomware.

Abstract: A computing system determines that a third party system has been exposed to a digital security violation. The computing system identifies a first user account of a user registered with the computing system that has a corresponding account associated with the third party system. The computing system determines that the first user account has stored a first set of user credentials for the corresponding account associated with the third party system at a storage location accessible by the computing system. The computing system launches a series of web browsers configured to access a first website associated with the third party system. The computing system executes, via a first web browser of the series of web browsers, a first automated script specific to the first website associated with the third party system. The computing system performs at least one of a plurality of remedial operations with respect to the corresponding account.

Abstract: A file integrity monitoring system supports monitoring of system-critical, enterprise-critical and user-critical data by reporting events to a threat management facility in response to changes in certain files, folders, registry keys and registry values of the computing environment in which the system is operating and/or monitoring. The file integrity monitoring system may dynamically create, adapt and apply context-based rules to improve the sensitivity and relevance of reported events to undesirable changes in the data footprint of a monitored device.

Abstract: Disclosed herein are methods, systems, and processes for granular and prioritized visualization of anomalous log data. Log data that includes several logs is accessed. A unique identifier is generated for each log by generating a single hash for one or more fields in each log. Based on the hashing, the several logs are converted into a series of unique identifiers. A timestamp for each log in the series of unique identifiers is appended to generate a list of timestamps for each unique identifier in the series of unique identifiers. The list of timestamps for each unique identifier is overlayed on a time series graph in a graphical user interface (GUI).

Abstract: Provided are a system, method, and computer program product for network anomaly detection. The method includes receiving event data associated with a plurality of events in a computer network. The method also includes determining nested groups of the event data representing tiers of an operational hierarchy. The method further includes generating display data to show a graphical representation of the event including a plurality of nested graphical nodes and at least one spline. Each graphical node is associated with a group or a computer node, each graphical node encompasses and/or is encompassed by another graphical node, a size of each graphical node is proportional to an aggregated parameter value of events associated therewith, each spline connects at least two graphical nodes and includes a curve that passes through a common graphical node, and each spline is associated with a communication between at least two computer nodes.

Abstract: Methods and apparatus for encrypting and decrypting data for wearable devices that are not based on authentication techniques, such as login/password or handshaking, are provided. A computing device receives a message. The message includes encrypted data and a cryptographic reference. The encrypted data includes physiological data of a wearer of the wearable device. The cryptographic reference includes a reference to a first cryptographic technique. The computing device determines the first cryptographic technique based on the reference to the first cryptographic technique. The computing device determines a cryptographic key. The computing device decrypts the encrypted data using the first cryptographic technique and the cryptographic key to obtain decrypted data. The computing device stores the decrypted data.

Abstract: The present invention relates to a method for managing IoT devices by a security fabric. A method is provided for managing IoT devices comprises collecting, by analyzing tier, data of Internet of Things (IoT) devices from a plurality of data sources, abstracting, by analyzing tier, profiled element baselines (PEBs) of IoT devices from the data, wherein each PEB includes characteristics of IoT devices; retrieving, by executing tier, the PEBs from the analyzing tier, wherein the executing tier is configured to control network traffic of IoT devices of a private network; generating, by the executing tier, security policies for IoT devices from PEBs of the IoT devices; and controlling, by the executing tier, network traffic of the IoT devices of the private network to comply with the security policies.

Abstract: Systems and techniques are described to detect and recover from ransomware infections. It may be determined if a ransomware attack is in progress based on analyzing read and write requests to a file system. Next, a mitigation action may be performed in response to determining that a ransomware attack is in progress.

Abstract: A system and method for detecting phishing cyberattacks. The method involves parsing a code segment retrieved using a suspect uniform resource locator (URL) to identify any links included in the code segment. From these links, additional code segments may be recovered in accordance with a code segment recovery scheme. Thereafter, analytics are performed on the retrieved and possibly recovered code segments. The analytics include determining whether any of the code segments is correlated with a code segment associated with a known prior phishing cyberattack. Upon completing the analytics, an alert message including meta-information associated with results from the analytics is generated to identify that the URL is associated with a known prior phishing cyberattack when one or perhaps a combination of code segments associated with the URL are correlated to any code segment associated with a known prior phishing cyberattack.

Abstract: A system and method for managing the security health of a network devices interconnected with each other in a service provided in an entity. The security health of the networked device is evaluated by determining a cyber risk score for the entity having a plurality of devices. A first set of data from individual network devices and a second set of data including risk data from an external data source are collected by a data collector. The collected data is normalized into a format which can be further correlated by a correlation engine. The correlating step enables to determine cyber risk scores for the individual network devices. The cyber risk score for the entity may further be determined by aggregating the individual cyber risk scores of the individual network devices. The risk scores are displayed by a web-based user interface which is enabled by an application programming interface.

Abstract: Detecting malware by linking Background Intelligent Transfer Service (BITS) and Scheduled Task Service (STS) activities to a source program. Using send Advanced Local Procedure Call (ALPC) messages and receive ALPC messages, source programs that initiate the creation of temporary files and perform defined operations may be identified. If the source programs responsible for the temporary files and defined operations are determined to be malware programs, a security action may be performed on the source programs.

Abstract: Described is a system for detecting adversarial activities based on detection of activity patterns in a multiplex network. The system detects one or more subnetworks that are matches to a template network of template nodes. The subnetworks are detected by filtering multiplex network nodes according to a filtering criteria that utilizes monotone function properties in the multiplex network. Nodes that do not meet the filtering criteria are eliminated, resulting in a list of candidate nodes in the multiplex network. The one or more subnetworks are formed from the list of candidate nodes. An activity pattern corresponding to a pattern of adversarial activity is identified in the one or more subnetworks. Based on the identified activity pattern, an alert of adversarial activity is generated and transmitted.

Abstract: Systems, methods, and computer-readable media are provided for generating a unique ID for a sensor in a network. Once the sensor is installed on a component of the network, the sensor can send attributes of the sensor to a control server of the network. The attributes of the sensor can include at least one unique identifier of the sensor or the host component of the sensor. The control server can determine a hash value using a one-way hash function and a secret key, send the hash value to the sensor, and designate the hash value as a sensor ID of the sensor. In response to receiving the sensor ID, the sensor can incorporate the sensor ID in subsequent communication messages. Other components of the network can verify the validity of the sensor using a hash of the at least one unique identifier of the sensor and the secret key.

Abstract: A method includes: identifying, by a runtime instrumentation agent of a web server, a plurality of attack surfaces of a web application executed on the web server; generating, by the runtime instrumentation agent, a plurality of hash values, where each hash value is generated based on one of the plurality of attack surfaces; and transmitting, by the runtime instrumentation agent, the plurality of hash values to an attack server external to the web server, where the attack server is to determine whether to scan each attack surface based on the plurality of hash values.

Abstract: Disclosed are apparatus and methods that facilitate analysis of events associated with network and computer systems. The methodology includes determining at least one lookup key in a host device for an event occurring in the host device and determining whether the at least one lookup key is used in a memory to determine if at least one key-value pair exists for the event. The methodology also includes appending the at least one key-value pair to the event, and storing the at least one key-value pair in the memory based on the at least one lookup key including replacing existing keys found for the at least one lookup key.

Abstract: A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.

Abstract: Systems and methods for detecting security threats using application execution and connection lineage tracing with embodiments of the invention are disclosed. In one embodiment, detecting suspicious activity in a network includes receiving at a collector server a first activity data including a first set of attributes, combining a first set of context information with the activity data to generate a first activity record, comparing the first activity record to a set of baseline signatures, incrementing a count of a first matching baseline signature when the first activity record has the same values for all attributes, receiving from a second activity data including a third set of attributes, combining a second set of context information with the second activity data to generate a second activity record, and generating an alert when the attributes of the second activity record differ from all baseline signatures.