Abstract: Techniques for performing cyber-security alert analysis and prioritization according to machine learning employing a predictive model to implement a self-learning feedback loop. The system implements a method generating the predictive model associated with alert classifications and/or actions which automatically generated, or manually selected by cyber-security analysts. The predictive model is used to determine a priority for display to the cyber-security analyst and to obtain the input of the cyber-security analyst to improve the predictive model. Thereby the method implements a self-learning feedback loop to receive cyber-security alerts and mitigate the cyberthreats represented in the cybersecurity alerts.

Abstract: A method, system, and computer-readable media for modeling cyberspace operations and the effects thereof. Network and connectivity data for an operational environment model may be retrieved from a network scan. Likelihood data that a network element takes a plurality of possible configurations may be mapped. Determination of a probability of effect of a capability acting on the network element may be based on the likelihood data and uncertainties associated with the capability. Multiple attacks within the operational environment model may be modeled to determine an attack path therethrough. Functional modeling techniques to model functional impacts of attacks on an operational environment model are also disclosed.

Abstract: A method and system for authenticating a device is provided. A noisy response is received from a physically unclonable function for a challenge. An error code is generated for correcting the noisy first response. An expected response is generated from the noisy first response and the error code. The expected response and corresponding first helper data is store. The helper data includes the first challenge and the error code. The helper data is provided to a device in response to an authentication request from the device, the first device including the physically unclonable function.

Abstract: Described embodiments provide systems and methods for generating a network space to perform mitigation actions on a plurality of users. At least one server may determine a plurality of users of one or more levels of riskiness in a network environment, and network locations of the users. Using a plurality of clustering features, the at least one server may generate a network space comprising a cluster of network locations corresponding to a subset of the users of at least a defined level of riskiness. The at least one server may perform a mitigation action on the subset of users corresponding to the generated network space.

Abstract: Machine-learning based user authentication using a mobile device (e.g., using a computerized tool) is enabled. For example, a non-transitory machine-readable medium can comprise executable instructions that, when executed by a processor, facilitate performance of operations, comprising: determining an input received via a mobile device, determining, based on the input and using an authentication model, whether the input threshold matches an input pattern associated with an authorized user profile authorized to access a feature of the mobile device, wherein the input pattern has been determined based on machine learning applied to past inputs at the mobile device other than the input, and wherein the authentication model has been generated based on the machine learning applied to the input pattern, and based on a determination that the input at the mobile device is associated with an authorized user profile, granting access to the feature of the mobile device.

Abstract: Systems and methods for cryptographic authentication are provided. A transport service may establish a connection with a login device, where a user is attempting to log in via a web browser. The login device may display a graphical code that encodes a unique URL provided by the transport service. A user may use an authenticator device to image the graphical code. A browser within the authenticator device may be opened and access the URL. The transport service may utilize the authenticator device to perform a proximity-based authentication.

Abstract: Systems and methods for predicting enterprise cyber incidents using social network analysis on the darkweb hacker forums are disclosed.

Abstract: Systems and methods for conference security based on user groups are disclosed. In examples, a set of attendees (e.g., in a collaboration group) may be allowed access to a meeting by a host user with a specified access permission. The collaboration group may be in the network hosting the meeting or outside of the network. An attendee requesting access to the meeting may be verified based on the attendee's identity and membership status of the collaboration group. If an attendee's identity is not identified or if the attendee is not a member of the collaboration group, the requesting attendee may be denied access to the meeting. If the requesting attendee's identity is verified and the attendee is a member of the collaboration group, the attendee is allowed access to the meeting with their specified access permission.

Abstract: A technique and method for detection and display of the cybersecurity risk context of a cloud environment initiates an inspection of cybersecurity objects within a cloud environment utilizing an inspection environment and stores information pertaining to discovered cybersecurity objects within the inspected cloud environment in a storage environment. The technique and method further generate a cybersecurity risk context for the inspected cloud environment based on the observations made concerning the cybersecurity objects contained within it. The technique and method further configure a web browser running on a client device to automatically display the generated cybersecurity risk context to a user, either through a web page overlay or through a toolbar plugin which has been installed in the web browser and configured to enable inspections of a cloud environment, once the user has navigated to a web page containing cybersecurity object identifiers.

Abstract: Systems and methods for defending against volumetric attacks, implemented in a cloud-based system. Embodiments include steps of, monitoring flows and a rate of requests to a Data Center (DC); receiving a request from an address to the DC, the request being for a service in a cloud-based system; determining if the address has been successfully authenticated within a past predetermined time period; responsive to the address not having been successfully authenticated within the past time period, and one of (i) the rate of requests being above a threshold or (ii) the number of flows being above a threshold, placing the address in a penalty box for a predetermined amount of time; and blocking requests from the address in the penalty box for the predetermined amount of time.

Abstract: An entity that creates an adaptive trust model, by a trust model adaptor of the apparatus, configured to establish a trust relationship with an other apparatus according to a composition of trust of the other apparatus derived from a trust evaluator of the other apparatus and a composition of trust of the apparatus derived from a trust evaluator of the apparatus. The entity authenticates the other apparatus based on the adaptive trust model and policies defined in the adaptive trust model; defines access control rules for the other apparatus based on the adaptive trust model and the policies defined in the adaptive trust model; builds a secure channel with the other apparatus based on the adaptive trust model and policies defined in the adaptive trust model; and records behaviors of the other apparatus on the apparatus.

Abstract: Provided are a control device and a program verification method capable of suppressing an operation load in a case where different keys are used for respective devices. The control device 1 stores a program to be verified, a plurality of verification expected values related to verification of the program to be verified, and registered verification expected value information 183 that identifies one of the verification expected values. The control device verifies whether the program to be verified is correct using the registered verification expected value information 183.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: Techniques for calculating risk scores of entity assignments are discussed herein. The system generates a probability matrix using a collaborative filtering technique such as singular value decomposition. The probability matrix is populated with probability values for each entity representing a probability that, based on the various relationships or associations of that entity with other entities, the entity has been granted an assignment. Risk values are used to provide a weighting value to assignments, separating relatively higher risk assignments from relatively lower risk assignments. The system thereafter calculates a risk score for one or more of the entities using the information in the assignment matrix, the probability matrix, and the risk values. The system can flag or identity one or more entities whose risk scores do not meet various criteria.

Abstract: Methods and systems are provided for use in selectable data transmission. In a portable mobile computing device, a request to initiate an instant video communication with a remote portable multi-function computing device may be received, and in response to receiving the request to initiate the instant video communication, it may be determined, based on a stored authorization list, that the instant video communication connection to the remote portable multi-function computing device is authorized, and In response to such determining, stored connection information for the remote portable multi-function computing device may be accessed, and captured video communication data for the requested instant video communication may be transmitted according to the stored instant connection information such that the captured video communication data may be displayed at the remote portable multi-function computing device as it is received.

Abstract: System and method for detecting and curing a hollowing attack is disclosed herein. The method comprises monitoring real-time process memory parameters of a target process; retrieving real-time process memory parameters of the target process; comparing the real-time process memory parameters of the target process with reference process parameters of the target process stored in a system storage of the computing system and parameters of the process creation call-back notification; detecting a hollowing attack based on the comparison in previous step; in response to detecting the hollowing attack, determining a threat source file of malicious code; determining address space of the hollowed process on the computing system based on system log data; and curing the computing system by blocking execution of the threat source file and deleting threat resources associated therewith from the computing system.

Abstract: Techniques are disclosed relating to automating authentication decisions for a multi-factor authentication scheme based on computer learning. In disclosed embodiments, a mobile device receives a first request corresponding to a factor in a first multi-factor authentication procedure. Based on user input approving or denying the first request, the mobile device sends a response to the first request and stores values of multiple parameters associated with the first request. The mobile device receives a second request corresponding to a factor in a second multi-factor authentication procedure where the second request is for authentication for a different account than the first request. The mobile device automatically generates an approval response to the second request based on performing a computer learning process on inputs that include values of multiple parameters for the second request and the stored values of the multiple parameters associated with the first request.

Abstract: Systems and methods for validating transfers between cryptographic addresses is disclosed. The systems and methods can include receiving instructions to transfer a first plurality of tokens from a first cryptographic address to a second cryptographic address. The transfer can be validated with a portion of the distributed validation processors. The method can include transferring a first plurality of tokens to the second cryptographic address. The method can include transferring a second plurality of tokens to a first distributed validation processor of the plurality of distributed validation processors. After a predetermined period of time and/or subsequent validations by the first distributed validation processors, the method can include transferring an amount greater than the second plurality of tokens to the first cryptographic address.

Abstract: Malicious homoglyphic domain name (MHDN) generation and associated cyber security applications are described. MHDN generation may be performed by, for example, generating, based on training data, a set of operations for use in generating the one or more potential MHDNs, wherein each operation of the set of operations may be configured to modify a base domain name according to a respective homoglyphic characteristic. The set of operations may be used to generate one or more candidate MHDN mutators. The candidate MHDN mutators may be tested for fitness values corresponding to respective likelihoods of generating an MHDN and the candidate MHDN mutators may be applied to one or more base domain names to generate potential MHDNs.

Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.