Patents Examined by Suman Debnath
  • Patent number: 11973793
    Abstract: Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.
    Type: Grant
    Filed: January 19, 2023
    Date of Patent: April 30, 2024
    Assignee: Rapid7, Inc.
    Inventors: Austin Lee, Gerardo Perez
  • Patent number: 11972695
    Abstract: A system has an evaluation server that includes at least one database storing a plurality of cybersecurity awareness evaluations, the database connected to the server, a plurality of clients connected to the server and configured to run at least one of the cybersecurity awareness evaluations for play by users on user devices, the users performing actions in the evaluation including offensive actions and defensive actions, and an evaluation dashboard including an interface configured to display scoring results of the cybersecurity awareness evaluations as determined by the server, the scoring results including a plurality of offensive component scores for at least one of the users, a plurality of defensive component scores for at least one of the users, at least one composite offensive score for at least one of the users and at least one composite defensive score for at least one of the users, the composite offensive score being determined based on a plurality of the component offensive scores and the composit
    Type: Grant
    Filed: February 21, 2022
    Date of Patent: April 30, 2024
    Assignee: CIRCADENCE CORPORATION
    Inventors: Phillip Atencio, Cassandra Brubaker, George A. Wright, Brandon Dorris, Peter Grundy, Charles A. Hardin
  • Patent number: 11968228
    Abstract: A file copy is executed in a virtual runtime environment that tracks behavior using RNN taking runtime behavior of at least a first time into account with current runtime behavior at a second time. This is responsive to not finding a known signature for suspicious activity during virus scanning. A behavior sequence is identified on-the-fly during file copy execution that is indicative of malware, prior to completing the execution, the behavior sequence involving at least two actions taken at different times during file copy execution. Responsive to the identification, the execution is terminated and the virtual runtime environment is returned to the pool of available virtual runtime environments.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: April 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Jun Cai, Kamran Razi
  • Patent number: 11960596
    Abstract: A network interface device comprises a first area of trust comprising a first part of the network interface device, the first part comprising one or more first kernels. A second area of trust comprising a second part of the network interface device different to said first part is provided, the second part comprising one or more second kernels. A communication link is provided between the first area of trust and the second area of trust. At least one of the first and second areas of trust is provided with isolation circuitry configured to control which data is passed to the other of the first and second areas via the communication link.
    Type: Grant
    Filed: March 11, 2021
    Date of Patent: April 16, 2024
    Assignee: XILINX, INC.
    Inventors: Steven Leslie Pope, Derek Edward Roberts, Dmitri Kitariev, Neil Duncan Turton, David James Riddoch, Ripduman Sohan
  • Patent number: 11956214
    Abstract: Systems and methods for enforcing media access control (MAC) learning limits (MLLs) on multi-homed access ports comprise configuring MLL violation actions to be performed by a virtual extensible local area network (VxLAN) tunnel endpoint (VTEP). The VTEP is multi-homed to VTEPs and comprises an Ethernet segment (ES) access port. A BGP EVPN or similar protocol may be used to communicate MLL information across VTEPs participating in the multi-homed ES to keep MACs and MLL violation actions consistent. The violation actions may comprise initiating a shutdown message to shut down an ES. Once an MLL violation associated with a MAC that has been received at the VTEP is detected, the VTEP may enforce the MLL by performing one or more of the configured MLL violation actions and propagate the same to other VTEPs.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: April 9, 2024
    Assignee: DELL PRODUCTS L.P.
    Inventors: Saye Balasubramaniam Subramanian, Damodharan Sreenivasagaperumal, Kishore Yetikuri
  • Patent number: 11921845
    Abstract: The present invention is provided with a threat analysis processing unit that, on the basis of an analysis result from the vulnerability analysis unit, analyzes a threat to the system and outputs a threat analysis result; a countermeasure planning unit that, on the basis of the threat analysis result and vulnerability information, plans the countermeasure plan which reduces the impact of the vulnerability; a security test planning unit that plans the security test on the basis of the countermeasure plan; an evaluation calculation unit that performs an evaluation on the basis of the security test, and outputs an evaluation result; and a result processing unit that processes the evaluation result and generates a security countermeasure.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: March 5, 2024
    Assignee: HITACHI, LTD.
    Inventors: Takashi Kawauchi, Chinatsu Yamauchi, Yiwen Chen, Eriko Ando
  • Patent number: 11899801
    Abstract: A proximity based authentication system and method is described. The system includes a gateway, a cloud component, and a mobile device. The gateway is associated with a particular location and is communicatively coupled to a cloud component. The gateway includes a gateway short-range wireless radio capable of establishing a short-range wireless communication channel. The mobile device is also communicatively coupled to the cloud component and includes a mobile device short-range wireless radio that communicates with the gateway using the short-range wireless communication channel when the mobile device is in proximity of the gateway. The mobile device receives a gateway key over the short-range wireless communication channel. The mobile device then communicates the gateway key to a cloud component database. The cloud component authenticates the particular location of the mobile device when the cloud component receives the gateway key from the mobile device.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: February 13, 2024
    Assignee: NEXRF CORP.
    Inventor: Michael Anthony Kerr
  • Patent number: 11886585
    Abstract: A computing system including a processor and a memory, which includes a first memory region operating as a kernel space and a second memory region operating as a user space. Maintained within the kernel space, a first logic unit receives a notification identifying a newly created thread and extracts at least meta-information associated with the newly created thread. Maintained within the user space, a second logic unit receives at least the meta-information associated with the newly created thread and conducts analytics on at least the meta-information to attempt to classify the newly created thread. An alert is generated by the second logic unit upon classifying the newly created thread as a cyberattack associated with a malicious position independent code execution based at least on results of the analytics associated with the meta-information associated with the newly created thread.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: January 30, 2024
    Assignee: Musarubra US LLC
    Inventor: Stephen Davis
  • Patent number: 11868481
    Abstract: This invention discloses a method for discovering vulnerabilities of operating system access control based on model checking. In this method, security attribute and security specifications of operating system access control module are analyzed to construct the access control model. To discover vulnerabilities in the model, security analysis is performed for access control functionality with theorem proving techniques, and consistency of abstract machine specification and correctness and completeness of the components are verified with model checking tools. This method provides theoretical and technical support for studies in the field of operating system security.
    Type: Grant
    Filed: July 27, 2021
    Date of Patent: January 9, 2024
    Assignee: ZHEJIANG UNIVERSITY
    Inventors: Rui Chang, Zhuoruo Zhang, Shaoping Pan, Kui Ren
  • Patent number: 11853461
    Abstract: A system for determining a calculation utilizing differential privacy including an interface and a processor. The interface is configured to receive a request to determine result data of a calculation using multitenanted data. The multitenanted data comprises tenant data associated with a plurality of tenants. The processor is configured to: determine the result data by performing the calculation on the multitenanted data; determine whether a deterministic modification is needed to ensure privacy based at least in part on whether a number of participants in the result data is less than a threshold; and in response to determining that the deterministic modification is needed to ensure privacy: determine the deterministic modification; numerically modify the result data using the deterministic modification to determine modified result data; and provide the modified result data.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: December 26, 2023
    Assignee: Workday, Inc.
    Inventors: Denis Gulsen, Ankit Aggarwal
  • Patent number: 11847214
    Abstract: In some embodiments, a behavior classifier comprises a set of neural networks trained to determine whether a monitored software entity is malicious according to a sequence of computing events caused by the execution of the respective entity. When the behavior classifier indicates that the entity is malicious, some embodiments execute a memory classifier comprising another set of neural networks trained to determine whether the monitored entity is malicious according to a memory snapshot of the monitored entity. Applying the classifiers in sequence may substantially reduce the false positive detection rate, while reducing computational costs.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: December 19, 2023
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Daniel Dichiu, Andreea Dincu, Robert M Botarleanu, Sorina N. Zamfir, Elena A Bosinceanu, Razvan Prejbeanu
  • Patent number: 11831686
    Abstract: The technology disclosed relates to a transparent inline secure forwarder for policy enforcement on IoT devices. In particular, the technology disclosed provides a system. The system comprises a plurality of special-purpose devices on a network segment of a network. The system further comprises a default gateway of the network segment configured to receive outbound network traffic from special-purpose devices in the plurality of special-purpose devices. The system further comprises an inline secure forwarder configured to share an Internet Protocol (IP) address with the default gateway in a transparent mode to intercept the outbound network traffic prior to the default gateway receiving the outbound network traffic, and route the intercepted outbound network traffic to a policy enforcement point for policy enforcement.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: November 28, 2023
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Siying Yang, Krishna Narayanaswamy
  • Patent number: 11822666
    Abstract: Approaches for detecting and rectifying the malware in the computing systems are described. In an example, a request by a process or is intercepted by the malware detection module. Relevant information and characteristics pertaining to the request are extracted and, based on the extraction, operational attributes are generated. These extracted operational attributes are analyzed and compared with the baseline attributes and if there are any anomalies present, the susceptible code or process originating from the intercepted request is ascertained as malicious.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: November 21, 2023
    Inventor: Varun Seth
  • Patent number: 11805096
    Abstract: A system that communicates information is described. This system includes: a network interface, a proxy device coupled to the network interface, and an interface node coupled to the proxy device and configured to couple to a channel. Note that the network interface is configured to transmit outbound messages from the system to a location and to receive inbound messages to the system from the location, and the channel is configured to convey the outbound messages and the inbound messages. Moreover, the proxy device is configured to inspect a given message inbound or outbound based on a pre-determined profile of the location and pre-defined communication rules. Then, the proxy device is configured to restrict the given message based on a result of the inspection, where the restriction occurs after the system begins a communication session with the location and is performed for the duration of the communication session.
    Type: Grant
    Filed: January 20, 2020
    Date of Patent: October 31, 2023
    Assignee: INTUIT, INC.
    Inventors: Rodney A. Robinson, Joann Ferguson, Thomas J. Holodnik, Thomas E. Dockman, Spencer W. Fong, Michael P. Owen
  • Patent number: 11768940
    Abstract: This controller system includes: a program acquisition unit that acquires, by turning on the controller system, a control program from a server in which the control program is stored; a main storage device that stores the control program acquired by the program acquisition unit while electric power is supplied to the controller system; and a program execution unit that executes the control program stored in the main storage device.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: September 26, 2023
    Assignee: OMRON Corporation
    Inventors: Yutaka Tahara, Yuta Nagata
  • Patent number: 11706024
    Abstract: In a storage system that includes a plurality of storage devices configured into one or more write groups, quorum-aware secret sharing may include: encrypting a device key for each storage device using a master secret; generating a plurality of shares from the master secret such that a minimum number of storage devices required from each write group for a quorum to boot the storage system is not less than a minimum number of shares required to reconstruct the master secret; and storing the encrypted device key and a separate share of the plurality of shares in each storage device.
    Type: Grant
    Filed: August 13, 2021
    Date of Patent: July 18, 2023
    Assignee: PURE STORAGE, INC.
    Inventors: Andrew Bernat, Ethan Miller
  • Patent number: 11646998
    Abstract: A system administrator can specify NAT mappings to perform NAT translations in a switch. The administrator can specify an ACL to filter packets to be translated. Filter rules generated from the ACL are stored in a first memory store in a switch and NAT rules generated from the NAT mappings are stored in a second memory store separate from the first memory store. When a packet matches one of the filter rules a tag that identifies the ACL is associated with the packet. When the tagged packet matches one of the NAT rules, the packet is translated according to the matched NAT rule.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: May 9, 2023
    Assignee: ARISTA NETWORKS, INC.
    Inventors: Satish Kumar Selvaraj, Brett Hatch, Ashit Tandon, Deva Pandian, Di Wang
  • Patent number: 11647054
    Abstract: A system for and a method of regulating the data interconnections between applications running on an infrastructure are provided. The system/method records access permission data into metadata embedded in the source code of each such application that regulates the data that can be received or transmitted by that application. In addition to regulating the receipt or transmission of data, the metadata can serve to provide instruction to firewalls and other regulating systems in order to configure those systems to allow the applications to receive and transmit data for which permissions have been recorded.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: May 9, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Ronald W. Ritchey, Ta-Wei Chen, Khanh Tran, David Laurance, Cedric Ken Wimberley, Parthasarathi Chakraborty, Aradhna Chetal, Donald B. Roberts
  • Patent number: 11647024
    Abstract: Systems and methods for allocating a per-interface access control list (ACL) counter are disclosed. An ACL is applied to a data packet received at an interface of the network element. In response to matching the highest priority ACL rule, a counter value is obtained based on a combination of a base index and an expansion index value. The base index, expansion index, and counter values are stored in their respective tables. The counter value is uniquely associated with the specific ACL rule hit and the interface used to receive the data packet. Systems and methods also allocate a next set of expansion and counter tables when their storage capacity is exceeded. When the next set of tables are allocated, the older set of tables along with their index mappings and entries are preserved.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: May 9, 2023
    Assignee: Arista Networks, Inc.
    Inventors: Francois Labonte, Muhammad Yousuf
  • Patent number: 11631298
    Abstract: A computer-implemented method of authenticating a memory of a gaming machine uses a computing device having a processor communicatively coupled to a memory. The method includes identifying a first subset of the memory including one or more operational data components associated with operating the gaming machine. The method also includes identifying a second subset of the memory. At least some of the second subset of the memory is distinct from the first subset of the memory. The method further includes authenticating the first subset of the memory while the gaming machine is in a disabled state. The method also includes enabling operation of the gaming machine after the authenticating the first subset of the memory if the authentication of the first subset of the memory is successful. The method further includes authenticating the second subset of the memory while the gaming machine is in an enabled state.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: April 18, 2023
    Assignee: Video Gaming Technologies, Inc.
    Inventor: Michael Oberberger