Abstract: Examples are disclosed herein to implement remote authentication and passwordless password reset. An example server includes: at least one processor to forward executable instructions to a client device, the executable instructions, when executed at the client device, to cause the client device to: authenticate a user of an account based on a biometric authentication factor; obtain a local storage key by decrypting an encrypted local storage key with a cloud key obtained from a remote authentication server, the cloud key associated with the client device; decrypt a key bag with the local storage key, the key bag including a content encryption key and an encrypted credential encrypted with the content encryption key, the encrypted credential associated with the user; and decrypt the encrypted credential with the content encryption key to obtain a credential without the user supplying a master password associated with the account.

Abstract: A server manager for detecting ransomware includes a server interface to retrieve, from a storage device, a backup of a plurality of files stored by a client device. A ransomware detection module includes a statistical filter to generate a standard pattern of file activities of the client device for a time period. A statistical behavior analysis is performed on the backup of the plurality of files based on the standard pattern to identify a portion of the backup corresponding to a statistical anomaly different from the standard pattern. The statistical anomaly corresponds to an abnormal file activity. An entropy detector generates an entropy score for the portion of the backup. The entropy score represents a randomness of a distribution of bits in a block of a file in the portion of the backup. It is determined whether the backup includes the ransomware based on the generated entropy score.

Abstract: Embodiments of the invention are directed to a system, method, or computer program product for cross-channel network security with tiered adaptive mitigation operations. In this regard, the invention is structured for dynamic detection of security events associated with network devices and resources, and triggering real-time mitigation operations across a plurality of resource channels. The invention provides a novel method for employing activity data to construct and implement mitigation actions for de-escalating authorization tiers that are adapted to the specific attributes of the activity data, in order to prevent security exposure associated with the activity. Another aspect of the invention is directed to determining whether to continue the tiered adaptive mitigation actions and/or trigger a security proceed signal.

Abstract: A system for limiting access to a digital resource based on detection of unauthorized scraping of the digital resource includes one or more processors configured to execute the instructions to detect, over a network, first data representing a plurality of first interactions by a client device with the digital resource hosted on a host system; extract, from the hardware storage device, second data representing a plurality of second interactions with digital resources, with the second interactions satisfy conditions for an interaction to be authorized; determine a confidence score based on comparing the first and second data, with the confidence score indicating a likelihood that an interaction is unauthorized; based on the determined confidence score indicating that the first interactions are unauthorized, detect, by one or more processing devices, unauthorized scraping of the digital resource; and limit access of the client device to the digital resource.

Abstract: Techniques are described herein that are capable of provisioning a trusted execution environment (TEE) based on (e.g., based at least in part on) a chain of trust that includes a platform on which the TEE executes. Any suitable number of TEEs may be provisioned. For instance, a chain of trust may be established from each TEE to the platform on which an operating system that launched the TEE runs. Any two or more TEEs may be launched by operating system(s) running on the same platform or by different operating systems running on respective platforms. Once the chain of trust is established for a TEE, the TEE can be provisioned with information, including but not limited to policies, secret keys, secret data, and/or secret code. Accordingly, the TEE can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information.

Abstract: A virtual private network (VPN) security system obtains data regarding a VPN session including (i) for each of a plurality of first subnets, a number of allowed connection attempts by a computer system to that first subnet, (ii) for each of a plurality of second subnets, a number of blocked connection attempts by the computer system to that second subnet, (iii) for each of a plurality of first network ports, a number of allowed connection attempts by the computer system using that first network port, and (iv) for each of a plurality of second network ports, a number of blocked connection attempts by the computer system using that second network port. The security system determines, using a neural network, a metric representing an estimated likelihood that the VPN session is associated with a malicious activity, and controls the VPN session based on the metric.

Abstract: Methods, systems, and computer readable media for network security testing using at least one emulated server are disclosed. According to one example method, the method comprises: receiving, from a client device and at an emulated domain name service (DNS) server, a DNS request requesting an Internet protocol (IP) address associated with a domain name; sending, to the client device and from the emulated DNS server, a DNS response including an IP address associated with an emulated server; receiving, from the client device and at the emulated server, a service request using the IP address; sending, to the client device and from the emulated server, a service response including at least one attack vector data portion; and determining, by a test controller and using data obtained by at least one test related entity, a performance metric associated with a system under test (SUT).

Abstract: An initial risk of an electronic message is determined. Based on the initial risk, it is determined whether to modify the electronic message. In an event it is determined to modify the electronic message: the electronic message is modified; the modified electronic message is allowed to be delivered to an intended recipient of the electronic message; a secondary computer security risk assessment of the electronic message is automatically performed; and based on the secondary computer security risk assessment, the modified message is updated.

Abstract: An example operation may include one or more of receiving a blockchain request comprising a timestamp added by one or more endorsing nodes included within a blockchain network, identifying that the timestamp added by an endorsing node from among the one or more endorsing nodes is a modification to a previously added timestamp provided by the computing node, determining a reputation value for the endorsing node based on a difference between the timestamp added by the endorsing node and the previously added timestamp provided by the computing node, and transmitting the determined reputation value of the endorsing node to an ordering node within the blockchain network.

Abstract: Systems are provided for improving computer security systems that are based on user risk scores. These systems can be used to improve both the accuracy and usability of the user risk scores by applying multiple tiers of machine learning to different the user risk profile components used to generate the user risk scores and in such a manner as to dynamically generate and modify the corresponding user risk scores.

Abstract: In a method, a plurality of events is accessed, wherein an event of the plurality of events includes a portion of raw-machine data from a data source of a plurality of data sources. For at least one event of the plurality of events, a transaction phase of a computer security transaction is correlated with the at least one event based at least in part on a data source associated with the at least one event. The transaction phase of the at least one event is correlated with a particular asset of a plurality of assets.

Abstract: A method, system, and computer-implemented method to manage threats to a protected network having a plurality of internal production systems is provided. The method includes monitoring network traffic from the plurality of internal production systems of a protected network for domain names. For each internal production system, a first collection of each unique domain name that is output by the internal production system is determined over the course of a long time interval. For each internal production system, a second collection of each unique domain name that is output by the internal production system is determined over the course of a short time interval. Domain names in the first and second collections associated with the plurality of internal production systems are compared to determine suspicious domain names that meet a predetermined condition. A request is output to treat the suspicious the suspicious domain names as being suspicious.

Abstract: A content management system comprising one or more processing devices, a network interface, and a memory system configured to store programmatic instructions configured to cause the one or more processing devices to perform the following operations is described. An electronic document may be generated and rendered, where the content management system may configure the electronic document as a mesh document, with both forward links and backlinks to other electronic resources. The forward links and/or backlinks may be to local electronic resources or remote electronic resources. The mesh document may be transmitted to client device over an encrypted channel, and the client device may render the electronic document. In response to an activation of a forward or backlink, the corresponding resource may be accessed from a data store, transmitted via the encrypted channel to the client device, and the client device may render such resource.

Abstract: A method of utilizing a distributed ledger for a cloud service access control. The method may include receiving, by an identity and access management (IAM) service, an identifier of a client of a cryptographically protected distributed ledger; transmitting, to a proxy service, a subscription request for distributed ledger transactions initiated by the client; receiving, from the proxy service, a transaction notification comprising an identifier of the client, an identifier of an autonomous agent, and an identifier of a cloud service; receiving, from the cloud service, a validation request with respect to an action request submitted by the autonomous agent; validating, using the transaction notification, the action request; and notifying the cloud service of validity of the action request.

Abstract: A first correspondence table in a terminal device stores a first correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process. A second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier of a first data stream from a network security device, finds, in the first correspondence table, a first record where the identifier of the first data stream is stored to obtain an identifier of a process in the first record, finds, in the second correspondence table, a second record where the identifier of the process in the first record is stored to obtain an identifier of an application from the second record, and sends the identifier of the application to the network security device.

Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learnings models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.

Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Abstract: A method for determining an access right of a user terminal to a first network, wherein the user terminal (110) includes a subscription of a second network (150). The method includes: receiving (310) an access request message (240) including a data record for a user name and a data record for a password; determining (320) that the records are in a pre-determined format and that at least one of them includes data from which a subscriber identity for the second network is derivable; generating (330) an authentication request message from the access server (140) to a server (160) configured to perform authentication related tasks in the second network; receiving (340) information on the outcome of the authentication of the subscriber in the second network, generating (350) an acknowledgement to the user terminal (110) indicating right to access to the first network.

Abstract: This disclosure is directed to detecting cybersecurity attacks in data processing systems. Methods, systems, and computer program products perform operations including determining baseline event clusters using baseline event data obtained from deterministic target systems. The operations also include determining a baseline cumulative trajectory of an event over time based on the baseline event clusters. The operations further include determining operational event clusters using operational event data from the deterministic target systems. Additionally, the operations include determining an operational cumulative trajectory of the event over time based on the operational event clusters. Further, the operations include detecting a cyber-attack by comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event.

Abstract: Implementations include receiving flow data representative of communication traffic of the network, determining that at least one blacklisted Internet protocol (IP) address is present in the flow data, and in response: providing a set of high-dimensional flow representations of network traffic by processing historical flow data through a deep learning (DL) model, providing a set of low-dimensional flow representations of the network traffic based on the set of high-dimensional flow representations, and labeling at least a portion of the set of low-dimensional flow representations to provide a sub-set of labeled low-dimensional flow representations and a sub-set of unlabeled low-dimensional flow representations, and identifying a host associated with an unlabeled low-dimensional flow representation as a potentially malicious host, and in response, automatically executing a remedial action with respect to the potentially malicious host.