Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: An interface element connected to a device and a security die-chip are fabricated in a single package. The security die-chip may provide a security authentication function to the interface element that does not have the security authentication function. The security die-chip may include a physically unclonable function (PUF) to provide a private key, and a hardware security module to perform encryption and decryption using the private key.

Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.

Abstract: A network device detecting possible malicious traffic and enlists the help of a co-operative group of downstream routers to perform enhanced deep packet analysis and firewalling in parallel with the transport of the packet through the network. The routers may also use other remote computational resource to perform some of the analysis along or close to the route 80 of the packet through the network. The packets are cached at the exit edge router, which does not release the packet from the cooperative group until all analyzers report the traffic is safe, or deletes the traffic if identified as malicious. By buffering at the remote end the packet can be forwarded promptly if approved, but protects downstream components if the traffic is malicious.

Abstract: Provided is a method for automatically registering a user on a field device for the purpose of administering the field device, including a) providing user information on the basis of an identity of the user and an identity of the field device by a security device; b) transmitting the provided user information to a mobile device of the user; c) generating field-device-specific registration information on the basis of the transmitted user information by the mobile device; and d) registering the user on the field device by the generated registration information. This method has the particular advantage that a highly secure infrastructure can be used for administering access information for administering the field devices without problems arising during the registration process.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A system comprising one or more computers implements a hardware feature access service. The hardware feature access service stores private keys that correspond to digital certificates embedded in chipsets of devices enrolled in the hardware feature access service. The hardware feature access service is configured to issue access or access revocation messages to the chipsets to “lock” or “unlock” associated hardware components. The hardware feature access service also implements a service interface that allows clients to request changes to enabled feature sets for devices enrolled in the hardware feature access service. In response to such requests, the hardware feature service automatically and wirelessly enables or disables feature sets by locking or unlocking relevant hardware components of a device relevant to enabling or disabling the requested feature sets.

Abstract: Based on the interaction data and response data, an interaction monitoring platform may determine a first known sentiment and a second known sentiment, identify a first pattern and a second pattern in the interaction data, and generate a first pattern-level sentiment and a second pattern-level sentiment based on the known sentiments and the identified patterns. A binary indicator may indicate which identified patterns are exhibited in a subset of the interaction data. The platform may train a gradient boosting model using known sentiment as a target variable and using binary indicators and pattern-level sentiments as input data. The platform may predict a sentiment corresponding to a subset of interaction data with unknown sentiment that exhibits one or more of the first pattern or the second pattern based on a binary indicator and the trained gradient boosting model.

Abstract: A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.

Abstract: Methods and systems for performing an electronic security assessment of a building automation system are provided. The building automation system includes a controller and a network of electronic devices connected in electronic communication. The method includes requesting, by the controller, an electronic security scan of the controller with a data set of the controller via a secured channel to a cloud-based service. The method also includes initiating the electronic security scan of the controller based on the data set of the controller. The method further includes electronically assessing security vulnerabilities of the building automation system. The method also includes electronically assessing, by the controller, security vulnerabilities of the network of electronic devices connected in electronic communication with the controller.

Abstract: Methods, systems, and media for recovering identity information in verifiable claims-based systems are provided.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: A method of allowing collaboration on an encrypted document stored in a cloud computing network, the encrypted document associated with a first user having a first user account in the cloud computing network, the method comprising: in response to a request from the first user to share the encrypted document, sending a link to a public network destination to a second user address of a second user; receiving a request via the link from an unconfirmed user to access the data in the encrypted document; requesting of the unconfirmed user to login to a second user account on the cloud computing network; authenticating the identity of the unconfirmed user as the second user; upon authenticating the identity of the unconfirmed user as the second user, decrypting the encrypted document to generate a decrypted document; storing the decrypted document in the first user account; granting the second user access to the decrypted file simultaneously to access granted to the first user; subsequent to the first user or the se

Abstract: A device configured to obtain a first user interaction data at a first time instance for user devices, to obtain a first set of clusters from a machine learning model based on the first user interaction data, and to determine a first cluster quantity for the first set of clusters. The device is further configured to obtain a second user interaction data at a second time instance for the user devices, to obtain a second set of clusters from the machine learning model based on the second user interaction data, and to determine a second cluster quantity for the second set of clusters. The device is further configured to determine the second cluster quantity is greater than the first cluster quantity, to identify a cluster that is not present in the first set of clusters, and to modify settings on a user device from within the cluster.

Abstract: Described herein are systems, methods, and software to enhance incident response in an information technology (IT) environment. In one example, an incident service identifies a course of action to respond to an incident in the IT environment. The incident service further identifies a particular step in the course of action associated with a credential requirement based on traits associated with the particular step, and generates a credential request to obtain credentials to support the credential requirement.

Abstract: A physical access control system enables acceptable portal entry codes upon receiving each physical access request by operating on the elapsed time from a previous physical access request to generate a temporal credential. The controller receives a plurality of physical access requests from a plurality of mobile application devices. Upon authenticating the first access request, the controller eliminates repetition from the space of acceptable successor requests from each mobile application device. Monotonic nonces advance the range of temporal code matches. Entry code generation is decentralized to distributed application devices and is inherently unknowable until a successor access request is initiated by the same application device.

Abstract: Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.

Abstract: At least some embodiments are directed to a computer-based cyber-attack frequency tracking system that determines types and frequencies of cyber-attacks. In at least some embodiments, the method of a cyber-attack frequency tracking system may operate a processor in an enterprise computing environment for automatically conducting a process that comprises receiving, a plurality of data values that represent a plurality of cyber-attacks. Determining cyber-attack types, and then determining the frequency of attempts and contacts with assets. After that determining likelihood values. Aggregating these determinations to produce a quantifiable value of a likelihood values of each of the plurality of cyber-attack types.

Abstract: Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

Abstract: Methods and systems for processing interactions with account assertions are disclosed. A method includes receiving, by an assertions model manager, a first request from a resource provider computer for a set of assertions including an account assertion, related to a digital identity of a user. The method then includes responding, by the assertions model manager, to the first request with a response message, comprising a set of assertions, wherein one of the plurality of assertions is an account assertion. Then the method includes receiving, by the assertions model manager, a second request from the resource provider for a value interaction from the user and initiating, by the assertions model manager, the value interaction.