Patents Examined by Thomas A Gyorfi
  • Patent number: 11563755
    Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: January 24, 2023
    Assignee: Fortinet, Inc.
    Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
  • Patent number: 11558360
    Abstract: The disclosed embodiments relate to a system that provides a selective encryption technique that encrypts all of the fields in a profile, and selectively enables consumers of the profile information to decrypt specific fields in the profiles. This is accomplished by encrypting each field in the profile using a randomly generated symmetric key, and then encrypting the symmetric key for each field with public keys belonging to individuals who are authorized to access each field. These encrypted public keys are stored in a header of the profile to enable individuals to use their corresponding private keys to decrypt symmetric keys for the specific fields that they are authorized to access.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: January 17, 2023
    Assignee: INTUIT, INC.
    Inventors: Tobias Ullrich, Lars Pfannenschmidt, Frank Wisniewski
  • Patent number: 11551111
    Abstract: A method for predicting variables of interest related to a system includes collecting one or more sensor streams over a time period from sensors in the system and generating one or more anomaly streams for the time period based on the sensor streams. Values for variables of interest for the time period are determined based on the sensor streams and the anomaly streams. Next, a time-series predictive algorithm is applied to (i) the sensor streams, (ii) the anomaly streams, and (iii) the values for the variables of interest to generate a model for predicting new values for the variables of interest. The model may then be used to predict values for the variables of interest at a time within a new time period based on one or more new sensor streams.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: January 10, 2023
    Assignee: PTC INC.
    Inventors: Bruce F. Katz, Max Peysakhov
  • Patent number: 11552929
    Abstract: Systems and methods for improving the catch rate of attacks/malware by a cooperating group of network security devices are provided. According to one embodiment, a security management device configured in a protected network, maintains multiple dynamic IP address lists including an NGFW deep detection list, a DDoS deep detection list, a NGFW block list and a DDoS block list. The security management device, continuously updates the lists based on updates provided by a cooperating group of network security devices based on network traffic observed by the network security devices. In response to receipt of a request from a NGFW device or a DDoS mitigation device associated with the protected network, the security management device provides the requestor with the requested dynamic IP address lists for use in connection with processing network traffic by the requestor.
    Type: Grant
    Filed: June 10, 2019
    Date of Patent: January 10, 2023
    Assignee: Fortinet, Inc.
    Inventor: Aldo Di Mattia
  • Patent number: 11546378
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. By recording path data representing interactions between an application and other components, it can be determined what data an attacker has received by the time malicious activity is detected. During a session with an application, queries made to a dataset by the application can be recorded. After the session is found to be malicious, the session is transferred to a cloned application session in which access to the dataset is blocked. Based on the recorded queries, an alternative dataset for queries made in the cloned application session is generated that includes a subset of the original dataset, thus limiting future queries of the attacker in the cloned application session to data already received before the malicious activity was detected.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: January 3, 2023
    Assignee: SAP SE
    Inventors: Cedric Hebert, Manuel Karl
  • Patent number: 11539717
    Abstract: A network security system for detecting MAC'less/transparent devices, the system comprising a data repository aka DB, operative to accumulate “fingerprint” data indicative of expected physical level characteristics for each of plural types of switch-device links (aka link types) interconnecting a switch and a hardware device, wherein at least one pair of links of different types differ from one another at least with respect to the chipset residing in the respective device connected to the respective switch by each respective link; apparatus for reading physical level characteristics of links in at least one network to be protected; and an output device configured to generate alerts of possible presence of a transparent device along at least one link if the physical level characteristics of the at least one link, as read by the apparatus, is anomalous relative to the “fingerprint” data stored in the data repository.
    Type: Grant
    Filed: September 16, 2018
    Date of Patent: December 27, 2022
    Assignee: CYBER SEPIO SYSTEMS LTD
    Inventors: Iftah Bratspiess, Yosef Appleboum, Bentsi Ben-Atar
  • Patent number: 11539729
    Abstract: According to some aspects, disclosed methods and systems may comprise generating a profile that is based on monitoring a communication pattern associated with a device. Subsequent communications associated with the device may be monitored. Based on the profile and the subsequent communication, a security status may be associated with the device.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: December 27, 2022
    Assignee: Comcast Cable Communications, LLC
    Inventors: James Poder, Mark D. Francisco
  • Patent number: 11533329
    Abstract: The subject matter described herein includes methods, systems, and computer readable media for threat simulation and threat mitigation recommendations. A method for threat simulation and threat mitigation recommendations includes performing a first threat simulation using at least one attack vector, wherein performing the first threat simulation includes generating simulated network traffic associated with the at least one attack vector and sending, via at least one intermediate node, the simulated network traffic to a test agent in a target network, wherein the test agent is configured to simulate at least one protected asset in the target network; determining, using simulated network traffic arrival metrics, at least one threat mitigation recommendation; and providing, via a user interface, the at least one threat mitigation recommendation to a user.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: December 20, 2022
    Assignee: KEYSIGHT TECHNOLOGIES, INC.
    Inventors: Garett Michael Montgomery, Xavier Rousseau, Stephen Lee McGregory
  • Patent number: 11533328
    Abstract: Methods and systems for assessing and evaluating vulnerabilities of a networked system are presented. A list of known vulnerabilities that have been disclosed in the public may be obtained. The networked system may be scanned from an external perspective to obtain network information of the networked system. A subset of the known vulnerabilities may be determined to be relevant to the networked system based on correlations between the vulnerabilities and the network information. The networked system may also be analyzed from an internal perspective to determine impacts of the relevant known vulnerabilities to the networked system. The impact of a vulnerability may be determined based on the type of data and/or the type of services that may be accessible in an attack that exploits the vulnerability. The vulnerabilities may then be ranked and addressed based on the impacts.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: December 20, 2022
    Assignee: PayPal, Inc.
    Inventors: Eric Nunes, Bradley Wardman, Meethil Vijay Yadav, Kevin Tyers, Nicole Harris, Jakub Burgis
  • Patent number: 11533293
    Abstract: Domains and IPs are scored using domain resolution data to identify malicious domains and IPs. A domain and IP resolution graph for a set of domains and IPs in a system. A seed set of known malicious domains and known malicious IPs is selected from a malicious domain and malicious IP database. A graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs is generated. A malicious score is calculated for each domain in the set of domains and each IP in the set of IPs, and the malicious domain and malicious IP database is updated.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: December 20, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Swapna Buccapatnam Tirumala, Fei Wu, Carolyn Roche Johnson
  • Patent number: 11528300
    Abstract: In an embodiment, a data processing method comprises receiving, from one or more service monitoring processes configured to monitor operations of one or more computer applications instantiated within one or more containers, operation datasets representing operations that have been performed by one or more processes associated with the one or more computer applications; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, from the operation datasets, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operations rules for only those operations in the baseline dataset that score more than a score threshold.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: December 13, 2022
    Assignee: SYSDIG, INC.
    Inventor: Loris Degioanni
  • Patent number: 11522887
    Abstract: A cyber-threat coordinator-component identifies devices and/or users that are in a breach state of a benchmark of parameters, utilized by AI models, that correspond to the normal pattern of life for the network. The cyber-threat coordinator-component sends an external communication to selected network devices in order to initiate actions with that network device in order to change a behavior of a detected threat of at least one a user and/or a device acting abnormal to the normal pattern of life on the network. The initiated actions are also targeted to minimize an impact on other network devices and users that are i) currently active in the network and ii) that are not in breach of being outside the normal behavior benchmark.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: December 6, 2022
    Assignee: Darktrace Holdings Limited
    Inventor: Matthew Dunn
  • Patent number: 11483709
    Abstract: Authentication processes to counter subscriber identity module swapping fraud attacks is disclosed. A method can comprise receiving location data representative of a tower device of a group of tower devices; receiving duration data representing a time period during which the mobile device has been traversing through a transmission region monitored by the tower device; as a function of the identification data, the location data, and the duration data, formulating a challenge query for the mobile device to answer; and sending the challenge query to the tower device.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: October 25, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Joseph Soryal
  • Patent number: 11475169
    Abstract: Examples described herein relate to a security system consistent with the disclosure. For instance, the security system may comprise a sensor interface bridge connecting a gateway to an input/output (I/O) card, a Field Programmable Gate Array (FPGA) to scan data to detect an anomaly in the data while the data is in the sensor interface bridge, where a learning neural network accelerator Application-Specific Integrated Circuit (ASIC) is integrated with the FPGA and send the data without an anomaly to the gateway.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: October 18, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Martin Foltin, Aalap Tripathy, Harvey Edward White, Jr., John Paul Strachan
  • Patent number: 11477221
    Abstract: A system, a method, and a computer program for protecting data traffic from a communication device against fingerprinting or privacy leakage. The method can include receiving data traffic from a communication device connected to a network, analyzing the received data traffic to determine network activity or operational characteristics of the communication device, generating forged data traffic for the network based on the determined network activity or operational characteristic of the communication device, and transmitting the forged data traffic to an external communication device that is located outside the network. The forged data traffic can add an entropy factor to the data traffic from said communication device connected to the network.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: October 18, 2022
    Assignee: Saudi Arabian Oil Company
    Inventor: Salman Abdullah Alanazi
  • Patent number: 11451566
    Abstract: A network traffic anomaly detection method and apparatus is provided. The method includes: acquiring network flows generated by a network monitoring node within a set period of time; for any one of attributes in the network flows, aggregating the network flows at a set time interval according to the attribute to generate N time sequences with respect to the attribute; determining N samples to be detected corresponding to the network flows according to the N time sequence, calculating respective angular dissimilarity degrees between a first time sequence and N−1 second time sequences corresponding to a first attribute in the other N−1 samples to be detected, and determining a first detection result with respect to the first time sequence; and determining whether each of the samples to be detected is an abnormal data stream according to a detection result.
    Type: Grant
    Filed: November 27, 2017
    Date of Patent: September 20, 2022
    Assignees: NSFOCUS INFORMATION TECHNOLOGY CO., LTD., NSFOCUS TECHNOLOGIES, INC.
    Inventor: Zijian Wu
  • Patent number: 11451559
    Abstract: Techniques are disclosed relating to automating permission requests, e.g., in the context of multi-factor authorization. A mobile device may allow a user to automate responses to future permission requests for multi-factor authorization procedures. The mobile device may automatically respond to subsequent permission requests based on one or more automation criteria. Authorized actions may include login, transaction approval, physical access, vehicle ignition, account recovery, etc. The automation criteria may include location, acceleration, velocity, wireless connectivity, proximity to another device, temperature, lighting, noise, time, biometrics, altitude, pressure, image characteristics, etc. Disclosed techniques may increase authorization security while reducing user interaction for multi-factor authorization, in some embodiments.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: September 20, 2022
    Assignee: salesforce.com, inc.
    Inventors: Evan Tyler Grim, Josh Alexander
  • Patent number: 11443069
    Abstract: An illustrative embodiment includes a method for protecting a machine learning model. The method includes: determining concept-level interpretability of respective units within the model; determining sensitivity of the respective units within the model to an adversarial attack; identifying units within the model which are both interpretable and sensitive to the adversarial attack; and enhancing defense against the adversarial attack by masking at least a portion of the units identified as both interpretable and sensitive to the adversarial attack.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: September 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Sijia Liu, Quanfu Fan, Gaoyuan Zhang, Chuang Gan
  • Patent number: 11438378
    Abstract: The disclosed computer-implemented method for protecting against password attacks by concealing the use of honeywords in password files may include (i) receiving a login request comprising a candidate password for a user, (ii) authenticating the login request by determining whether a hash of a true password for the user stored in a honeyserver matches a hash of the candidate password, (iii) determining whether the candidate password matches a hash of a honeyword stored in a password file when the true password hash fails to match the candidate password hash, (iv) classifying the password file as being potentially compromised when the candidate password hash matches the honeyword hash stored in the password file, and (v) performing a security action that protects against a password attack utilizing the potentially compromised password file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: September 6, 2022
    Assignee: NortonLifeLock Inc.
    Inventor: Matteo Dell'Amico
  • Patent number: 11438767
    Abstract: A method includes outputting with a first reader, presence signals to first smart devices, receiving responsive ephemeral ID signals, determining a first authorized device in response to the ephemeral ID signals, providing an ephemeral ID signal of the first authorized device to a second reader, directing a first peripheral to perform a user-perceptible action in response to the first authorized device, outputting with a second reader device, presence signals to second smart devices, receiving responsive ephemeral ID, determining a second authorized device in response to the ephemeral ID signals from the second smart devices, receiving the ephemeral ID signal of the first authorized device, determining a third authorized device in response to the ephemeral ID signal of the first authorized device, and directing a second peripheral device to perform a user-perceptible action in response to the second authorized device or the third authorized device.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: September 6, 2022
    Assignee: Proxy, Inc.
    Inventors: Denis Mars, Simon Ratner