Patents Examined by Thomas A Gyorfi
  • Patent number: 11888979
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates Beyond 4th-Generation (4G) communication system such as Long Term Evolution (LTE). In accordance with an aspect of the present disclosure, a method of transmitting data in a device to device communication system is provided. The method includes determining whether a security feature is applied to one or more packet data convergence protocol (PDCP) data units, configuring the one or more PDCP data units based on the determined result, and transmitting the one or more PDCP data units to one or more receiving user equipments (UEs).
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: January 30, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Anil Agiwal, Rajavelsamy Rajadurai, Young-Bin Chang
  • Patent number: 11887726
    Abstract: Centralized systems execute one or more applications for monitoring and operating a plurality of network enabled medical devices. An indication to start a selected application at the centralized system or at a network enabled medical device is received at the centralized system/network enabled medical device. The selected application may require a license to operate and, at the time the indication is received, may have a first license available. Instead of using the first license, the centralized system/network enabled medical device may determine to inherit at least a portion of a second license to operate the selected application. The centralized system/network enabled medical device may inherit at least the portion of the second license to form an inherited license, where the inherited license enables features of the selected application. Using the inherited license, the selected application is started with the enabled features. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: January 30, 2024
    Assignee: CareFusion 303, Inc.
    Inventors: Martin Orona, Aron Weiler, Patrick Ward
  • Patent number: 11882130
    Abstract: Techniques for generating actionable indicators of compromise (IOCs) are disclosed. A set of potential sources for IOCs are received. One or more candidate IOCs are extracted from at least one source included in the set of potential sources. An actionable IOC is automatically identified from the one or more candidate IOCs. The actionable IOC is provided to a security enforcement service.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: January 23, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Janos Szurdi, Daiping Liu, Jun Wang
  • Patent number: 11882142
    Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.
    Type: Grant
    Filed: August 18, 2023
    Date of Patent: January 23, 2024
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11882135
    Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
  • Patent number: 11870817
    Abstract: A method of automatically determining operation rules for access control related to container operations on a plurality of computing nodes is disclosed. The method comprises receiving operation datasets representing operations that have been performed by one or more processes associated with one or more computer applications instantiated within one or more containers on the computing nodes; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operation rules for only those operations in the baseline dataset that score more than a score threshold; and causing modifying an orchestrator configuration file for the plurality of computing nodes based on the set of baseline operation rules.
    Type: Grant
    Filed: December 12, 2022
    Date of Patent: January 9, 2024
    Assignee: Sysdig, Inc.
    Inventor: Loris Degioanni
  • Patent number: 11863536
    Abstract: Remote instructions are received at a remote computing device from a requesting device through a firewall. The remote computing device resides in a secured data center. Access credentials are presented by the requesting device. A request is made to an assistant computing device to query a dataset in communication with the remote computing device. Encrypted access credentials and encrypted remote instructions are received from the assistant computing device. The encrypted access credentials are configured to allow the requesting computing device to access the remote computing device. The encrypted remote instructions are configured to enable the remote computing device to execute at least one of the following: at least one data query, or at least one data manipulation. The encrypted access credentials are decrypted. The encrypted remote instructions are decrypted. The remote instructions are executed to generate query results. The query results are communicated to the requesting device.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: January 2, 2024
    Assignee: DvSum, LLC
    Inventor: Aashish Singhvi
  • Patent number: 11847215
    Abstract: A method for halting malware includes: monitoring plural file system events with a system driver to detect an occurrence of a file system event having a predetermined file type and log event type; triggering a listening engine for file system event stream data of a file associated with the detection of the file system event, the file system event stream data indicating data manipulation associated with the file due to execution of a process; obtaining one or more feature values for each of plural different feature combinations of plural features of the file based on the file system event stream data; inputting one or more feature values into a data analytics model to predict a target label value based on the one or more feature values of the plural different feature combinations and agnostic to the process; and performing a predetermined operation based on the target label value.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 19, 2023
    Assignee: McAfee, LLC
    Inventors: Celeste R. Fralick, Jonathan King, Carl D. Woodward, Andrew V. Holtzmann, Kunal Mehta, Sherin M. Mathews
  • Patent number: 11849023
    Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: December 19, 2023
    Assignee: Palantir Technologies Inc.
    Inventors: Ryan Castellucci, Philip Martin
  • Patent number: 11822618
    Abstract: A method may include receiving data from a device within a network, wherein the data is associated with one or more features of the device, and determining a subset of the features of the device that is associated with a runtime behavior of the device. The method may also perform a univariate analysis on a feature dataset that is associated with the subset of the features of the device, perform a multivariate analysis on the feature dataset that is associated with correlated features in the subset of the features, and generate a device signature based on the univariate analysis and the multivariate analysis.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: November 21, 2023
    Assignee: Dell Products L.P.
    Inventors: Mohammad Rafey, Hung The Dinh, Bijan Kumar Mohanty
  • Patent number: 11818146
    Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: November 14, 2023
    Assignee: Forescout Technologies, Inc.
    Inventors: Daniel Ricardo dos Santos, Elisa Costante, Mario Dagrada, Alessandro Manzi
  • Patent number: 11803650
    Abstract: A database management system receives a request to process a database query on behalf of a security principal. The database management system determines that processing the database query requires access to an encrypted portion of a file containing data subject to access conditions. The database management system determines that the security principal is authorized to use a key that corresponds to the encrypted portion of the file. The database management system then completes processing of the query by using the key to access the encrypted portion of the file.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: October 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Turkay Mert Hocanin, Anthony A. Virtuoso
  • Patent number: 11805137
    Abstract: Data-driven applications depend on training data obtained from multiple internal and external data sources. Hence poisoning of the training data can cause adverse effects in the data driven applications. Conventional methods identify contaminated test samples and avert them from entering into the training. A generic approach covering all data-driven applications and all types of data poisoning attacks in an efficient manner is challenging. Initially, data aggregation is performed after receiving a ML application for testing. A plurality of feature vectors are extracted from the aggregated data and a poisoned data set is generated. A plurality of personas are generated and are further prioritized to obtain a plurality of attack personas. Further, a plurality of security assessment vectors are computed for each of the plurality of attack personas. A plurality of preventive measures are recommended for each of the plurality of attack personas based on the corresponding security assessment vector.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: October 31, 2023
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Manish Shukla, Rosni Kottekulam Vasu, Sachin Premsukh Lodha, Sanjay Seetharaman
  • Patent number: 11805141
    Abstract: An approach to predicting the outcome of a computer security response. The approach can analyze an unlabeled set of network data and based on the analysis, create a language model of the network. The approach can process the language model to predict a reduction factor associated with network availability. The approach can further process the language model and a malicious sequence to predict an effectiveness factor associated with blocking the malicious sequence. The approach can output both the reduction factor and the effectiveness factor to a network administrator for determining the applicability of the computer security response.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: October 31, 2023
    Assignee: International Business Machines Corporation
    Inventor: Fady Copty
  • Patent number: 11800361
    Abstract: The technology includes a method performed by a security system of a 5G network to thwart a cyberattack. The security system is instantiated to monitor and control network traffic at a perimeter of the 5G network in accordance with a security model based on a vulnerability parameter, a risk parameter, and a threat parameter. The security system can process the network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the network traffic in relation to the parameters. Based on the VRT score, the system redirects the network traffic to a containment area that mimics an intended destination or related process of the network traffic to induce malicious VRT traffic. When malicious VRT traffic is detected, the security system can, for example, prevent the network traffic from being communicated to the 5G network.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: October 24, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11770393
    Abstract: Various methods, apparatuses/systems, and media for detecting a target behavior are disclosed. A processor implements a machine learning cadence model that implements an algorithm to obtain, on a per session basis, cadence data that indicates average time between each call and a standard deviation of times across each call across all active sessions of a desired target. The processor compares the cadence data to predefined background cadence data to identify whether the desired target is a new threat target or a background traffic; generates an internet protocol (IP) address of the new threat target; inputs the IP address of the new threat target into a machine learning behavior model that implements an algorithm to generate a fingerprint of all known places that the new threat target is operating; and applies a mitigation algorithm to all active sessions of the new threat target.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: September 26, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Devin C Moore
  • Patent number: 11770391
    Abstract: This disclosure provides systems, methods and apparatuses for classifying traffic flow using a plurality of learning machines arranged in multiple hierarchical levels. A first learning machine may classify a first portion of the input stream as malicious based on a match with first classification rules, and a second learning machine may classify at least part of the first portion of the input stream as malicious based on a match with second classification rules. The at least part of the first portion of the input stream may be classified as malicious based on the matches in the first and second learning machines.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: September 26, 2023
    Assignee: Redberry Systems, Inc.
    Inventors: Madhavan Bakthavatchalam, Sandeep Khanna, Varadarajan Srinivasan
  • Patent number: 11757903
    Abstract: A method, system, and medium used in unauthorized communication detection in an onboard network system having electronic control units connected to a network include: identifying, from information relating to an attack message on the onboard network system, a communication pattern indicating features of the attack message; determining whether a candidate reference message matches the communication pattern; and determining a reference message used as a reference in determining whether or not a message sent out onto the network is an attack message, using results of the determining of whether or not the candidate reference message matches the communication pattern identified in the identifying operation.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: September 12, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Manabu Maeda, Takeshi Kishikawa, Daisuke Kunimune
  • Patent number: 11757844
    Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu
  • Patent number: 11757936
    Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.
    Type: Grant
    Filed: January 13, 2022
    Date of Patent: September 12, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Zihang Xiao, Cong Zheng, Jiangxia Liu