Abstract: The present invention relates to a method and system for monitoring webpages for detecting malicious contents. According to a preferred embodiment the method comprises A) providing a plurality of URLs provided by a subscriber, employing a crawler to visit a URL webpage of said plurality of URLs; B) retrieving an object from said URL webpage by said crawler; C) analyzing said object retrieved by said crawler from said URL webpage, and determining whether said object retrieved is malicious or not; and D) alerting the subscriber, when said retrieved object is deemed malicious. According to one embodiment, the method further comprises E) employing a crawler to visit a URL webpage of a following URL of the plurality of URLs, when the determination of step C) is deemed not malicious; and F) returning to step B).

Abstract: Embodiments of a cyberattack monitoring system are disclosed to identify successful attacks on a service based on benign activities of the attacker performed after the initial attack attempt. In embodiments, the system identifies the initial attack by matching client actions to known attack patterns. Clients observed with attempted attacks are remembered as suspected attackers. The system will then monitor subsequent actions of suspected attackers for signs that the initial attack attempt was successful. In embodiments, a successful attack is recognized when the system observes one or more subsequent benign actions by the suspected attacker. In embodiments, the presence of follow-on benign actions is used as a filter to filter out unsuccessful attacks and false positives detected by the system. The filtering enables the system to better focus system resources and human attention on a small set of client activities that are likely successful attacks.

Abstract: A system and a method for configuring resources over a network cloud are described. Attributes related to user roles i.e. categories of user roles, network cloud based services associated with each category, and a number of users associated with each category are received. Hardware capabilities and/or network capabilities corresponding to the attributes are determined from a mapping table stored in a repository. A service set capable of providing the hardware capabilities and the network capabilities is determined from the mapping table stored in the repository. The mapping table is based on previous implementations and instructions associated with one or more service sets. Resources are configured over the network cloud to implement the service set.

Abstract: An example apparatus includes target signal generator circuitry to generate a target signal having a first center frequency and a bandwidth. The example apparatus additionally includes companion signal generator circuitry to generate a companion signal having a second center frequency that is less than (a) the first center frequency adjusted by a first threshold and greater than (b) the first center frequency adjusted by a second threshold, the first threshold being a first multiple of the bandwidth, the second threshold being a second multiple of the bandwidth, the first multiple different than the second multiple. In some examples, the example apparatus includes adder circuitry to combine the target signal and the companion signal to form a composite signal. Additionally, the example apparatus includes transmitter circuitry to transmit the composite signal to a target device.

Abstract: A secret share value [q] of a quotient q of a/p is obtained through secure computation using a secret share value [a] and a modulus p and [a/d0]=[(a+qp)/d0]?[q]p/d0, . . . , [a/dn?1]=[(a+qp)/dn?1]?[q]p/dn?1 are obtained and output through secure computation using secret share values [a] and [q], divisors d0, . . . , dn?1, and a modulus p. Here, [?] is a secret share value of ?, a is a real number, n is an integer equal to or greater than 2, d0, . . . , dn?1 are divisors of real numbers, p is a modulus of a positive integer, and q is a quotient of a positive integer.

Abstract: The disclosure is directed towards the real-time detection and mitigation of security threats to a domain name system (DNS) for a communication network. A graph-theoretic method is applied to detect compromised DNS assets (e.g., DNS servers and web servers that DNS servers map domain names to). A graph is generated from domain name resolution (DNR) transactions. The nodes of the graph represent the DNS assets and edges between the nodes represent the DNR transactions. The graph is analyzed to detect features that signal compromised assets. The detection of such features serves to act as a binary classifier for the represented assets. The binary classifier acts to classify each node as non-compromised or compromised. The analysis is guided by supervised and/or unsupervised machine learning methods. Once the assets are classified, DNR transactions are analyzed in real-time. If the transaction involves a compromised asset, an intervention is performed that mitigates the threat.

Abstract: In one embodiment, a malware analysis method includes receiving a file on a virtual machine (VM). The VM includes, a web debugging proxy, a system resource monitor, and a file analysis tool. The method also includes performing, with the file analysis tool, a static analysis on the file. The static analysis includes determining a set of file properties of the file, and storing the determined file properties in a repository. The method further includes performing, with the web debugging proxy and the system resource monitor, a dynamic analysis on the file, the dynamic analysis. The dynamic analysis includes running the file on the VM, determining, with the web debugging proxy, web traffic of the virtual machine, determining, with the system resource monitor, executed commands and modifications to system resources of the VM originating from the file, and storing the determined traffic and executed commands in the repository.

Abstract: A security system detects and attributes anomalous activity in a network. The system logs user network activity, which can include ports used, IP addresses, commands typed, etc., and may detect anomalous activity by comparing users to find similar users, sorting similar users into cohorts, and comparing new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity. The hostname, username, IP address, and timestamp can be used to calculate aggregate scores and convoluted scores. The system extracts features from the logged anomalous network activity, and determines whether the activity is attributable to an actor profile by comparing the extracted features and attributes associated with the actor profile based upon previous activity attributed to the actor.

Abstract: A method for preventing a hardware wallet from being maliciously paired, comprising: a hardware wallet waiting to receive a connection request; when a connection request is received, determining whether a first terminal sending the connection request has been paired and connected; if so, waiting to receive an instruction of the first terminal; and when receiving a pairing transfer instruction sent by the first terminal, clearing terminal information stored in a whitelist of the hardware wallet. By means of the present technical solution, a hardware wallet can achieve pairing transfer only by means of the authorization of a previously paired terminal, thereby improving the security of the hardware wallet.

Abstract: Systems, apparatuses, and methods to establish a mapping between message identifications for messages transmitted on a communication bus and electronic control units transmitting the messages is provided. In particular, retransmission of a low priority message onto the bus is forced such that the retransmitted low priority message overlaps with a higher priority message to determine whether the messages originated from the same ECU.

Abstract: For validation of position, navigation, time (PNT) signals, a hash included in messages with PNT data is used to validate the source of the message without backhaul. Different tags from a hash chain are included in different messages. The receiver is pre-loaded with the root or later trusted hash tag of the chain as created. The hash of any received message may be hashed by the receiver. The result of the hashing will match the pre-loaded or trusted hash tag if the transmitter of the message is a valid source. The PNT data may be validated using a digital signature formed from the PNT data for one or more messages and the hash tag wherein a hash tag of the chain in a subsequently received message is used as the key. The digital signature may be formed from data across multiple messages.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious accounts. One of the methods includes identifying one or more potential clusters of malicious accounts; for each cluster, processing a collection of content associated with each account of the cluster, the processing comprising applying a plurality of models in series to determine whether the collection of content indicates a common pattern; and based on the respective determinations, classifying the accounts of each cluster as ordinary or suspicious.

Abstract: A security module (460) for a CAN node (402). The security module (460) comprises: a RXD input interface for receiving data from a CAN bus (404), and a TXD output interface for transmitting data to the CAN bus (404). The security module (460) is configured to: receive a CAN frame from the CAN bus via the RXD input interface; compare an identifier of the received CAN frame with at least one identifier associated with a local controller (410); and upon detection of a match between the identifier of the received CAN frame and the at least one identifier associated with the local controller (410), output an error signal to the CAN bus via the TXD output interface by setting a predetermined plurality of consecutive bits (682) in the CAN frame to a dominant value. The predetermined plurality of consecutive bits (682) identifies a security error to CAN nodes connected to the CAN bus (404) and is at least 10 consecutive bits.

Abstract: Systems and methods are disclosed for accessing protected data. A computing device may have a secured stared storage accessible by two or more applications operating on the mobile device. The computing device may obtain a first token from an authorization service to verify user identity for a first application. The first token may be stored in the shared storage area, and be accessible to one or more applications sharing the storage space. In response to a user attempt to access a web service using a second application, the user identity may be verified using the first token. The authorization service may verify user credentials, and send a second token to the computing device. The second token may be a proxy ticket authorizing access and exchange of protected data between the second application and a web service. The second token may also be stored in the secure storage area.

Abstract: Provided are a method and an apparatus for analyzing a malicious code by accurately and rapidly analyzing source code extracted from a set of a plurality of malicious codes, calculating a first degree of complexity of each of a plurality of malicious code binaries, select a root binary initially generated, by using the calculated first degree of complexity, and inferring an evolutionary order of the plurality of malicious code binaries, except for the root binary, based on the calculated first degree of complexity and a degree of distance between the plurality of malicious code binaries.

Abstract: A detection device includes: a monitoring unit configured to monitor, as target messages, an authorized message being periodically transmitted and the unauthorized message in the in-vehicle network; and a generation unit configured to generate a reference time to be used in a detection process of detecting the unauthorized message; a detection unit configured to perform detection process, based on time difference between a time corresponding to a transmission time of target message based on a monitoring result of the monitoring unit, and the reference time generated by the generation unit. When target message has been determined to be abnormal in the detection process, the generation unit, based on a value obtained by adding a latest statistical value to the reference time, generates a new reference time to be used in the detection process for a target message to be transmitted after the target message having been determined to be abnormal.

Abstract: Methods are described for protecting a cyber-physical system against a potential attacker of the system. The methods include a method of generating a plurality of examples for a training data set and training a system model using the training data set to generate a decoy configured to generate a synthetic output that mimics historical outputs generated by the system for a given historical system context. Also described is a method including receiving a system context of a cyber-physical system; receiving an inquiry into the system by a potential attacker; applying a system model to the system context and the inquiry; obtaining from the system model a synthetic output that mimics how a component of the system would respond to the inquiry given the system context; and providing the synthetic output to the potential attacker.

Abstract: A method, computer program product, and computer system for identifying social engineering activity associated with at least one of a first communication and a second communication based upon, at least in part, correlation to a predetermined rule. Characteristics of the communications are compared to the predetermined rule to determine if there is a correlation.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed and a second mode in which the first type of detecting process is not performed. Moreover, in the second mode, a second type of detecting process having a different degree to which a fraudulent message is detectible than the first type of detecting process is performed.

Abstract: Example methods are provided a computer system to perform context-aware domain name system (DNS) query handling in a software-defined networking (SDN) environment. One example method may comprise detecting a DNS query to translate a domain name; identifying DNS record information that translates the domain name to a network address assigned to a virtualized computing instance; and identifying context information that is associated with the virtualized computing instance and mapped to the DNS record information. The method may also comprise: in response to detecting a potential security threat based on the context information, performing a remediation action to block access to the virtualized computing instance; but otherwise, generating and sending a DNS reply specifying the network address assigned to allow access to the virtualized computing instance.