Abstract: A method for the efficient use of Large Language Models (LLMs) in malicious code detection, the method including: assessing code and assigning a probability level of being malicious; and running code assessed to be above a predetermined probability level through an LLM to determine if the code is malicious.

Abstract: A method for data-flow analysis includes constructing a data-flow graph for a computing system that runs multiple software applications. The data-flow graph includes (i) vertices representing data locations in the computing system, and (ii) edges representing data movements performed by the software applications between the data locations. One or more multi-hop paths are identified in the data-flow graph, each multi-hop path including a sequence of two or more edges that represents multi-hop movement of data in the computing system. One or more of the identified multi-hop paths are acted upon.

Abstract: Systems and methods of the present disclosure enable reversible blockchain operations. An operation-reverse operation pair specifies an operation for exchange of a first token for a second token, and a reverse operation for return of the second token for the first token upon at least one condition being satisfied. A self-executing software container (SESC) executes the operation-reverse operation pair according to the condition by detecting a transfer of the first token into a first segregated data structure, and a transfer of the second token from a second token storage to a first token storage. The SESC initiates a transfer of the first token from the first segregated data structure to a second segregated data structure in response to the transfer of the second token. Upon detecting a reverse operation matching the condition, the SESC initiates a transfer of the first token back to the first segregated data structure.

Abstract: An architecture of a multi-cloud inspector for any computing device type is provided. According to an embodiment, a method for implementing multi-cloud inspection includes accessing an object list, determining which objects to inspect, determining which inspectors to use, creating object copies, providing and running inspectors for each object copy, receiving inspection report summaries, generating an enriched dataset, and adding the enriched dataset to a security graph database.

Abstract: An adversarial reinforcement learning system is used to simulate a spatial environment. The system includes a simulation engine configured to simulate a spatial environment and various objects therein. The system further includes a first model configured to control objects in the simulation and a second model configured to control objects in the simulation. The first model generates a threat-mitigation input to control one or more objects in the simulation, and the second model generates a threat input to control one or more objects in the simulation. The system then executes a first portion of the simulation based at least in part of the threat mitigation input and the threat input.

Abstract: Management of IoT devices through a private cloud. An IoT device is coupled to a gateway. A request from the IoT device to connect to a private cloud, wherein the private cloud is used to manage IoT devices, is received at a private cloud control center agent. An identification of the IoT device is determined. The IoT device is onboarded, using the identification, for management through the private cloud. A device profile of the IoT device is generated. The flow of data to and from the IoT device is regulated through application of IoT rules according to the device profile of the IoT device.

Abstract: Techniques described herein can allow users to share cached results of an original query with other users while protecting sensitive information. The techniques described herein can check whether the other users have access to the underlying data queried before allowing those users to see the stored query results. That is, the system may perform privilege checks on the shared users before giving them access to the stored query results but without having to re-run the original query.

Abstract: Data characterizing a prompt for ingestion by a first generative AI model is received. This received data is input into a second GenAI model to result in a second output. The first GenAI model is a different (e.g., fine-tuned, unrelated aligned model, etc.) version of the second GenAI model. When the second output indicates that guardrails associated with the second GenAI model have been triggered, one or more remediation actions are initiated. Related apparatus, systems, techniques and articles are also described.

Abstract: Systems and methods are disclosed for performing access control method by running a security software service as a localhost web service on an endpoint device; communicating with a system web server which manages licensing of the system and authentication of the endpoint device; creating a secure digital capsule that is controlled and can only be accessed by the system web server which authenticated the user and authorized the endpoint device; and placing on a distributed ledger messages and data files stored in the system in the secure digital capsules to detect and prevent alteration or manipulation of data.

Abstract: A computer-implemented method, computer program product and computing system for receiving a plurality of detection events concerning a plurality of security events occurring on multiple security-relevant subsystems within one or more computing platforms; storing the plurality of detection events to form an event repository; and processing the event repository using a machine learning model to identify attack patterns defined within the plurality of detection events stored within the event repository, thus defining one or more identified attack patterns.

Abstract: A method and apparatus for data collection to facilitate bot detection. According to this approach, and in lieu of conventional user agent-based fingerprinting, a client script is executed to attempt to identify one or more Javascript “landmark” features. In one embodiment, a landmark Javascript feature is a Javascript implementation that exists in a first browser type but not a second browser type distinct from the first browser type, and that also exists in one or more releases of the first browser type, but not in one or more other releases of the first browser type. By testing against landmark Javascript features as opposed to an unconstrained set of API calls and the like, the technique herein provides for much more computationally-efficient client-side operation.

Abstract: The present disclosure provides an approach of providing, to an artificial intelligence (AI) model, a malicious script that includes a malicious behavior. The AI model is configured to modify software code of the malicious script to produce modified software code that obfuscates the malicious behavior. The approach produces, by a processing device using the AI model, an adversarial script that includes the modified software code that obfuscates the malicious behavior. In turn, the approach initiates a malware detector to test the adversarial script.

Abstract: Disclosed are various examples for transferring device identifying information during authentication. An enrollment request is received from a management component executed by a client device. A management service generates a unique device identifier for the client device and embeds it within a certificate to generate a device-identifying certificate. The management service instructs a certificate authority service to generate a public key that includes the unique device identifier and a private key for the client device, and provides the device-identifying certificate and the private key to the client device.

Abstract: A computer stores, within a single user account, multiple supervised computing resources and multiple additional computing resources. The multiple supervised computing resources are associated with a security policy. The computer executes a first instance of a specified application that lacks read access and lacks write access to any and all of the multiple supervised computing resources. The computer executes, simultaneously with the first instance, a second instance of the specified application that accesses at least a portion of the multiple supervised computing resources. The computer applies rules from the security policy to the second instance of the specified application while foregoing applying the rules from the security policy to the first instance of the specified application.

Abstract: Methods and devices associated with providing access to a computing device are described. A method can include generating a real-time image including an attempted user, comparing the real-time image to a reference image of an authorized user, identifying an obstructed portion of the attempted user, comparing an unobstructed portion of the attempted user to a portion of the authorized user corresponding to the unobstructed portion of the attempted user, providing access to a computing device in response to the unobstructed portion of the attempted user matching the portion of the authorized user, and rejecting access to the computing device in response to the unobstructed portion of the attempted user being different from the portion of the authorized user.

Abstract: A method for facilitating identity and access management in a cloud environment based on a zero-trust configuration is provided. The method includes retrieving, via a job, a token from a corresponding identity provider, the job including a unit of work and a unit of execution that corresponds to a change; retrieving, via the job, a change authorization from a change management system, the change authorization including a signed change authorization; retrieving, via the job, a change artifact from an artifact repository, the change artifact including a signed change artifact; requesting, via the job, a change orchestrator to execute the change, the request including the token, the change authorization, and the change artifact; instructing, via the change orchestrator, a service broker to execute the change; and executing, via the service broker, the change within the cloud environment.

Abstract: Disclosed are a system for providing event data recorder (EDR) data of a vehicle and a method thereof. The system may include a user terminal and a server. The user terminal may determine a first hash value of a certificate, and transmit the first hash value to a server. The server may receive the certificate and encrypted EDR data from an autonomous driving controller, decrypt, using a public key included in the certificate, a digital signature of the certificate to obtain a second hash value, and, based on a comparison between the first and second hash values, decrypt, using a private key, the encrypted EDR data, and transmit the decrypted EDR data to the user terminal. The user terminal may receive the decrypted EDR data from the server, and provide the decrypted EDR data to a user.

Abstract: Dynamic Cipher Key Management (DCKM) of the present invention enables the protection of sensitive electronic data by assigning symmetric or asymmetric cipher keys using a process that delivers the cipher key to a network endpoint device by means of a key installation, delivery, and storage methodology. DCKM may negate the need to physically touch the network device under protection. Further, DCKM's process is based on a set of operating principles that maintains the highest levels of assurance that the cipher key pairs are issued with only devices that have the right and authorization to create a secure communication path. The DCKM process realizes the same level of security confidence that is only achieved today with conventional token based key management services with respect to the paired devices linked via a cipher key public and private relationship.

Abstract: A method for detecting an exploit in a processing instruction. The method may comprise steps of receiving processor instructions, analyzing the processor instructions to detect data flow instructions, trimming out the data flow instructions, comparing the data flow instructions to a pre-defined pattern for exploit behavior, and generating an exploit notification in response to detecting the pre-defined pattern for exploit behavior in the data flow instructions.

Abstract: The disclosed method includes: receiving first and second user requests; executing, using a traffic security system, a first security operation associated with a network; executing, using the traffic security system, a second security operation associated with the network; determining, using an API authorizer, whether the first user request associated with the first user originates from a first approved application; and determining, using the API authorizer, whether the second user request associated with the second user originates from the first approved application or a second approved application. In response to the API authorizer determining the first user request and the second user request originate from the approved applications, the method includes: directing, an API entry point, to activate APIs for responding to the first and second user requests; and coordinating or distributing, using a network load balancer, execution of the first and second user requests.