Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: Systems and methods of authenticating voice data using a ledger (blockchain). Examples include a scalable and seamless system that uses blockchain technologies to distribute trust of a conversation, authenticate persons in a conversation, track their characteristics and also to keep records of conversations. In some examples, smart phones, wearables, and Internet-of-Things (IoT) devices can be used to record and track conversations between individuals. These devices can each be used to create entries for the blockchain or a single device could be used to keep track of the entirety of the conversation. Fuzzy hashing may be used to compare newly created entries with previous entries on the ledger.

Abstract: Computer system security is often implemented using rules-based systems (e.g., allow traffic to this network port, deny it for those network ports; user A is allowed access to these files, but not those files). In enterprises, multiple such systems may be deployed, but fail to be able to intelligently handle anomalies that may technically be permissible but in reality represents a high possibility that there is an underlying threat or problem. The present disclosure describes the ability to build adaptive models using machine learning techniques that integrate data from multiple different domains (e.g. user identity domain, system device domain) and allow for automated decision making and mitigation actions that can provide greater effectiveness than previous systems allowed.

Abstract: Systems and methods for authenticating requests to use an Application Programming Interface (“API”) are described. In some embodiments, a request to use an API is issued from a client to a server. One or more credentials for a first-level authentication challenge are provided from the client to the server. Responsive to the server determining that the client deviates from an expected behavior based on comparing the request to use the API with a pattern of activity associated with the client, the client receives a second authentication challenge.

Abstract: Methods and systems for detecting webpages that share malicious content are presented. A first set of webpages that hosts a web account checker is identified. A baseline page structure score and a baseline language score are calculated based on the identified first set of webpages. Content from a second set of webpages is collected and analyzed based on the calculated baseline page structure and the calculated baseline language scores. One or more of the second set of webpages is flagged as malicious based on the analyzing of the content collected from the second set of webpages.

Abstract: Techniques are disclosed relating to determining whether geographic locations of a user computing device satisfy a location consensus threshold. A computer system receives results of a plurality of location determination operations, each of which specifies a geographic location of a computing device initiating an action. The computer system then makes a determination whether the received results satisfy a consensus threshold as to geographic location of the computing device. In some embodiments, the determination is usable to select, from a plurality of sets of rules for different geographic regions, a particular set of rules for processing the action. In some cases, the particular set of rules is usable to determine whether to process the action. Such techniques may advantageously allow a processing system to understand how to process actions initiated by a computing device associated with different geographic locations.

Abstract: Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.

Abstract: Systems and methods for authenticating requests to use an Application Programming Interface (“API”) are described. In some embodiments, a request to use an API is received. Based on a comparison of the request to use the API with a pattern of activity associated with the client, a determination is made whether the client deviates from an expected behavior. Once a determination that the client deviates from the expected behavior is made, an authentication challenge is generated and issued. In some embodiments, the comparison of the request to use the API with a pattern of activity involves comparing transactional attributes of the request to use the API with past client behavior.

Abstract: Methods and systems are presented for dynamically adjusting a risk classification of a risk source based on classifications of one or more other risk sources. The risk engine may first classify a first risk source as a first risk type based on an initial analysis of the first risk source. Subsequent to classifying the first risk source as the first risk type, the risk engine may determine that a second risk source is associated with a second risk type. Based on the determination that the second risk source is associated with the second risk type, the risk engine may re-classify the first risk source as the second risk type. The risk engine may then use the reclassification of the first risk source to improve network security of an online service provider.

Abstract: A method for phishing detection using uniform resource locators is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL). The method includes assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score indicating a phishing potential based on URL rules. The method includes determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs. The method also includes determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL.

Abstract: Techniques are disclosed relating to determining a risk score for domains associated with a transaction. In some embodiments, a transaction computer system receives transaction details for a transaction between a consumer and a merchant, where the transaction details are received from the merchant real-time with the transaction and include a set of transaction URLs for subsequent use in the transaction. The computer system may receive, from a browser of the consumer that is used to initiate the transaction, URL referrer information real-time with the transaction, where the URL referrer information indicates a referring web page to the transaction computer system. The computer system may determine, using the set of transaction URLs and the URL referrer information, a set of domains for the transaction and then determine a risk score for the set of domains. The computer system may determine, based on the risk score, whether to allow the transaction.

Abstract: Systems and methods of authenticating voice data using a ledger (blockchain). Examples include a scalable and seamless system that uses blockchain technologies to distribute trust of a conversation, authenticate persons in a conversation, track their characteristics and also to keep records of conversations. In some examples, smart phones, wearables, and Internet-of-Things (IoT) devices can be used to record and track conversations between individuals. These devices can each be used to create entries for the blockchain or a single device could be used to keep track of the entirety of the conversation. Fuzzy hashing may be used to compare newly created entries with previous entries on the ledger.

Abstract: Methods and systems for assessing and evaluating vulnerabilities of a networked system are presented. A list of known vulnerabilities that have been disclosed in the public may be obtained. The networked system may be scanned from an external perspective to obtain network information of the networked system. A subset of the known vulnerabilities may be determined to be relevant to the networked system based on correlations between the vulnerabilities and the network information. The networked system may also be analyzed from an internal perspective to determine impacts of the relevant known vulnerabilities to the networked system. The impact of a vulnerability may be determined based on the type of data and/or the type of services that may be accessible in an attack that exploits the vulnerability. The vulnerabilities may then be ranked and addressed based on the impacts.

Abstract: Methods, systems, and computer program products for performing passive and active identity verification in association with online communications. For example, a computer-implemented method may include receiving one or more electronic messages associated with a user account, analyzing the electronic messages based on a plurality of identity verification profiles associated with the user account, generating an identity trust score associated with the electronic messages based on the analyzing, determining whether to issue a security challenge in response to the electronic messages based on the generated identity trust score, and issuing the security challenge in response to the electronic messages based on the determining.

Abstract: A method for using a malware and phishing detection and mediation platform is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a respective potential malware or a suspect phishing element (e.g., Uniform Resource Locator (URL)). The method includes selecting one of a plurality of detection engines for processing the data, where the selecting is based on previous results of previous processing by one or more detection engines. Each of the plurality of detection engines can be for performing one or more respective investigation actions on the plurality of data to determine a particular issue with one of the monitored data. The method also includes determining a mediation action based on a result of processing of the detection engine and the previous processing.

Abstract: A triaged approach is implemented to detect and prevent electronic attacks against online entities and to reduce latency. Transaction requests are classified into different tiers and are treated differently based on the tier status. For example, transaction requests to conduct transactions with an entity are received from a client system. Characteristics such as rate or amounts of transactions of the transaction requests are analyzed. The characteristics are compared against specified threshold limits to assess whether the specified threshold limits are exceeded. Based on an assessment that at least one of the specified threshold limits is exceeded, a set of computer instructions is selected from different sets of computer instructions for execution on the client system. A result of an execution is received from the client system. Based on the result of the execution, a determination is made whether the transaction requests appear to have originated from a machine-automated submission process.

Abstract: Device identification data, network connection data, and other related data may be analyzed to determine an account classification, particularly before the account has even been used (or before extensive use has occurred). Computer system security may be improved via an intelligent engine that detects certain device and network connection factors in association with particular user actions, such as account creation. Monitoring be performed over a period of time for subsequent analysis.

Abstract: Systems and methods of authenticating voice data using a ledger (blockchain). Examples include a scalable and seamless system that uses blockchain technologies to distribute trust of a conversation, authenticate persons in a conversation, track their characteristics and also to keep records of conversations. In some examples, smart phones, wearables, and Internet-of-Things (IoT) devices can be used to record and track conversations between individuals. These devices can each be used to create entries for the blockchain or a single device could be used to keep track of the entirety of the conversation. Fuzzy hashing may be used to compare newly created entries with previous entries on the ledger.

Abstract: A method for phishing detection using certificates associated with uniform resource locators (URLs) is discussed. The method includes accessing certificate portions of a certificate associated with a suspect URL, the certificate accessed at a database that includes certificates obtained by monitoring certificate logs. The method includes accessing a URL score for the suspect URL. The method includes assigning a certificate rule score based on partial certificate scores of certificate portions, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each portion based on certificate rules. The method includes using a machine learning model based on the URL score and the certificate to determine a uniqueness certificate score. The method also includes determining a phishing certificate score based on the certificate rule score and the uniqueness certificate score for the certificate.