Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: Computer system security is often implemented using rules-based systems (e.g., allow traffic to this network port, deny it for those network ports; user A is allowed access to these files, but not those files). In enterprises, multiple such systems may be deployed, but fail to be able to intelligently handle anomalies that may technically be permissible but in reality represents a high possibility that there is an underlying threat or problem. The present disclosure describes the ability to build adaptive models using machine learning techniques that integrate data from multiple different domains (e.g. user identity domain, system device domain) and allow for automated decision making and mitigation actions that can provide greater effectiveness than previous systems allowed.

Abstract: Techniques are disclosed relating to determining a risk score for domains associated with a transaction. In some embodiments, a transaction computer system receives transaction details for a transaction between a consumer and a merchant, where the transaction details are received from the merchant real-time with the transaction and include a set of transaction URLs for subsequent use in the transaction. The computer system may receive, from a browser of the consumer that is used to initiate the transaction, URL referrer information real-time with the transaction, where the URL referrer information indicates a referring web page to the transaction computer system. The computer system may determine, using the set of transaction URLs and the URL referrer information, a set of domains for the transaction and then determine a risk score for the set of domains. The computer system may determine, based on the risk score, whether to allow the transaction.

Abstract: Computer system security is often implemented using rules-based systems (e.g., allow traffic to this network port, deny it for those network ports; user A is allowed access to these files, but not those files). In enterprises, multiple such systems may be deployed, but fail to be able to intelligently handle anomalies that may technically be permissible but in reality represents a high possibility that there is an underlying threat or problem. The present disclosure describes the ability to build adaptive models using machine learning techniques that integrate data from multiple different domains (e.g. user identity domain, system device domain) and allow for automated decision making and mitigation actions that can provide greater effectiveness than previous systems allowed.

Abstract: Techniques are disclosed relating to determining a risk score for domains associated with a transaction. In some embodiments, a transaction computer system receives transaction details for a transaction between a consumer and a merchant, where the transaction details are received from the merchant real-time with the transaction and include a set of transaction URLs for subsequent use in the transaction. The computer system may receive, from a browser of the consumer that is used to initiate the transaction, URL referrer information real-time with the transaction, where the URL referrer information indicates a referring web page to the transaction computer system. The computer system may determine, using the set of transaction URLs and the URL referrer information, a set of domains for the transaction and then determine a risk score for the set of domains. The computer system may determine, based on the risk score, whether to allow the transaction.

Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: Methods and systems are presented for detecting malicious webpages based on dynamically configuring a device to circumvent one or more evasion techniques implemented within the malicious webpages. When a known malicious webpage is obtained, programming code of the known malicious webpage is analyzed to determine one or more evasion techniques implemented within the known malicious webpage. The one or more evasion techniques may cause a webpage classification engine to falsely classify the known malicious webpage as a non-malicious webpage. A software update is generated based on one or more feature parameters extracted from the one or more evasion techniques. The software update is used to for modify the webpage classification engine such that the webpage classification engine would correctly classify the known malicious webpage.

Abstract: Methods and systems are presented for providing enriched technical security data to a risk engine of an online service provider, and for adjusting security settings based on the enriched data. The enriched security data may be generated by recursively deriving additional security information from an initial security data input. The initial security data input may be associated with a risk source, such as a person or a device that submits an electronic request to the online service provider. Based on the initial security data input, the risk engine may recursively derive additional security information that enriches the initial security data input. The risk engine may then use the derived security information as well as the initial security data input to assess a risk level of the risk source, and then adjust a security setting of the online service provider based on the assessed risk level of the risk source.

Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: Methods and systems are presented for dynamically adjusting a risk classification of a risk source based on classifications of one or more other risk sources. The risk engine may first classify a first risk source as a first risk type based on an initial analysis of the first risk source. Subsequent to classifying the first risk source as the first risk type, the risk engine may determine that a second risk source is associated with a second risk type. Based on the determination that the second risk source is associated with the second risk type, the risk engine may re-classify the first risk source as the second risk type. The risk engine may then use the reclassification of the first risk source to improve network security of an online service provider.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: Systems and methods for authenticating requests to use an Application Programming Interface (“API”) are described. In some embodiments, a request to use an API is received. Based on a comparison of the request to use the API with a pattern of activity associated with the client, a determination is made whether the client deviates from an expected behavior. Once a determination that the client deviates from the expected behavior is made, an authentication challenge is generated and issued. In some embodiments, the comparison of the request to use the API with a pattern of activity involves comparing transactional attributes of the request to use the API with past client behavior.

Abstract: Methods, systems, and computer program products for performing passive and active identity verification in association with online communications. For example, a computer-implemented method may include receiving one or more electronic messages associated with a user account, analyzing the electronic messages based on a plurality of identity verification profiles associated with the user account, generating an identity trust score associated with the electronic messages based on the analyzing, determining whether to issue a security challenge in response to the electronic messages based on the generated identity trust score, and issuing the security challenge in response to the electronic messages based on the determining.

Abstract: A computer system detects an action corresponding to a resource page being rendered within a web view of an application. In response to the detecting the action corresponding to a resource page being rendered within the web view of the application, the computer system identifies information associated with the resource page and determines if one or more risk indications correspond to the identified information. In response to determining that one or more risk indications correspond to the identified information, the computer system implements one or more security measures.

Abstract: Methods and systems are presented for dynamically adjusting a risk classification of a risk source based on classifications of one or more other risk sources. The risk engine may first classify a first risk source as a first risk type based on an initial analysis of the first risk source. Subsequent to classifying the first risk source as the first risk type, the risk engine may determine that a second risk source is associated with a second risk type. Based on the determination that the second risk source is associated with the second risk type, the risk engine may re-classify the first risk source as the second risk type. The risk engine may then use the reclassification of the first risk source to improve network security of an online service provider.

Abstract: Images related to one or more attacks to a service provider system may be analyzed to improve the security of the service provider system. Each of the images may be segmented into multiple segments. Each of the segments is analyzed independently to determine whether the segment includes obfuscated data and if so, which one of the data obfuscation techniques was used to generate the obfuscated data. Additional information regarding the obfuscated data may be derived from other segments that include unobfuscated data and from the metadata of the image. A data restoration algorithm may be configured accordingly to restore the obfuscated data. The restored data, as well as a context derived for the image, may be used to adjust one or more security parameters of the service provider system to improve the security of the service provider system.

Abstract: Methods, systems, and computer program products for providing transaction verification through enhanced authentication are provided. A method performed by a computer system may include receiving an application programming interface (API) request from a client, detecting a change associated with the API request as compared to a prior use of the API by the client, generating an encrypted challenge to authenticate the API request based on detecting the change, and issuing the encrypted challenge to the client to authenticate the API request.

Abstract: A computer system determines that authentication information has been requested from a user device by a requesting device. In response to determining that authentication information has been requested by the requesting device, the computer system identifies information corresponding to the requesting device and determines if one or more risk indications correspond to the identified information corresponding to the requesting device. In response to determining that one or more risk indications correspond to the identified information corresponding to the requesting device, the computer system implements one or more security measures.

Abstract: A method for phishing detection based on modeling of web page content is discussed. The method includes accessing suspect web page content of a suspect Uniform Resource Locator (URL). The method includes generating an exemplary model based on an exemplary configuration for an indicated domain associated with the suspect URL, where the exemplary model indicates structure and characteristics of an example web page of the indicated domain. The method includes generating a suspect web page model that indicates structure and characteristics of the suspect web page content. The method includes performing scoring functions for the potential phishing web page content based on the suspect web page model, where some of the scoring functions use the exemplary model to perform analysis to generate respective results. The method includes generating a web page content phishing score based on results from the scoring functions.

Abstract: Techniques are disclosed relating to determining whether geographic locations of a user computing device satisfy a location consensus threshold. A computer system receives results of a plurality of location determination operations, each of which specifies a geographic location of a computing device initiating an action. The computer system then makes a determination whether the received results satisfy a consensus threshold as to geographic location of the computing device. In some embodiments, the determination is usable to select, from a plurality of sets of rules for different geographic regions, a particular set of rules for processing the action. In some cases, the particular set of rules is usable to determine whether to process the action. Such techniques may advantageously allow a processing system to understand how to process actions initiated by a computing device associated with different geographic locations.