Abstract: A method for phishing detection using certificates associated with uniform resource locators (URLs) is discussed. The method includes accessing certificate portions of a certificate associated with a suspect URL, the certificate accessed at a database that includes certificates obtained by monitoring certificate logs. The method includes accessing a URL score for the suspect URL. The method includes assigning a certificate rule score based on partial certificate scores of certificate portions, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each portion based on certificate rules. The method includes using a machine learning model based on the URL score and the certificate to determine a uniqueness certificate score. The method also includes determining a phishing certificate score based on the certificate rule score and the uniqueness certificate score for the certificate.

Abstract: A method for phishing detection using uniform resource locators is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL). The method includes assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score indicating a phishing potential based on URL rules. The method includes determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs. The method also includes determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL.

Abstract: A method for using a malware and phishing detection and mediation platform is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a respective potential malware or a suspect phishing element (e.g., Uniform Resource Locator (URL)). The method includes selecting one of a plurality of detection engines for processing the data, where the selecting is based on previous results of previous processing by one or more detection engines. Each of the plurality of detection engines can be for performing one or more respective investigation actions on the plurality of data to determine a particular issue with one of the monitored data. The method also includes determining a mediation action based on a result of processing of the detection engine and the previous processing.

Abstract: Methods and systems for creating and analyzing encoded vector information from user activities relative to one or more services and/or devices are described. Sentiment analysis using natural language processing can be performed on user activity and a determination can be made as to whether the sentiment of a user account has fraudulent or benign sentiment. Should a fraudulent account sentiment be determined, mitigation measures may be taken including flagging and restricting a user account.

Abstract: Methods and systems for implementing keyboard linked authentication challenges are described. A visual representation of a first string of characters is provided for display on a client computing device. In response to the providing the visual representation for display, several keystrokes on the client computing device that produces a second string of characters are received. A determination that the second string of characters matches the first string of characters is made. A determination that no unauthorized keystrokes are included in the detected plurality of keystrokes is further made. Access is provided to the client computing device upon determining that the second string of characters matches the first string of characters, and determining that no unauthorized keystrokes are included in the detected plurality of keystrokes.

Abstract: A triaged approach is implemented to detect and prevent electronic attacks against online entities and to reduce latency. Transaction requests are classified into different tiers and are treated differently based on the tier status. For example, transaction requests to conduct transactions with an entity are received from a client system. Characteristics such as rate or amounts of transactions of the transaction requests are analyzed. The characteristics are compared against specified threshold limits to assess whether the specified threshold limits are exceeded. Based on an assessment that at least one of the specified threshold limits is exceeded, a set of computer instructions is selected from different sets of computer instructions for execution on the client system. A result of an execution is received from the client system. Based on the result of the execution, a determination is made whether the transaction requests appear to have originated from a machine-automated submission process.

Abstract: Device identification data, network connection data, and other related data may be analyzed to determine an account classification, particularly before the account has even been used (or before extensive use has occurred). An account with direct or indirect access to databases may be created by a user, where a service provider may wish to assess the account's creation to detect if a bad actor is generating the account to engage in malicious computing actions or fraud. The account's creation data may be scored by an intelligent engine that detects malicious or fraudulent account creations, for example, based on whether a virtual private network is used to create the account, whether a VoIP phone number is being used, etc. The account may be monitored over a period of time and the account activities analyzed again to determine whether technical data associated with the account indicates a particular risk classification is appropriate.

Abstract: Techniques are disclosed relating to determining a risk score for domains associated with a transaction. In some embodiments, a transaction computer system receives transaction details for a transaction between a consumer and a merchant, where the transaction details are received from the merchant real-time with the transaction and include a set of transaction URLs for subsequent use in the transaction. The computer system may receive, from a browser of the consumer that is used to initiate the transaction, URL referrer information real-time with the transaction, where the URL referrer information indicates a referring web page to the transaction computer system. The computer system may determine, using the set of transaction URLs and the URL referrer information, a set of domains for the transaction and then determine a risk score for the set of domains. The computer system may determine, based on the risk score, whether to allow the transaction.

Abstract: Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.

Abstract: Methods, systems, and computer program products for performing passive and active identity verification in association with online communications. For example, a computer-implemented method may include receiving one or more electronic messages associated with a user account, analyzing the electronic messages based on a plurality of identity verification profiles associated with the user account, generating an identity trust score associated with the electronic messages based on the analyzing, determining whether to issue a security challenge in response to the electronic messages based on the generated identity trust score, and issuing the security challenge in response to the electronic messages based on the determining.

Abstract: Methods and systems for detecting webpages that share malicious content are presented. A first set of webpages that hosts a web account checker is identified. A baseline page structure score and a baseline language score are calculated based on the identified first set of webpages. Content from a second set of webpages is collected and analyzed based on the calculated baseline page structure and the calculated baseline language scores. One or more of the second set of webpages is flagged as malicious based on the analyzing of the content collected from the second set of webpages.

Abstract: Methods and systems are presented for detecting malicious webpages based on dynamically configuring a device to circumvent one or more evasion techniques implemented within the malicious webpages. When a known malicious webpage is obtained, programming code of the known malicious webpage is analyzed to determine one or more evasion techniques implemented within the known malicious webpage. The one or more evasion techniques may cause a webpage classification engine to falsely classify the known malicious webpage as a non-malicious webpage. A software update is generated based on one or more feature parameters extracted from the one or more evasion techniques. The software update is used to for modify the webpage classification engine such that the webpage classification engine would correctly classify the known malicious webpage.

Abstract: Techniques are disclosed relating to detecting that a client system is an emulated computer system based on its computational performance of one or more challenge problems. In some embodiments, a server computer system may receive, from a client system, a request to access a web service. The server computer system may determine reported technical features of the client system and select a particular challenge problem to provide to the client system. The server computer system may determine an expected response time of the particular challenge problem for the client system. The server computer system may receive a challenge response from the client system that includes a proposed solution to the particular challenge problem. The server computer system may then determine whether to authorize the request based on a measured response time by the client system and the expected response time of the particular challenge problem for the client system.

Abstract: Methods and systems for assessing and evaluating vulnerabilities of a networked system are presented. A list of known vulnerabilities that have been disclosed in the public may be obtained. The networked system may be scanned from an external perspective to obtain network information of the networked system. A subset of the known vulnerabilities may be determined to be relevant to the networked system based on correlations between the vulnerabilities and the network information. The networked system may also be analyzed from an internal perspective to determine impacts of the relevant known vulnerabilities to the networked system. The impact of a vulnerability may be determined based on the type of data and/or the type of services that may be accessible in an attack that exploits the vulnerability. The vulnerabilities may then be ranked and addressed based on the impacts.

Abstract: Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.

Abstract: Systems and methods of authenticating voice data using a ledger (blockchain). Examples include a scalable and seamless system that uses blockchain technologies to distribute trust of a conversation, authenticate persons in a conversation, track their characteristics and also to keep records of conversations. In some examples, smart phones, wearables, and Internet-of-Things (IoT) devices can be used to record and track conversations between individuals. These devices can each be used to create entries for the blockchain or a single device could be used to keep track of the entirety of the conversation. Fuzzy hashing may be used to compare newly created entries with previous entries on the ledger.

Abstract: Methods and systems for detecting webpages that share malicious content are presented. A first set of webpages that hosts a web account checker is identified. A baseline page structure score and a baseline language score are calculated based on the identified first set of webpages. Content from a second set of webpages is collected and analyzed based on the calculated baseline page structure and the calculated baseline language scores. One or more of the second set of webpages is flagged as malicious based on the analyzing of the content collected from the second set of webpages.

Abstract: Computer system security is often implemented using rules-based systems (e.g., allow traffic to this network port, deny it for those network ports; user A is allowed access to these files, but not those files). In enterprises, multiple such systems may be deployed, but fail to be able to intelligently handle anomalies that may technically be permissible but in reality represents a high possibility that there is an underlying threat or problem. The present disclosure describes the ability to build adaptive models using machine learning techniques that integrate data from multiple different domains (e.g. user identity domain, system device domain) and allow for automated decision making and mitigation actions that can provide greater effectiveness than previous systems allowed.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: Techniques are disclosed relating to detecting that a client system is an emulated computer system based on its computational performance of one or more challenge problems. In some embodiments, a server computer system may receive, from a client system, a request to access a web service. The server computer system may determine reported technical features of the client system and select a particular challenge problem to provide to the client system. The server computer system may determine an expected response time of the particular challenge problem for the client system. The server computer system may receive a challenge response from the client system that includes a proposed solution to the particular challenge problem. The server computer system may then determine whether to authorize the request based on a measured response time by the client system and the expected response time of the particular challenge problem for the client system.