Patents by Inventor Cédric Hebert
Cédric Hebert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11212281
Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting cyber-attack. In an embodiment, a server receives a request to an application from a user device. The server determines that there is no cookie in the received request. The server then generates a new fingerprinting cookie and sends a verification request to the user device to verify the identity of a user. When the server receives the verification reply from the user device, the server determines that the verification reply is valid, marks the new cookie as a verified cookie, and transfers the request to the application for processing. The server can also unverify the verified cookie when the verified cookie is included in a malicious request. The server can determine that a request is malicious by analyzing functions the user wishes to perform using the request.
Type: Grant
Filed: August 23, 2019
Date of Patent: December 28, 2021
Assignee: SAP SE
Inventors: Cedric Hebert, Anderson Santana De Oliveira, Merve Sahin
-
Publication number: 20210377307
Abstract: Disclosed herein are method, system, and computer-readable storage medium embodiments for reinforcement learning applied to application responses using deception technology. An embodiment includes configuring at least one computer processor to perform operations that include detecting an unauthorized access attempt associated with an attacker, and recording an input log that includes inputs received from the attacker. An embodiment may further include operations of generating a state representation corresponding to an execution state of at least one software application, computing one or more predicted inputs, based at least in part on the input log and the state representation, and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted input.
Type: Application
Filed: May 27, 2020
Publication date: December 2, 2021
Inventors: Anderson Santana De Oliveira, Cedric Hebert, Merve Sahin
-
Publication number: 20210160277
Abstract: Systems, methods, and computer media for securing software applications are provided herein. The multi-factor fingerprints allow attackers to be distinguished from authorized users and allow different types of attacks to be distinguished. The multi-factor fingerprint can include, for example, a session identifier component, a software information component, and a hardware information component. The different components can be separately compared to components of stored fingerprints to determine whether an application session request is malicious, and if so, what type of attack, such as session cookie theft or a spoofing attack, is occurring.
Type: Application
Filed: November 26, 2019
Publication date: May 27, 2021
Applicant: SAP SE
Inventors: Cedric Hebert, Andrea Palmieri, Merve Sahin, Anderson Santana de Oliveira
-
Publication number: 20210157917
Abstract: Systems, methods, and computer media for collaboratively securing software applications are provided herein. Through a collaborative approach, the described examples allow detection and management of unauthorized users across applications and application suites. By communicating details regarding cyber-attacks among applications, threats to applications can be managed pre-emptively. For example, applications can use attacks on other applications to implement new honeytokens, threat detection points, and blacklisted usernames or other identifiers to limit data access in future attacks.
Type: Application
Filed: November 26, 2019
Publication date: May 27, 2021
Applicant: SAP SE
Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira
-
Patent number: 11010385
Abstract: Systems, methods, and computer media for securing data accessible through software applications are provided herein. By capturing path data such as returned results for a query and displayed results provided by an application (e.g., to or by a web browser) for an operation, it can be determined if the query returned more data than was needed for what was displayed. The query can be refined to limit the data returned and reduce the security risk of such over-provisioning of data.
Type: Grant
Filed: October 10, 2019
Date of Patent: May 18, 2021
Assignee: SAP SE
Inventors: Cedric Hebert, Manuel Karl
-
Publication number: 20210109931
Abstract: Systems, methods, and computer media for securing data accessible through software applications are provided herein. By capturing path data such as returned results for a query and displayed results provided by an application (e.g., to or by a web browser) for an operation, it can be determined if the query returned more data than was needed for what was displayed. The query can be refined to limit the data returned and reduce the security risk of such over-provisioning of data.
Type: Application
Filed: October 10, 2019
Publication date: April 15, 2021
Applicant: SAP SE
Inventors: Cedric Hebert, Manuel Karl
-
Patent number: 10958685
Abstract: Data is received that includes a plurality of fields. These fields are modified using at least one differential privacy algorithm to result in fake data. This fake data is subsequently used to seed and enable a honeypot so that access to such honeypot and fake data can be monitored and/or logged. Related apparatus, systems, techniques and articles are also described.
Type: Grant
Filed: December 6, 2018
Date of Patent: March 23, 2021
Assignee: SAP SE
Inventors: Cedric Hebert, Anderson Santana de Oliveira, Lorenzo Frigerio
-
Publication number: 20210075790
Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting cyber-attack. In an embodiment, a server receives a request to an application from a user device. The server checks the request and determines that there is no cookie in the received request. The server generates a new fingerprinting cookie for the user and sends a verification request to the user device to verify the identity of the user. When the server receives the verification reply from the user device, the server checks and determines that the verification reply is valid and, accordingly, the user device is verified successfully. The server marks the new cookie as a verified cookie and transfers the request to the application for processing. The disclosed system encourages attackers to keep working within a single session with a single fingerprinting cookie to avoid consuming resources via the verification process by forcing every user including attackers to have a cookie.
Type: Application
Filed: August 23, 2019
Publication date: March 11, 2021
Inventors: Cedric HEBERT, Anderson SANTANA DE OLIVEIRA, Merve SAHIN
-
Publication number: 20210067551
Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through the use of an identifier such as a digital fingerprint, application sessions or session requests that use the same credentials can be distinguished, and malicious users can be detected and managed. A request to establish a session with an application can be received. Based on a digital fingerprint associated with the request, it can be determined that although a credential included in the request is valid, the request is unauthorized by comparing the digital fingerprint to known malicious fingerprints. When the fingerprint is found to be malicious, a cloned application session having at least partially fake data can be established instead of the requested application, thus limiting an attacker's access to real application data without revealing to the attacker that the attack has been detected.
Type: Application
Filed: August 27, 2019
Publication date: March 4, 2021
Applicant: SAP SE
Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira
-
Publication number: 20210067552
Abstract: Systems, methods, and computer media for securing software applications are provided herein. By recording path data representing interactions between an application and other components, it can be determined what data an attacker has received by the time malicious activity is detected. During a session with an application, queries made to a dataset by the application can be recorded. After the session is found to be malicious, the session is transferred to a cloned application session in which access to the dataset is blocked. Based on the recorded queries, an alternative dataset for queries made in the cloned application session is generated that includes a subset of the original dataset, thus limiting future queries of the attacker in the cloned application session to data already received before the malicious activity was detected.
Type: Application
Filed: August 27, 2019
Publication date: March 4, 2021
Applicant: SAP SE
Inventors: Cedric Hebert, Manuel Karl
-
Patent number: 10789159
Abstract: Systems and methods, as well as computing architecture for implementing the same, for decoy injection into an application. The systems and methods include splitting a standard test phase operation into two complementary phases, and add new unit tests to the process, dedicated to testing the proper coverage of the decoys and avoiding non-regression of the original code.
Type: Grant
Filed: December 5, 2018
Date of Patent: September 29, 2020
Assignee: SAP SE
Inventors: Cedric Hebert, Henrik Plate
-
Publication number: 20200186567
Abstract: Data is received that includes a plurality of fields. These fields are modified using at least one differential privacy algorithm to result in fake data. This fake data is subsequently used to seed and enable a honeypot so that access to such honeypot and fake data can be monitored and/or logged. Related apparatus, systems, techniques and articles are also described.
Type: Application
Filed: December 6, 2018
Publication date: June 11, 2020
Inventors: Cedric Hebert, Anderson Santana de Oliveira, Lorenzo Frigerio
-
Publication number: 20200183820
Abstract: Systems and methods, as well as computing architecture for implementing the same, for decoy injection into an application. The systems and methods include splitting a standard test phase operation into two complementary phases, and add new unit tests to the process, dedicated to testing the proper coverage of the decoys and avoiding non-regression of the original code.
Type: Application
Filed: December 5, 2018
Publication date: June 11, 2020
Inventors: Cedric Hebert, Henrik Plate
-
Patent number: 10628608
Abstract: A set of data is received for a data analysis. The set of data includes personal identifiable information. The set of data is anonymized to protect the privacy information. Risk rates and utility rates are determined for a number of combinations of anonymization techniques defined correspondingly for data fields from the set of data. A risk rate is related to a privacy protection failure when defining first anonymized data through applying a combination of anonymization techniques for the data fields. A utility rate is related to accuracy of the data analysis when applied over the anonymized data. Based on evaluation of the risk rates and the utility rates, one or more anonymization techniques from the number of anonymization techniques are determined. The set of data is anonymized according to a determined anonymization techniques and/or a combination thereof.
Type: Grant
Filed: June 27, 2017
Date of Patent: April 21, 2020
Assignee: SAP SE
Inventors: Cedric Hebert, Daniel Bernau, Amine Lahouel
-
Patent number: 10491578
Abstract: Disclosed herein are system, method, and computer program product embodiments for mitigating offline decryption attacks of ciphertext. An embodiment operates by inputting plaintext into an encryptor, writing ciphertext output from the encryptor into memory, inputting the ciphertext from memory into a noise generator, outputting ciphertext from memory to an output device in response to receiving a first timing signal from a timer, and outputting noise data generated by the noise generator to the output device in response to receiving a second timing signal from the timer. The output device may be a node in a distributed ledger, in some embodiments. The distributed ledger may include a blockchain, for example. Using techniques disclosed herein, encryption may be strengthened to thwart attempts by untrusted third-party attackers to crack encryption, e.g.
Type: Grant
Filed: March 30, 2018
Date of Patent: November 26, 2019
Assignee: SAP SE
Inventors: Cédric Hebert, Laurent Gomez, José Márquez
-
Patent number: 10476895
Abstract: Disclosed herein are system, method, and computer program product embodiments for intrusion detection and response. An embodiment operates by receiving one or more events corresponding to one or more user actions performed during a connectivity session to a computer system. The received one or more events are compared to one or more intrusion parameters associated with the computer system. It is determined that the received one or more events correspond to the intrusion event and that the user actions are performed on a first version of the computer system. The connectivity session is switched from the first version of the computer system to a second version of the computer system responsive to the determination of the intrusion event.
Type: Grant
Filed: September 12, 2016
Date of Patent: November 12, 2019
Assignee: SAP SE
Inventor: Cédric Hebert
-
Patent number: 10140447
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving parameters defining a detection technique, an attack scenario, and detection logic, receiving configuration data that is specific to a target system that is to be monitored, providing an attack pattern based on the parameters and the configuration data, monitoring the target system based on the attack pattern and data provided by one or more logs of the target system, and selectively generating, based on monitoring, an alert indicating a potential end-to-end intrusion into the target system.
Type: Grant
Filed: December 11, 2015
Date of Patent: November 27, 2018
Assignee: SAP SE
Inventors: Mohammad Ashiqur Rahaman, Cedric Hebert, Juergen Frank
-
Patent number: 10038674
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing secure mobile data sharing. Actions can include: receiving, by the one or more processors, a request for secure mobile data sharing, the request being received from a mobile device and comprising a security definition; obtaining, by the one or more processors, based at least in part on the security definition of the request: a decryption key, a recipient identifier, and a security policy; receiving, by the one or more processors, a decryption request from a third-party device, the decryption request comprising an identifier distinguishing the third-party device as a recipient of an encrypted message corresponding to the decryption key; and providing the decryption key to the third-party device in response to validating the decryption request.
Type: Grant
Filed: October 17, 2014
Date of Patent: July 31, 2018
Assignee: SAP SE
Inventors: Laurent Gomez, Cedric Hebert
-
Patent number: 10027718
Abstract: Embodiments are configured for automating security design in IoT systems. The achievable security level for any given IoT system may be assessed based on the capabilities of each of the entities involved in its data path to generate a set of security policies for the IoT system. The capabilities of each entity involved in the IoT data path can be evaluated together with the capabilities of the communication links between entities. Based on these capabilities and user security preferences, the security policies can be generated to achieve a target level security. Based on this approach, security designs of IoT architectures can be developed through automated information collection.
Type: Grant
Filed: August 8, 2016
Date of Patent: July 17, 2018
Assignee: SAP SE
Inventors: Laurent Gomez, Jose Marquez, Cedric Hebert
-
Publication number: 20180077174
Abstract: Disclosed herein are system, method, and computer program product embodiments for intrusion detection and response. An embodiment operates by receiving one or more events corresponding to one or more user actions performed during a connectivity session to a computer system. The received one or more events are compared to one or more intrusion parameters associated with the computer system. It is determined that the received one or more events correspond to the intrusion event and that the user actions are performed on a first version of the computer system. The connectivity session is switched from the first version of the computer system to a second version of the computer system responsive to the determination of the intrusion event.
Type: Application
Filed: September 12, 2016
Publication date: March 15, 2018
Inventor: Cédric Hebert