Patents by Inventor Cedric Hebert

Cedric Hebert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250071133
    Abstract: Application slicing can be applied to a web application with web application endpoints so that only the endpoints accessible by a given role are present in a given slice. Thus, role-based application slicing can be implemented. Subsequently, when requests for access to endpoints are received, the requests can be directed to a slice associated with a role of the user identifier making the request. Vulnerability chaining can thus be avoided because functionality in the slice is limited to that appropriate for the role of the user. The technologies can also be leveraged by extracting removed endpoints that can be used to detect intrusion in an active defense scenario.
    Type: Application
    Filed: August 24, 2023
    Publication date: February 27, 2025
    Applicant: SAP SE
    Inventors: Merve Sahin, Cedric Hebert
  • Publication number: 20240289471
    Abstract: A system and method include execution of program code within an enclave of a trusted execution environment to receive a query identifying an analytic, retrieve an analytic profile corresponding to the analytic from a first distributed ledger, the analytic profile identifying input data and including first code executable to compute the analytic from the input data, retrieve the input data from a second distributed ledger, retrieve cryptographic information associated with the retrieved input data from one or more other enclaves of the trusted execution environment, decrypt the retrieved input data using the cryptographic information, and execute the first code to compute the analytic from the decrypted input data.
    Type: Application
    Filed: May 17, 2023
    Publication date: August 29, 2024
    Inventors: Laurent Gomez, Cedric Hebert
  • Publication number: 20240291858
    Abstract: A tainting engine can work in conjunction with a syntax attack detection template to identify when a threat actor attempts a malicious attack in a cloud application scenario. Non-intrusive instrumentation can be used to provide detection of an attempted attack regardless of whether the cloud application is vulnerable to such attacks. Detection of attempted attacks can be an important part of maintaining network security, even in cases where an application itself is not vulnerable to such attacks. Further details about the attempted attack can be assembled, and a variety of actions can be taken in response to detection.
    Type: Application
    Filed: February 27, 2023
    Publication date: August 29, 2024
    Applicant: SAP SE
    Inventors: Cedric Hebert, Thomas Barber, Suv Sanjit Patnaik
  • Publication number: 20240275780
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through an enhanced authentication token, an application session request can be deceptively authenticated. When a malicious session request is detected, an enhanced authentication token can be generated that appears to successfully authenticate the session but contains information indicating that the session is malicious. The attacker believes that the session has been authenticated, but the information in the token indicating that the session is malicious causes an application clone session to be established instead of an actual application session. The clone session appears to be an actual application session but protects the valid user's account by including fake data instead of the user's actual data.
    Type: Application
    Filed: April 16, 2024
    Publication date: August 15, 2024
    Applicant: SAP SE
    Inventors: Cedric Hebert, Anderson Santana de Oliveira, Merve Sahin
  • Patent number: 11979395
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through an enhanced authentication token, an application session request can be deceptively authenticated. When a malicious session request is detected, an enhanced authentication token can be generated that appears to successfully authenticate the session but contains information indicating that the session is malicious. The attacker believes that the session has been authenticated, but the information in the token indicating that the session is malicious causes an application clone session to be established instead of an actual application session. The clone session appears to be an actual application session but protects the valid user's account by including fake data instead of the user's actual data.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: May 7, 2024
    Assignee: SAP SE
    Inventors: Cedric Hebert, Anderson Santana de Oliveira, Merve Sahin
  • Publication number: 20240048593
    Abstract: The source code of an HTML form can be analyzed to derive parameter rules that are subsequently enforced when apparent content of the HTML form is received. Such parameter rules can be drawn from client-side restrictions that are extracted from the HTML source, which are then enforced to prevent content violating the rules from reaching the backend. A proxy can sit between the application and the apparent browser. Dynamically generated HTML can be supported via a headless browser that mirrors HTML that would be present at a browser. The technologies are useful for preventing HTML form-based attacks and identifying clear cases of malicious HTML form requests.
    Type: Application
    Filed: August 5, 2022
    Publication date: February 8, 2024
    Applicant: SAP SE
    Inventors: Cedric Hebert, Merve Sahin
  • Publication number: 20240045955
    Abstract: A trained machine learning model can determine whether a portion of programming code contains a security event. The determination can be included in a security assessment. The category of security event can also be determined. During training, observed portions of programming code labeled according to whether they contain a security event and the category of security event can be tokenized. Vectors can be generated from the tokens. The machine learning model can generate a new vector for an incoming portion of programming code and compare against combined vectors for the observed portions of programming code. A security assessment can indicate whether the incoming portion of programming code contains a security event, the category of the event, or both. For training purposes, security logging statements can be removed from training code.
    Type: Application
    Filed: August 3, 2022
    Publication date: February 8, 2024
    Applicant: SAP SE
    Inventors: Merve Sahin, Cedric Hebert, Noemi Daniele, Francesco Di Cerbo
  • Patent number: 11729213
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Using deceptive endpoints, attacks directed to API endpoints can be detected, and attackers can be monitored or blocked. Deceptive endpoints can be automatically generated by modifying valid endpoints for an application. Deceptive endpoints are not valid endpoints for the application, so if a deceptive endpoint is accessed, it is an indication of an attack. When a deceptive endpoint is deployed, accessing the deceptive endpoint can cause an alert to be generated, and an account, user, or device associated with accessing the deceptive endpoint can be blocked or monitored.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: August 15, 2023
    Assignee: SAP SE
    Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira, Rocio Cabrera Lozoya, Aicha Mhedhbi
  • Publication number: 20230125567
    Abstract: Systems, methods, and computer media for securing software applications against unauthorized access through global lockout and capture are provided herein. For each request to access an application (whether pre- or post-authentication), a passive fingerprint, an active fingerprint, and a cookie are generated. The passive fingerprint represents characteristics of the requester's computing device that are provided with the request, such as source IP address, user agent, etc. The active fingerprint includes the information in the passive fingerprint as well as information that the computing device provides upon request, such as language or display information for the device. The passive fingerprint, active fingerprint, and cookie for a request are then associated together and stored. Access to the application can be managed based on the stored fingerprints and cookies.
    Type: Application
    Filed: October 22, 2021
    Publication date: April 27, 2023
    Applicant: SAP SE
    Inventors: Cedric Hebert, Merve Sahin, Anderson Santana De Oliveira
  • Publication number: 20230102162
    Abstract: Systems, methods, and computer media are described for accelerated fact checking using distributed storage platforms (e.g., a blockchain or other distributed ledger) and trusted software providers. A claim for fact checking is received from a user (e.g., organization) of a software application managed by the trusted software provider. User-specific data associated with both the user and the application that is related to the claim can then be accessed (e.g., retrieved from a data store through queries). It can then be determined whether the claim is supported based on the user's own data. If the claim is supported, verification data for the claim can be generated and stored in a distributed storage platform (e.g., blockchain), where the verification data is available for others to use in fact checking.
    Type: Application
    Filed: September 27, 2021
    Publication date: March 30, 2023
    Applicant: SAP SE
    Inventors: Anderson Santana De Oliveira, Cedric Hebert
  • Patent number: 11546378
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. By recording path data representing interactions between an application and other components, it can be determined what data an attacker has received by the time malicious activity is detected. During a session with an application, queries made to a dataset by the application can be recorded. After the session is found to be malicious, the session is transferred to a cloned application session in which access to the dataset is blocked. Based on the recorded queries, an alternative dataset for queries made in the cloned application session is generated that includes a subset of the original dataset, thus limiting future queries of the attacker in the cloned application session to data already received before the malicious activity was detected.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: January 3, 2023
    Assignee: SAP SE
    Inventors: Cedric Hebert, Manuel Karl
  • Patent number: 11539742
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. The multi-factor fingerprints allow attackers to be distinguished from authorized users and allow different types of attacks to be distinguished. The multi-factor fingerprint can include, for example, a session identifier component, a software information component, and a hardware information component. The different components can be separately compared to components of stored fingerprints to determine whether an application session request is malicious, and if so, what type of attack, such as session cookie theft or a spoofing attack, is occurring.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: December 27, 2022
    Assignee: SAP SE
    Inventors: Cedric Hebert, Andrea Palmieri, Merve Sahin, Anderson Santana de Oliveira
  • Patent number: 11483346
    Abstract: Disclosed herein are method, system, and computer-readable storage medium embodiments for reinforcement learning applied to application responses using deception technology. An embodiment includes configuring at least one computer processor to perform operations that include detecting an unauthorized access attempt associated with an attacker, and recording an input log that includes inputs received from the attacker. An embodiment may further include operations of generating a state representation corresponding to an execution state of at least one software application, computing one or more predicted inputs, based at least in part on the input log and the state representation, and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted inputs.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: October 25, 2022
    Assignee: SAP SE
    Inventors: Anderson Santana De Oliveira, Cedric Hebert, Merve Sahin
  • Patent number: 11429716
    Abstract: Systems, methods, and computer media for collaboratively securing software applications are provided herein. Through a collaborative approach, the described examples allow detection and management of unauthorized users across applications and application suites. By communicating details regarding cyber-attacks among applications, threats to applications can be managed pre-emptively. For example, applications can use attacks on other applications to implement new honeytokens, threat detection points, and blacklisted usernames or other identifiers to limit data access in future attacks.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: August 30, 2022
    Assignee: SAP SE
    Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira
  • Patent number: 11425166
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through the use of an identifier such as a digital fingerprint, application sessions or session requests that use the same credentials can be distinguished, and malicious users can be detected and managed. A request to establish a session with an application can be received. Based on a digital fingerprint associated with the request, it can be determined that although a credential included in the request is valid, the request is unauthorized by comparing the digital fingerprint to known malicious fingerprints. When the fingerprint is found to be malicious, a cloned application session having at least partially fake data can be established instead of the requested application, thus limiting an attacker's access to real application data without revealing to the attacker that the attack has been detected.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: August 23, 2022
    Assignee: SAP SE
    Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira
  • Publication number: 20220109692
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Using deceptive endpoints, attacks directed to API endpoints can be detected, and attackers can be monitored or blocked. Deceptive endpoints can be automatically generated by modifying valid endpoints for an application. Deceptive endpoints are not valid endpoints for the application, so if a deceptive endpoint is accessed, it is an indication of an attack. When a deceptive endpoint is deployed, accessing the deceptive endpoint can cause an alert to be generated, and an account, user, or device associated with accessing the deceptive endpoint can be blocked or monitored.
    Type: Application
    Filed: October 5, 2020
    Publication date: April 7, 2022
    Applicant: SAP SE
    Inventors: Cedric Hebert, Merve Sahin, Anderson Santana de Oliveira, Rocio Cabrera Lozoya, Aicha Mhedhbi
  • Publication number: 20220103545
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. Through an enhanced authentication token, an application session request can be deceptively authenticated. When a malicious session request is detected, an enhanced authentication token can be generated that appears to successfully authenticate the session but contains information indicating that the session is malicious. The attacker believes that the session has been authenticated, but the information in the token indicating that the session is malicious causes an application clone session to be established instead of an actual application session. The clone session appears to be an actual application session but protects the valid user's account by including fake data instead of the user's actual data.
    Type: Application
    Filed: September 28, 2020
    Publication date: March 31, 2022
    Applicant: SAP SE
    Inventors: Cedric Hebert, Anderson Santana de Oliveira, Merve Sahin
  • Patent number: 11212281
    Abstract: Disclosed herein are system, method, and computer program product embodiments for detecting cyber-attacks. In an embodiment, a server receives a request to an application from a user device. The server determines that there is no cookie in the received request. The server then generates a new fingerprinting cookie and sends a verification request to the user device to verify the identity of a user. When the server receives the verification reply from the user device, the server determines that the verification reply is valid, marks the new cookie as a verified cookie, and transfers the request to the application for processing. The server can also unverify the verified cookie when the verified cookie is included in a malicious request. The server can determine that a request is malicious by analyzing functions the user wishes to perform using the request.
    Type: Grant
    Filed: August 23, 2019
    Date of Patent: December 28, 2021
    Assignee: SAP SE
    Inventors: Cedric Hebert, Anderson Santana De Oliveira, Merve Sahin
  • Publication number: 20210377307
    Abstract: Disclosed herein are method, system, and computer-readable storage medium embodiments for reinforcement learning applied to application responses using deception technology. An embodiment includes configuring at least one computer processor to perform operations that include detecting an unauthorized access attempt associated with an attacker, and recording an input log that includes inputs received from the attacker. An embodiment may further include operations of generating a state representation corresponding to an execution state of at least one software application, computing one or more predicted inputs, based at least in part on the input log and the state representation, and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted inputs.
    Type: Application
    Filed: May 27, 2020
    Publication date: December 2, 2021
    Inventors: Anderson Santana De Oliveira, Cedric Hebert, Merve Sahin
  • Publication number: 20210160277
    Abstract: Systems, methods, and computer media for securing software applications are provided herein. The multi-factor fingerprints allow attackers to be distinguished from authorized users and allow different types of attacks to be distinguished. The multi-factor fingerprint can include, for example, a session identifier component, a software information component, and a hardware information component. The different components can be separately compared to components of stored fingerprints to determine whether an application session request is malicious, and if so, what type of attack, such as session cookie theft or a spoofing attack, is occurring.
    Type: Application
    Filed: November 26, 2019
    Publication date: May 27, 2021
    Applicant: SAP SE
    Inventors: Cedric Hebert, Andrea Palmieri, Merve Sahin, Anderson Santana de Oliveira