Abstract: A method includes, at a processor-controlled device of a network, identifying a first portion of a data transmission transmitted via the network that is indicative of an anomaly. A second, different, portion of the data transmission including personal data is identified. The data transmission is modified to generate a modified data transmission, the modifying the data transmission comprising selectively anonymizing one or more portions of the data transmission such that at least the second portion of the data transmission is anonymized. The modified data transmission is sent to a remote system for identification of whether the first portion of the data transmission is indicative of malicious behavior.

Abstract: A security system in a network connected computing device, the device executing a software component that receives information stored in a matrix barcode, the information including a reference to a resource accessible via the network, the system including: a service bar that blocks the software component from accessing services of the computing device; and a logic unit that determines services of the computing device needed by the software component to access the resource, wherein the service bar is adapted to, responsive to a verification of permission of the software component to access the determined services, unblock the software component in order that the software component can access the resource and accesses the determined services.

Abstract: A device identification method, a device identification system and a device prediction component. The method can include determining, based on first power consumption data indicative of a first power consumption associated with a premises within a first time period, a predicted identity of an active device at the premises within a second time period subsequent to the first time period. A detected identity of the active device at the premises within the second time period is determined, based on second power consumption data indicative of a second power consumption associated with the premises within the second time period. A determined identity of the active device at the premises within the second time period is determined, based on at least one of the predicted identity and the detected identity.

Abstract: Systems and methods of protecting data in a message for communication from a sender to a receiver, the sender and receiver sharing a secret including splitting the message into a number of ordered message blocks, the order being a proper order such that an aggregation of the blocks in the proper order constitutes the message; generating an encoded indication of a position of the block in the proper order of blocks, the encoding being reversible and based on at least a hash value for the block, a secret shared between the sender and the receiver, and a position of the block in the proper order; communicating the blocks and the encoded indications to the receiver, the blocks being communicated in an order different to the proper order so as to obfuscate the message, such that the blocks can be reassembled by the receiver in the proper order on the basis of the shared secret.

Abstract: A computer implemented method to detect anomalous behavior of a software container having a software application executing therein, the method including receiving a sparse data representation of each of a: first set of container network traffic records; a first set of application traffic records; and a first set of container resource records, and training an hierarchical temporal memory (HTM) for each first set, wherein the container network traffic records correspond to network traffic communicated with the container, the application traffic records correspond to network traffic communicated with the software application, and the container resource records correspond to the use of computer resources by the container; receiving a sparse data representation of each of a: second set of container network traffic records; a second set of application traffic records; and a second set of container resource records; executing the trained HTMs based on each respective second set to determine a degree of recognition o

Abstract: A computer implemented security method operable with a communications network in a vehicle, the network communicatively connecting devices including sensors and actuators in the vehicle such that information provided by sensors and states of actuators are determinable by data communicated via the network, the method including defining a Markov decision process model for the vehicle, the model specifying states of the vehicle and actions constituting transitions between states, wherein a state of the vehicle is indicated by information provided by one or more sensors and a state of one or more actuators, and an action corresponds to a change in the information provided by one or more sensors and/or a change to a state of one or more actuators, each action having associated a probability of occurrence; determining, by accessing data communicated via the network, a current state of the vehicle in the model; accessing data communicated via the network; responsive to the accessed data indicating an action to chang

Abstract: A computer implemented method to determine a security configuration for a target virtual machine (VM) in a virtualized computing environment, the method including training a machine learning algorithm to determine a vector of security vulnerabilities for the target VM based on a vector of configuration characteristics for the target VM, the machine learning algorithm being trained using training examples each including a configuration for a training VM and an associated vulnerability vector based on an observed security occurrence at the training VM, wherein each training example further includes an identification of one of set of security configurations for the training VM; selecting at least a subset of the set of security configurations and, for each security configuration in the subset, executing the machine learning algorithm with the vector of configuration characteristics for the target VM and an identification of the security configuration, so as to generate a set of vulnerability vectors including a

Abstract: A computer-implemented method of automatically securing a computer system or network against a suspect binary file (SBF) by, in response to detection of the SBF, initiating an automatic defence strategy comprising an action known to mitigate a known threat posed by a closest known malicious binary file (KMBF). The method further includes identifying the closest KMBF from a plurality of KMBFs by comparing an SBF branch map generated in respect of the SBF with respective KMBF branch maps generated in respect of each of the plurality of KMBFs, the SBF and KMBF branch maps being generated by breaking each of the respective binary files down into a respective sequence of blocks and determining how each block of the sequence branches to one or more other blocks of the sequence. Further aspects of the present disclosure relate to corresponding data processing systems, computer programs, computer-readable data carriers and data carrier signals.

Abstract: A computer implemented method to generate training data for a machine learning algorithm for determining security vulnerabilities of a virtual machine (VM) in a virtualized computing environment is disclosed. The machine learning algorithm determines the vulnerabilities based on a vector of configuration characteristics for the VM.

Abstract: One aspect of the present disclosure provides a computer-implemented method of automatically securing a computer system or network against a suspect binary file (SBF) by, in response to detection of the SBF, initiating an automatic defence strategy. The automatic defence strategy includes a first action known to mitigate a known threat posed by a known malicious binary file (KMBF); and a further action predicted to mitigate a predicted threat posed by a discrepant function present in the SBF but not the KMBF. Further aspects of the present disclosure relate to corresponding data processing systems, computer programs, computer-readable data carriers and data carrier signals.

Abstract: A computer-implemented method of automatically securing a computer system or network against a suspect binary file (SBF) by, in response to detection of the SBF, initiating an automatic defence strategy comprising an action known to mitigate a known threat posed by a closest known malicious binary file (KMBF). The method further includes identifying the closest KMBF by comparing an SBF application programming interface (API) profile generated in respect of the SBF with respective KMBF API profiles generated in respect of each of a plurality of KMBFs, the SBF and KMBF API profiles being generated by: identifying any API calls in the respective binary file; and assigning each of said identified API calls to one of a plurality of API call categories defined by one or more actions known to be effective in mitigating one or more possible threats posed by the respective API call category.

Abstract: A method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network, the method including, for the malware, a portion of network traffic including a plurality of contiguous bytes occurring at a predefined offset in a network communication of the malware; extracting the defined portion of network traffic for each of a plurality of disparate encrypted network connections for the malware; training an autoencoder based on each extracted portion of network traffic, wherein the autoencoder includes: a set of input units each for representing information from a byte of an extracted portion; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set

Abstract: A computer implemented method of protecting data in a message for communication from a sender to a receiver, the sender and receiver sharing a secret, the method including splitting the message into a plurality of ordered message blocks, the order being a proper order such that an aggregation of the blocks in the proper order constitutes the message; generating a hash value for each message block, each hash value being generated on the basis of at least a content of the block and the secret; generating, for each block, an encoded indication of a position of the block in the proper order of blocks, the encoding being reversible and based on at least the hash value for the block and a position of the block in the proper order; communicating the blocks to the receiver in an order different to the proper order so as to obfuscate the message; and communicating the encoded indications to the receiver such that the blocks can be reassembled by the receiver in the proper order on the basis of the shared secret.

Abstract: A computer implemented method to detect a data breach in a network-connected computing system, the method including storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system; the computing device generating a copy of data distributed across a network; the computing device identifying information about the network attack stored in the copy of the data; the computing device generating a signature for the network attack based on the information about the network attack, the signature including rules for identifying the network attack in network traffic; and identifying an occurrence of the network attack in the stored network traffic based on the signature.

Abstract: Improvements to publish-subscribe protocols are provided, including a method for communicating data in a network comprising publisher devices, a broker and subscriber devices, comprising one of the publisher devices: i-a. receiving a public key from the broker; i-b. determining, based on one or more attributes of data to be published to the broker, whether a sensitivity level of the data is low; and ii. following completion of both of steps i-a and i-b, publishing the data to the broker, wherein: when step i-b results in a determination that the sensitivity level of the data is low, step ii comprises transmitting the data to the broker unencrypted; and when step i-b results in a determination that the sensitivity level of the data is not low, step ii comprises encrypting the data then transmitting resulting encrypted data to the broker, wherein the step of encrypting the data uses the public key.

Abstract: A containerisation orchestrator (26) is controlled by an analysis system (20, 21, 22) which assesses an application and a device for compatibility to have a candidate application installed on the device using the orchestrator. The analysis includes an assessment of the vulnerability of the installed application to failure or malicious attack, and a risk assessment of the consequences of such an event. The candidate containerised configuration (20) for the application is also assessed for compatibilities and vulnerabilities.

Abstract: A computer implemented method of sharing a data message containing multiple data fields between a provider computer system and a consumer computer system, wherein the provider and consumer computer systems have mutual mistrust, is disclosed.

Abstract: A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding n

Abstract: A method for detecting malware software in a computer system includes accessing a plurality of hostnames for a malware server from a computer system infected with malware and attempting to communicate with the malware server, each hostname including a plurality of symbols in each of a plurality of symbol positions; training an autoencoder based on each of the plurality of hostnames, wherein the autoencoder includes: a set of input units for each possible symbol and symbol position in a hostname; output units each for storing an output of the autoencoder; and a set of hidden units smaller in number than the set of input units and each interconnecting all input and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units; selecting a set of one or more symbol and symbol position tuples based on weights of interconnections in the trained autoencoder; and identifying infected computer systems

Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.