Abstract: A computer implemented method to generate a signature of a network attack for a network-connected computing system, the signature including rules for identifying the network attack, the method including generating, at a trusted secure computing device, a copy of data distributed across a network; the computing device identifying information about the network attack stored in the copy of the data; and the computing device generating the signature for the network attack based on the information about the network attack so as to subsequently identify the network attack occurring on a computer network.

Abstract: A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc.

Abstract: A malware detection system to detect malware in a client computer system includes a behavior profile generator adapted to generate a behavior profile specifying operational behaviors of a computer system indicative of the existence of malware in the computer system; an interface adapted to communicate the behavior profile to the client; and an identifier responsive to a message from the client that the behavior profile is exhibited by the client and adapted to identify a reaction instruction for performance by the client, wherein the interface is further adapted to communicate the reaction instruction to the client.

Abstract: A computer implemented method to detect a data breach in a network-connected computing system including generating, at a trusted secure computing device, a copy of data distributed across a network; the computing device accessing sensitive information for the network-connected computer system and searching for at least part of the sensitive information in the copy of the data; in response to an identification of sensitive information in the copy of the data identifying the sensitive information as compromised sensitive information.

Abstract: A computer implemented method of detecting malware in a received software component includes generating a profile for the malware by accessing machine code for the malware, identifying a subset of the machine code for the malware as a logical subroutine of the malware, and extracting one or more features of the logical subroutine of the malware as the profile. The method further includes accessing machine code for the received software component to identify a plurality of logical subroutines thereof and extracting one or more features of each logical subroutine of the received software component for comparison with the profile to detect the malware in the received software component.

Abstract: A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.

Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.

Abstract: A computer implemented method of computer security for a network-connected device communicating via a computer network, by accessing one or more attributes of communication over the network by the device, the communication according with one or more service discovery protocols; classifying the device based on the attributes, the classification having associated a predetermined set of acceptable states of operation of the device; deploying security measures for the device responsive to a detection of a deviation of a state of operation of the device from the acceptable states of operation, wherein the classification is made using a supervised machine learning method trained using training data for a plurality of training network-connected devices each having associated one or more attributes of communication over a network according with the one or more service discovery protocols, and each device having associated a definition of a set of acceptable states of operation.

Abstract: A computer implemented method of detecting malicious electronic mail comprising: receiving an electronic mail message including an indication of a purported sender network domain and a Simple Mail Transfer Protocol identifier (SMTP ID); processing the SMTP ID with a classifier, wherein the classifier is implemented using a supervised machine learning method trained to classify the SMTP ID as originating from the purported sender domain based on a training data set including authentic electronic mail messages from the domain; and responsive to a classification, by the classifier, of the received message indicating that the received message originates from a sender other than the purported sender domain, identifying the received message as malicious.

Abstract: A method of detecting blockchain miner code executing in a web browser including receiving a profile for the browser identifying typical resource consumption by the browser in use; responsive to a detection of a deviation of the resource consumption by the browser from the profile, intercepting a communication with the browser including a cryptographic nonce, training a plurality of classifiers based on generated training examples, each training example being generated by applying a hashing algorithm to the nonce such that each classifier is trained with training examples generated using a different hashing algorithm; intercepting one or more second communications with the browser, each of the second communications including a hash value; executing at least a subset of the classifiers based on the hash value of each of the second communications; and identifying malicious miner code executing in the browser.

Abstract: Improvements to publish-subscribe protocols are provided, including a method for communicating data in a network comprising publisher devices, a broker and subscriber devices, comprising one of the publisher devices: i-a. receiving a public key from the broker; i-b. determining, based on one or more attributes of data to be published to the broker, whether a sensitivity level of the data is low; and ii. following completion of both of steps i-a and i-b, publishing the data to the broker, wherein: when step i-b results in a determination that the sensitivity level of the data is low, step ii comprises transmitting the data to the broker unencrypted; and when step i-b results in a determination that the sensitivity level of the data is not low, step ii comprises encrypting the data then transmitting resulting encrypted data to the broker, wherein the step of encrypting the data uses the public key.

Abstract: A method of computer security for a host computer system in communication with remote computer systems includes generating an attack map modelling individual events leading to an exploitation of the host computer system by collecting a log of each of a plurality of attack events occurring at the host, using stacked autoencoders to extract features from the log event in each attack, and generating a directed graph representation based on each of the extracted features. The method further includes determining a subset of nodes in the attack map corresponding to events in one or more attacks, determining a component of the host computer system involved in each attack event represented by each of the nodes in the subset, and deploying one or more security facilities at each of the determined components of the host computer system so as to mitigate attacks according to each of the attack patterns.

Abstract: A computer implemented method of converting a serialized virtual machine (VM) for a source virtualized computing environment, the serialized VM being stored in a data file having also metadata for instantiating the serialized VM in the source environment, the method including supplementing the data file with a software adapter including a plurality of executable disk image converters, each disk image converter being suitable for converting the serialized VM between disparate virtualized computing environments; a plurality of metadata mappings, each metadata mapping defining how the metadata is converted between disparate virtual computing environments; and executable code for effecting a conversion by executing an appropriate disk image converter and performing an appropriate metadata conversion to convert the data file for a target virtualized computing environment, such that the supplemented data file is operable to self-convert between the source virtualized computing environment and the target virtualized

Abstract: A computer implemented method of securing an application executing in a software container deployed in a computer system includes providing access to the application selectively in accordance with access control rules by sharing an encryption key with authorized accessors.

Abstract: A method of computer security for a host computer system in communication with remote computer systems, including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system and collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features, using the attack map to identify a sequence of events indicative of an attack, and responsive to the identification, deploying one or more security facilities to mitigate the attack.

Abstract: A method of computer security for a host computer system in communication with remote computer systems, including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system and collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems; using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features; and responsive to an occurrence of a new attack in the host computer system, triggering the regeneration of the attack map including additional events generated in respect of the new attack.

Abstract: A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.

Abstract: A computer implemented method for providing secure communication channels between a host computer system and a plurality of communicating endpoint computer systems, the host executing a plurality of application instances, the method including initiating a secure communications tunnel between the host computer system and each communicating endpoint on an application basis such that each application instance has a separate communications tunnel, wherein each communications tunnel has associated security parameters including at least one cryptographic key for securely encrypting communications via the tunnel; and responsive to a detection of a security event in respect of an application instance at the host computer system, generating new security parameters for the tunnel of the application instance to provide a continuity of secure communication.

Abstract: A computer implemented method of computer security for a host computer system in communication with remote computer systems, the method including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, and generating the attack map includes collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event; using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features based on a temporal relationship between events for each extracted feature and a predefined definition of each of a plurality of attack patterns defining events and temporal relationships between events, determining a subse

Abstract: A computer implemented method of computer security for a host computer system in communication with remote computer systems, the method including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, and generating the attack map includes collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event; using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features based on a temporal relationship between events for each extracted feature and a predefined definition of each of a plurality of attack patterns defining events and temporal relationships between events, using the attack ma