Patents by Inventor Fadi El-Moussa

Fadi El-Moussa has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220092177
    Abstract: A computer implemented method of computer security for a host computer system in communication with remote computer systems, the method including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, and generating the attack map includes collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event; using stacked autoencoders to extract features from the log event in each attack; generating a directed graph representation based on each of the extracted features based on a temporal relationship between events for each extracted feature and a predefined definition of each of a plurality of attack patterns defining events and temporal relationships between events, responsive to an oc
    Type: Application
    Filed: March 18, 2020
    Publication date: March 24, 2022
    Applicant: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Ian HERWONO, Fadi EL-MOUSSA
  • Patent number: 11283607
    Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system (1) running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function (11) using data relating to the type of device (13), and the applications to be run on the device (14), to generate an appropriate encryption policy (12) which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: March 22, 2022
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Claudia Cristina, Fadi El-Moussa, Simon Beddus
  • Publication number: 20220060316
    Abstract: Systems and methods of protecting data in a message for communication from a sender to a receiver, the sender and receiver sharing a secret including splitting the message into a number of ordered message blocks, the order being a proper order such that an aggregation of the blocks in the proper order constitutes the message; generating an encoded indication of a position of the block in the proper order of blocks, the encoding being reversible and based on at least a hash value for the block, a secret shared between the sender and the receiver, and a position of the block in the proper order; communicating the blocks and the encoded indications to the receiver, the blocks being communicated in an order different to the proper order so as to obfuscate the message, such that the blocks can be reassembled by the receiver in the proper order on the basis of the shared secret.
    Type: Application
    Filed: December 18, 2019
    Publication date: February 24, 2022
    Inventors: Fadi El-MOUSSA, Fabio GIUBILO
  • Publication number: 20220035915
    Abstract: A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method including exposing a target computer system to the ransomware algorithm; monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the hardware components being determined to constitute the seed parameters.
    Type: Application
    Filed: September 11, 2019
    Publication date: February 3, 2022
    Inventors: Fadi EL-MOUSSA, George KALLOS
  • Patent number: 11201876
    Abstract: A computer implemented method to identify malicious software in a computer system includes receiving an indication of a detection of malicious network traffic communicated via a computer network accessed by the computer system; identifying a software component involved in the malicious network traffic at the computer system; evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of the software component; and storing the measure of CFD for subsequent comparison with a second measure of CFD for a corresponding portion of a second software component in the computer system to identify the second software component as a software component involved in malicious network communication.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: December 14, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: George Kallos, Fadi El-Moussa
  • Patent number: 11194901
    Abstract: Systems and methods for identifying a computer security threat based on communication via a computer network.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: December 7, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ian Herwono
  • Patent number: 11159549
    Abstract: A computer implemented method to identify a computer security threat based on communication via a computer network including receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols; receiving a set of security events for the communication, each security event including network communication characteristics for the communication; for each security event in the set of security events: a) identifying a communication protocol associated with the event; b) detecting deviations of network communication characteristics of the event from the acceptable network communication characteristics for the identified communication protocol; and c) generating a record of each deviation identifying a communication characteristic for which the deviation is detected, and identifying a computer security threat for the communication based on the records generated for the set of security events.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: October 26, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ian Herwono
  • Patent number: 11151244
    Abstract: A method in a computer system having an operating system providing isolation between software processes executable in the operating system such that a first process executing in the operating system is prevented from accessing resources of a second process executing in the operating system, the method including receiving a software component for execution as an isolated process in the operating system; receiving a baseline profile for the software component defining one or more characteristics of the software component at a runtime for identifying performance of the software component; generating a runtime profile of the software component in execution in the operating system defining characteristics of the component in execution; and flagging the software component in execution based on a comparison of the baseline profile and the runtime profile so as to identify an undesirable performance of the software component.
    Type: Grant
    Filed: May 10, 2017
    Date of Patent: October 19, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Fadi El-Moussa
  • Patent number: 11151268
    Abstract: An access control method for a restricted resource in a computer system having an operating system providing isolation between software processes executable in the operating system such that a first process executing in the operating system is prevented from accessing resources of a second process executing in the operating system, the method including receiving a software component for execution as an isolated process in the operating system; receiving a baseline profile for the software component defining characteristics of the software component at a runtime for identifying performance of the software component; generating a runtime profile of the software component in execution in the operating system defining characteristics of the component in execution; and permitting access by the software component to the restricted resource based on a comparison of the baseline profile and the runtime profile such that the software component exhibiting undesirable performance is precluded from accessing the restrict
    Type: Grant
    Filed: May 10, 2017
    Date of Patent: October 19, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Fadi El-Moussa
  • Patent number: 11128647
    Abstract: A computer implemented method to identify a computer security threat based on communication of a network connected device via a computer network including receiving a plurality of blocks of network traffic from the device, each block including a sequence of network traffic data items being identifiable by a position in the sequence of the block; identifying a subset of positions occurring in every block for which a degree of variability of values of data items in each position of the subset meets a predetermined threshold; and generating executable code for performing a plurality of processing operations based on the identified subset of positions, the executable code consuming a determinate quantity of computing resources when executed for the received network traffic.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: September 21, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Karl Smith, Fadi El-Moussa
  • Publication number: 20210286873
    Abstract: A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.
    Type: Application
    Filed: July 31, 2017
    Publication date: September 16, 2021
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Ian HERWONO
  • Publication number: 20210258151
    Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system (1) running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function (11) using data relating to the type of device (13), and the applications to be run on the device (14), to generate an appropriate encryption policy (12) which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
    Type: Application
    Filed: April 25, 2019
    Publication date: August 19, 2021
    Inventors: Claudia CRISTINA, Fadi EL-MOUSSA, Simon BEDDUS
  • Publication number: 20210248266
    Abstract: A computer implemented method of sharing a data message containing multiple data fields between a provider computer system and a consumer computer system, wherein the provider and consumer computer systems have mutual mistrust, is disclosed.
    Type: Application
    Filed: March 19, 2019
    Publication date: August 12, 2021
    Inventors: Fabio GIUBILO, Fadi EL-MOUSSA, Mark SHACKLETON
  • Publication number: 20210182403
    Abstract: A computer implemented method to determine a security configuration for a target virtual machine (VM) in a virtualized computing environment, the method including training a machine learning algorithm to determine a vector of security vulnerabilities for the target VM based on a vector of configuration characteristics for the target VM, the machine learning algorithm being trained using training examples each including a configuration for a training VM and an associated vulnerability vector based on an observed security occurrence at the training VM, wherein each training example further includes an identification of one of a set of security configurations for the training VM; selecting at least a subset of the set of security configurations and, for each security configuration in the subset, executing the machine learning algorithm with the vector of configuration characteristics for the target VM and an identification of the security configuration, so as to generate a set of vulnerability vectors including a
    Type: Application
    Filed: October 11, 2018
    Publication date: June 17, 2021
    Inventors: Mark SHACKLETON, Fadi EL-MOUSSA
  • Publication number: 20210182404
    Abstract: A computer implemented method to generate training data for a machine learning algorithm for determining security vulnerabilities of a virtual machine (VM) in a virtualized computing environment is disclosed. The machine learning algorithm determines the vulnerabilities based on a vector of configuration characteristics for the VM.
    Type: Application
    Filed: October 11, 2018
    Publication date: June 17, 2021
    Inventors: Mark SHACKLETON, Fadi EL-MOUSSA
  • Publication number: 20210168164
    Abstract: A computer implemented method to detect an anomalous change to a web application configuration, the web application executing with a web server, the method including receiving a first set of records for the web application operating in a training mode of operation, each record including characteristics of the web application; generating a sparse distributed representation of the set of records to form a training set for a hierarchical temporal memory (HTM); training the HTM based on the training set in order that the trained HTM provides a model of the operation of the web application in the training mode of operation; receiving a second set of records for the web application, each record including characteristics of the web application; generating a sparse distributed representation of the second set of records to form an input set for the trained HTM; executing the trained HTM based on the input set to determine a degree of recognition of the records of the input set; and responsive to a determination that
    Type: Application
    Filed: July 30, 2018
    Publication date: June 3, 2021
    Inventors: Fadi EL-MOUSSA, Xiaofeng DU
  • Publication number: 20210157927
    Abstract: Network-based applications and virtualized components are deployed according to a security analysis of the infrastructure to be used and applications to be run on it. A specification of requirements (201) is analysed (211), together with potential devices (212) and network nodes (213), to determine an appropriate level of security to be applied, and a deployment specification of applications, services, security countermeasures, and networks is prepared that will satisfy the customer requirement and with known characteristics and vulnerabilities of the services. This analysis is used to generate a deployment specification (22), and finally the actual control of an orchestrator (23) to deliver the service. The deployed system can be continually monitored to ensure that the service continues to operate within requirements. Should an incident such as a network attack or failure occur the system is re-analysed against the original requirements and re-configured or repaired.
    Type: Application
    Filed: April 25, 2019
    Publication date: May 27, 2021
    Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
  • Patent number: 10990690
    Abstract: A computer implemented method of providing whole disk encryption for a virtualized computer system including providing a hypervisor having a data store and instantiating a disk image of the virtualized computer system as a first virtual machine (VM) having a virtual disk from which an operating system of the first VM can be booted; instantiating a second VM in the hypervisor including a software component executing therein, wherein the data store is a shared data store accessible by both the first and second VMs, the method further comprising: the software component accessing the first VM using privileged credentials to install a software agent in the first VM and to replicate the virtual disk of the first VM in the hypervisor data store as a duplicate disk, wherein the software agent is adapted to encrypt data written to, and decrypt data read from, the disk of the first VM at a runtime of the first VM; and the software component encrypting the duplicate disk and unmounting the copied disk and mounting the e
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: April 27, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 10931689
    Abstract: A method for identifying malicious network traffic communicated via a computer network, the method including: evaluating a measure of a correlation fractal dimension for a portion of network traffic over a monitored network connection; comparing the measure of correlation fractal dimension with a reference measure of correlation fractal dimension for a corresponding portion of network traffic of a malicious network connection so as to determine if malicious network traffic is communicated over the monitored network connection.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: February 23, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, George Kallos
  • Patent number: 10897359
    Abstract: A method for securely accessing a hardware storage device connected to a computer system, the hardware storage device having a unique hardware identifier and the computer system including a processor, the method comprising: an agent software component receiving the identifier of the storage device to authenticate the storage device, wherein the agent executes in an unrestricted mode of operation of the processor such that the agent is a trusted software component; in response to the authentication, the agent accessing a secure data key for encrypting and decrypting data on the storage device, wherein the data key is accessible only to trusted agents executing in the unrestricted mode of the processor such that software executing in a user mode of the processor stores and retrieves data on the storage device only via the agent.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: January 19, 2021
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Fadi El-Moussa, Theo Dimitrakos, Georgios Vafiadis