Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.

Abstract: A service provider is configured to identify, register, and utilize a plurality of distributed computing resources/service nodes in the distributed computing platform to collectively provide/host a set of services to a plurality of service/application clients. Here, the plurality of service nodes are electronic devices owned or associated with a plurality of third-party service participants located at distinct geographical locations and are discoverable by the service provider over the Internet. The service provider is configured to intelligently route each request for a service from a service client to be served by one or more of the device nodes of a service participant. After the service has been delivered, the service provider tracks and generates one or more immutable proof-of-service receipts for the service provided by the service participant. A reward service then records and rewards the service participant for the service provided according to the proof-of-service receipts.

Abstract: An approach is proposed to support user-specific real time anti-phishing training of email recipients using real phishing attacks. When a recipient triggers an active content such as an URL link embedded in and/or opens an attachment to an email arrived at the recipient's account, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the triggered active content is determined to be safe, the recipient is allowed to access the content. If the active content is determined to be malicious, the active content is blocked and the recipient is redirected a safe blocking mechanism. The recipient is then provided with an anti-phishing training exercise, which is specifically customized for the recipient based on the blocked active content in the payload of the email and/or the recipient's security posture and awareness.

Abstract: A new approach is proposed to support software update verification and malicious behavior detection. When a software update package is being delivered by a software vendor to an intended recipient, a software update registry intercepts the software update package and installs the software update on a software update sandbox regardless of the size of the software update package. All behaviors of the software update during unpacking, installation, and post-installation operations are monitored and analyzed by the software update sandbox to verify that there is no malicious behavior or component in the software update package. If the software update is verified to be safe, then the software update package is delivered to the intended recipient for installation. If the software update is determined to be unsafe, then the software update will be blocked.

Abstract: A new approach is proposed to support generating and presenting to a user cyber attack monetary impact estimation of a current or future cyber attack, which is used to stop monetary losses or to mitigate monetary impacts. First, both historic data and real time data on monetary impact of current and/or potential cyber attacks is continuously collected from a plurality of data pools. The collected data is then synchronized, correlated and filtered/cleansed once the data is available to create fidelity among the data from the plurality of data pools. The cyber attack monetary impact is calculated based on the correlated and cleansed data, and is presented to the user along with one or more suggested applications by the user in response to the cyber attack monetary impact, to mitigate the monetary impact of the current or future cyber attack.

Abstract: A new approach is proposed to support data filtering in machine learning (ML) to detect impersonation attacks. First, filters are applied to filter data or information collected from a user in order to extract features that are specific and/or unique for the identification of the user. The features extracted from the set of data are then used to train ML models configured to identify a set of key characteristics of electronic messages or web-based resources originated by the user. When a new electronic message or web-based resource purported to be from the user is intercepted, one or more of the trained ML models that are applicable are utilized to determine or predict if the newly intercepted electronic message or web-based resource is indeed originated by the user or is impersonated by an attacker under the same filtering criteria as training of the corresponding ML models.

Abstract: An approach is proposed to support Internet traffic inspection to detect and prevent access to blocked websites or resources. First, access requests initiated by users to websites hosted on servers over a network are intercepted by an inspection agent, which identifies and caches a pair of the domain/host name of each website and its corresponding IP address on the Internet to a localized DNS cache. When a newly intercepted access request identifies the website by its IP address only without specifying its domain/host name, the inspection agent looks up the domain name by its IP address from the DNS cache. If no domain name is found, the inspection agent redirects the access request to a proxy server instead of forwarding it to the server hosting the website for further inspection. The proxy server then inspects the IP address to determine if it is a legitimate website or not.

Abstract: A new approach is proposed that contemplates systems and methods to support scanning through a file of large size without having to load the entire file into memory of single file parser or scanner. The proposed approach is configured to divide a ginormous file to be parsed and scanned into a plurality of sections following a divide and conquer scheme. The plurality sections of the file are then parsed and loaded to a plurality of file scanners each configured to scan its allocated file section of a certain file type. Each of the plurality of file scanners is then configured to extract and evaluate from its allocated section file parts that can be harmful to a user of the file and/or expose sensitive/protected information of the user. The scan results are then collected, analyzed, and report to a user with a final determination on the malicious content and sensitive data.

Abstract: An approach is proposed to support neutralizing real cyber threats to training materials by intercepting, modifying and redistributing active content(s) of an email arrived at a recipient's email account. Specifically, when the recipient triggers an active content such as an URL link embedded in and/or opens an attachment to the email, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the active content is determined to be malicious, the malicious active content in the email is then disassembled and deactivated while the payload is reconstructed with links and markings for training purposes. The recipient is then provided with an anti-phishing training exercise, wherein content of the training exercise is specifically customized for the recipient based on the reconstructed payload of the received email and/or the recipient's security posture and awareness.

Abstract: A new approach is proposed that contemplates systems and methods to support a sandboxed application plug-in distribution framework. An installation package containing a monitoring plug-in, a display plug-in, and/or third part components is received by a first application running on a first computing device. The first application installs the display plug-in and saves the monitoring plug-in to a centralized database. The first application sends an instruction to a second application running on a second computing device to retrieve the monitoring plug-in from the database and install the monitoring plug-in on the second computing device. Upon receiving a user request, the display plug-in of the first application sends a query to the monitor plug-in of the second application. In response to the query, the monitoring plug-in sends the requested monitored data collected by the second application to the display plug-in, which then formats and presents the monitored data to the user.

Abstract: An approach is proposed to support neutralizing real cyber threats to training materials by intercepting, modifying and redistributing active content(s) of an email arrived at a recipient's email account. Specifically, when the recipient triggers an active content such as an URL link embedded in and/or opens an attachment to the email, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the active content is determined to be malicious, the malicious active content in the email is then disassembled and deactivated while the payload is reconstructed with links and markings for training purposes. The recipient is then provided with an anti-phishing training exercise, wherein content of the training exercise is specifically customized for the recipient based on the reconstructed payload of the received email and/or the recipient's security posture and awareness.

Abstract: A new approach is proposed that contemplates systems and methods to support human activity tracking and authenticity verification of human-originated digital assets. First, activities performed by a producer while he/she is constructing a digital asset, e.g., an electronic message, are captured. Information/metadata of the captured activities are then packaged/encapsulated inside the constructed digital asset, wherein such metadata includes but is not limited to mouse and/or keyboard activities, software tools used, and other digital traces of the captured human activities. Once the digital asset is transmitted and received by a consumer, the metadata included in the digital asset is unpacked and analyzed to determine various levels of authenticity of the digital asset with respect to whether the digital asset is originated manually by a human being or automatically by a software program. The consumer may then take actions accordingly based on the level of authenticity of the received digital asset.

Abstract: A new approach is proposed that contemplates systems and methods to support scanning through a file of large size without having to load the entire file into memory of single file parser or scanner. The proposed approach is configured to divide a ginormous file to be parsed and scanned into a plurality of sections following a divide and conquer scheme. The plurality sections of the file are then parsed and loaded to a plurality of file scanners each configured to scan its allocated file section of a certain file type. Each of the plurality of file scanners is then configured to extract and evaluate from its allocated section file parts that can be harmful to a user of the file and/or expose sensitive/protected information of the user. The scan results are then collected, analyzed, and report to a user with a final determination on the malicious content and sensitive data.

Abstract: A new approach is proposed that contemplates systems and methods to support a sandboxed application plug-in distribution framework. An installation package containing a monitoring plug-in, a display plug-in, and/or third part components is received by a first application running on a first computing device. The first application installs the display plug-in and saves the monitoring plug-in to a centralized database. The first application sends an instruction to a second application running on a second computing device to retrieve the monitoring plug-in from the database and install the monitoring plug-in on the second computing device. Upon receiving a user request, the display plug-in of the first application sends a query to the monitor plug-in of the second application. In response to the query, the monitoring plug-in sends the requested monitored data collected by the second application to the display plug-in, which then formats and presents the monitored data to the user.

Abstract: A new approach is proposed to support generating and presenting to a user cyber attack monetary impact estimation of a current or future cyber attack, which is used to stop monetary losses or to mitigate monetary impacts. First, both historic data and real time data on monetary impact of current and/or potential cyber attacks is continuously collected from a plurality of data pools. The collected data is then synchronized, correlated and filtered/cleansed once the data is available to create fidelity among the data from the plurality of data pools. The cyber attack monetary impact is calculated based on the correlated and cleansed data, and is presented to the user along with one or more suggested applications by the user in response to the cyber attack monetary impact, to mitigate the monetary impact of the current or future cyber attack.

Abstract: A new approach is proposed to support generating and presenting a single composite Cyber Security Threat Index (CSTI) to a user, wherein the CSTI provides the user with an indication of risk of cyber attacks globally and/or in the context of his/her current networking environment. First, various pools of operational data are collected over networks, systems, and/or products, wherein such data includes files being weaponized in the cyber attacks against computer systems and networks, the surfaces and contexts on which the cyber attacks are launched, and influential factors on these data. The data collected from various pools is then synchronized, correlated, and filtered/cleansed so that it can be used to assess risk of the cyber attacks. The CSTI is calculated based on the correlated data on the cyber attacks and interactively presented to the user, who then takes corresponding remediation actions to prevent a cyber attack from happening or spreading.

Abstract: A new approach is proposed that contemplates systems and methods to support a sandboxed application plug-in distribution framework. An installation package containing a monitoring plug-in, a display plug-in, and/or third part components is received by a first application running on a first computing device. The first application installs the display plug-in and saves the monitoring plug-in to a centralized database. The first application sends an instruction to a second application running on a second computing device to retrieve the monitoring plug-in from the database and install the monitoring plug-in on the second computing device. Upon receiving a user request, the display plug-in of the first application sends a query to the monitor plug-in of the second application. In response to the query, the monitoring plug-in sends the requested monitored data collected by the second application to the display plug-in, which then formats and presents the monitored data to the user.

Abstract: A device includes a database, a controller, and a PVN router. The database is configured to store network settings information and tracks devices connected to a network. The controller is configured to control access of devices to one another after establishing a connection to the network. The PVN router is configured to receive a provisioning request from a requesting to connect to the network. The PVN router is further configured to transmit a provisioning response to the requesting device based on instantiation of a PVN template received from the database. The PVN template is generated based on the network settings information and further based on the control access determined by the controller. The provisioning response establishes a connection between the requesting device and the network. The requesting device is inaccessible by a subset of devices already connected in the network after the connection is established and vice versa.

Abstract: An approach is proposed to support neutralizing real cyber threats to training materials by intercepting, modifying and redistributing active content(s) of an email arrived at a recipient's email account. Specifically, when the recipient triggers an active content such as an URL link embedded in and/or opens an attachment to the email, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the active content is determined to be malicious, the malicious active content in the email is then disassembled and deactivated while the payload is reconstructed with links and markings for training purposes. The recipient is then provided with an anti-phishing training exercise, wherein content of the training exercise is specifically customized for the recipient based on the reconstructed payload of the received email and/or the recipient's security posture and awareness.

Abstract: An approach is proposed to support user-specific real time anti-phishing training of email recipients using real phishing attacks. When a recipient triggers an active content such as an URL link embedded in and/or opens an attachment to an email arrived at the recipient's account, the triggered active content is synchronously intercepted and examined in real time for potential malicious intent of a phishing attack. If the triggered active content is determined to be safe, the recipient is allowed to access the content. If the active content is determined to be malicious, the active content is blocked and the recipient is redirected a safe blocking mechanism. The recipient is then provided with an anti-phishing training exercise, which is specifically customized for the recipient based on the blocked active content in the payload of the email and/or the recipient's security posture and awareness.