Abstract: An information security method to detect, validate, source, and/or remediate propagated, maliciously generated, AI content is disclosed. Search-engine spider(s) to crawl the Internet to identify posted content, which is analyzed with signature-based detection, anomaly detection, and machine learning to identify suspect content, which is compared against validated content. A malicious-AI probability score is generated based on the results of the foregoing AI analysis and the content differences. Metadata corresponding to the suspect content is extracted. A malicious activity mapping is compiled from available data. Suspect content is attempted to be recreated by publicly available online AI bots to identify the AI engine that generated the malicious content. Metadata pertaining to the origination source that accessed the source AI bot. Metadata is used to trace the malicious content back to the originator. Proofs regarding the foregoing are generated. Notifications/demands may be generated.

Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

Abstract: A network traffic correlation engine monitors inbound and/or outbound connection information received from on each host computer system on a network. Each host device on the network store data logs corresponding to information corresponding to communications sent by the device and received by the device. The network traffic correlation engine correlates connections between different hosts throughout the network. If the network traffic correlation engine identified unmatched outbound and inbound connections, the network traffic correlation engine generates an alert to initiate further investigation and may also provide a mapping of the communications showing a possible start device for the connection and/or a type of access that the connections may now be providing.

Abstract: A network environment scanning engine may monitor electronic communications received via an external computing network and by an enterprise computing system. The network environment canning engine after receipt of an electronic message, analyze the electronic message to identify, by a network environment scanning engine using a machine learning algorithm, executable code for execution by a processor of computing device addressed as a recipient of the message. The network environment scanning engine further analyzes, using a machine-learning based algorithm in a virtual security environment, the executable code to identify whether the executable code comprises one or more environment variables.

Abstract: A real-time, information-security, border-endpoint system and process to block a zero-day threat is disclosed. Data, traffic, patterns, and payloads for incoming and outgoing border control devices (or edge devices) delineating protected from unprotected areas of a network, or close to the border of such, can be monitored, analyzed, compared, and processed by artificial intelligence (AI), which can be used to identify suspect traffic based on differences between the two and historical information compiled from prior Advanced Persistent Threats. Mitigation, countermeasures, reporting, quarantining, blocking, patching, and other features are disclosed as well.

Abstract: Aspects of the disclosure relate to preventing data loss using enhanced analysis of the URLs and URIs in webpage requests. A computing platform may receive a user request to access a webpage, and may determine whether the webpage is regularly accessed by the user and whether the user is permitted to access the webpage. Based on determining the user might not regularly access the website, but that the user is permitted to access the webpage, the computing platform may engage an artificial intelligence (AI) engine to parse the URL and URI from the webpage request. The AI engine may compare the URL to source code associated with the webpage to determine whether the URI was re-written. The computing platform may grant the webpage request based on determining the source code corresponds to the URL and based on determining the URI might not have been re-written.

Abstract: Aspects of the disclosure relate to email verification. A computing platform may receive an electronic message and identify one or more portions of content in the message. Then, the computing platform may generate and embed one or more message-specific identifiers into the electronic message and store electronic message information associating the one or more portions of content with the one or more embedded message-specific identifiers. Thereafter, the computing platform may receive an electronic message verification request to verify authenticity of an identified electronic message received by a computing device. The computing platform may prompt a user of the computing device to provide authentication information associated with one or more portions of content of the identified electronic message.

Abstract: An information security method to detect, validate, source, and/or remediate propagated, maliciously generated, AI content is disclosed. Search-engine spider(s) to crawl the Internet to identify posted content, which is analyzed with signature-based detection, anomaly detection, and machine learning to identify suspect content, which is compared against validated content. A malicious-AI probability score is generated based on the results of the foregoing AI analysis and the content differences. Metadata corresponding to the suspect content is extracted. A malicious activity mapping is compiled from available data. Suspect content is attempted to be recreated by publicly available online AI bots to identify the AI engine that generated the malicious content. Metadata pertaining to the origination source that accessed the source AI bot. Metadata is used to trace the malicious content back to the originator. Proofs regarding the foregoing are generated. Notifications/demands may be generated.

Abstract: A network environment scanning engine may monitor electronic communications received via an external computing network and by an enterprise computing system. The network environment scanning engine after receipt of an electronic message, analyze the electronic message to identify, by a network environment scanning engine using a machine learning algorithm, executable code for execution by a processor of computing device addressed as a recipient of the message. The network environment scanning engine further analyzes, using a machine-learning based algorithm in a virtual security environment, the executable code to identify whether the executable code comprises one or more environment variables.

Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

Abstract: A network system of pattern analysis includes a centralized AI-based pattern analysis engine and each computing device comprises a local AI-based pattern analysis engine. The pattern analysis engine(s) each analyze computing operations on a local machine basis or a on a network basis depending on where installed. The AI-based pattern analysis engines identify common activity patterns for each machine and exclude the common activity patterns from further analysis of the computing operations, leading to more efficient identification of activity patterns indicative of nefarious activity. Once detected, the AI-based pattern analysis engines trigger an incident response to counter the nefarious activities. The AI-based pattern analysis engines include AI models that are continually or periodically trained to update the baseline common activity patterns.

Abstract: A network system of pattern analysis includes a centralized AI-based pattern analysis engine and each computing device comprises a local AI-based pattern analysis engine. The pattern analysis engine(s) each analyze computing operations on a local machine basis or a on a network basis depending on where installed. The AI-based pattern analysis engines identify common activity patterns for each machine and exclude the common activity patterns from further analysis of the computing operations, leading to more efficient identification of activity patterns indicative of nefarious activity. Once detected, the AI-based pattern analysis engines trigger an incident response to counter the nefarious activities. The AI-based pattern analysis engines include AI models that are continually or periodically trained to update the baseline common activity patterns.

Abstract: Aspects of the disclosure relate to email verification. A computing platform may receive an electronic message and identify one or more portions of content in the message. Then, the computing platform may generate and embed one or more message-specific identifiers into the electronic message and store electronic message information associating the one or more portions of content with the one or more embedded message-specific identifiers. Thereafter, the computing platform may receive an electronic message verification request to verify authenticity of an identified electronic message received by a computing device. The computing platform may prompt a user of the computing device to provide authentication information associated with one or more portions of content of the identified electronic message.

Abstract: Various aspects of the disclosure relate to automated monitoring and detection of computing threats. A threat detection computing system is configured to monitor for security threats on a networked system. The threat detection system monitors process calls to detect otherwise benign activity that exceeds an expected threshold and identifies threat actor actions that would otherwise go un-noticed and be associated with normal computer activity.

Abstract: Artificial-intelligence (“AI”) based anti-phishing information-security processes and machines are disclosed. An AI engine analyzes emails to extract domain, embedded images, and company names. The domain is accessed from different IP addresses, the content is captured from each and compared, and extracted images are compared to email images. Reverse DNS searches check whether the company owns the domain. Reverse image lookups determine whether the email image or version(s) thereof are detected previously on the domain. Natural language processing (“NLP”) can compare the idiosyncrasies between the website content and the email text. Phishing-target characteristics that are common amongst recipients of the email can be determined. A phishing-risk score is computed based one or more of the image and content similarities, the reverse DNS, the reverse image lookup, the NLP similarity results, and/or common phishing-target characteristics.

Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

Abstract: A network traffic correlation engine monitors inbound and/or outbound connection information received from on each host computer system on a network. Each host device on the network store data logs corresponding to information corresponding to communications sent by the device and received by the device. The network traffic correlation engine correlates connections between different hosts throughout the network. If the network traffic correlation engine identified unmatched outbound and inbound connections, the network traffic correlation engine generates an alert to initiate further investigation and may also provide a mapping of the communications showing a possible start device for the connection and/or a type of access that the connections may now be providing.

Abstract: A lateral movement identification tool analyzes communications sent and received from a local host to identify potential instances of lateral movement. When the host-based lateral movement identification tool identifies a host to host connection, the tool processes one or more artificial intelligence algorithms to analyze information from local network resources including a directory service, a local network system such as a network basic input/output system, a domain name system, and event logs. The lateral movement identification tool correlates the aggregated information with identified host to host messaging and sends alerts when lateral movement is suspected. Alerts may be either presented locally or provided to a central console based on configuration information.

Abstract: A network security computing system includes a steganographic communications analysis engine monitoring incoming and outgoing messages on a secure computing network. The steganographic communications analysis engine identifies a pattern of file transfers between a first computing device on the secure computing network and an internal or external message recipient. When a pattern is identified, the steganographic communications analysis engine quarantines an associated computing device from the secure network. The steganographic communications analysis engine analyzes files transferred between the computing device and the recipient for indications of steganographic information and causes display, based on an identified indication of steganography, an indication that the computing device had been compromised by command and control malware.

Abstract: A network traffic correlation engine monitors inbound and/or outbound connection information received from on each host computer system on a network. Each host device on the network store data logs corresponding to information corresponding to communications sent by the device and received by the device. The network traffic correlation engine correlates connections between different hosts throughout the network. If the network traffic correlation engine identified unmatched outbound and inbound connections, the network traffic correlation engine generates an alert to initiate further investigation and may also provide a mapping of the communications showing a possible start device for the connection and/or a type of access that the connections may now be providing.