Abstract: Embodiments of the present systems and methods may provide data watermarking without reliance on error-tolerant fields, thereby providing for the incorporation of watermarks in data that was not considered suitable for watermarking. For example, in an embodiment, a computer-implemented method for watermarking data may comprise inserting watermark data into a field that requires format-preserving encryption.

Abstract: Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.

Abstract: Embodiments of the present invention may detect, identify, and notify of email phishing attacks. For example, a method may comprise constructing at least one behavioral model for an organization based on features extracted from a plurality of email messages and based on information relating to the organization, including analyzing behavioral patterns of emails in the organization, analyzing a plurality of new email messages using the behavioral model to determine non-binary scores representing analysis of features of the messages, including behavioral patterns of the new emails in the organization with regard to the features, determining whether any of the plurality of new email messages are malicious email messages based on the non-binary scores for the new email messages indicating that the new email messages deviate from the behavioral patterns of emails in the organization included in the behavioral model, and transmitting a notification that a message is a malicious email message.

Abstract: Setting a budget of alerts for single or multiple risk score types, adjusting a working threshold based on the set budget, wherein adjusting the working threshold is done by defining an reference threshold for an alert, providing a history of recorded risk scores within a budget sliding interval window and adjusting the working threshold such that a number of alerts which would have been provided by the recorded risk scores is calculated to stay within the set budget, and using the adjusted working threshold to normalize and optionally combine incoming risk scores so as to determine whether an incoming risk score should receive an alert.

Abstract: A computer implemented method of authenticating a user based on comparison of biometric data authentication process parameters measured during a biometric authentication process against a biometric signature authentication process model of the user, comprising receiving sensory data captured by one or more sensors operated to capture biometric data of a user during a biometric authentication process conducted to verify a biometric signature of the user, calculating a deviation of values of a plurality of authentication process parameters measured during analysis of the sensory data from the values of corresponding reference authentication process parameters retrieved from a biometric signature authentication process model of the user and authenticating the user based on verification of the biometric signature and according to the deviation.

Abstract: Embodiments of the present systems and methods may provide techniques for encryption of location information, while preserving a format and semantics of the information. For example, in an embodiment, a computer-implemented method for encrypting data may comprise receiving location data and generating encrypted data from the received location data, wherein the encrypted data preserves the format and semantics of the received location data.

Abstract: Embodiments of the present systems and methods may provide data watermarking without reliance on error-tolerant fields, thereby providing for the incorporation of watermarks in data that was not considered suitable for watermarking. For example, in an embodiment, a computer-implemented method for watermarking data may comprise inserting watermark data into a field that requires format-preserving encryption.

Abstract: A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.

Abstract: Embodiments of the present invention may detect, identify, and notify of email phishing attacks. For example, a method may comprise constructing at least one behavioral model for an organization based on features extracted from a plurality of email messages and based on information relating to the organization, including analyzing behavioral patterns of emails in the organization, analyzing a plurality of new email messages using the behavioral model to determine non-binary scores representing analysis of features of the messages, including behavioral patterns of the new emails in the organization with regard to the features, determining whether any of the plurality of new email messages are malicious email messages based on the non-binary scores for the new email messages indicating that the new email messages deviate from the behavioral patterns of emails in the organization included in the behavioral model, and transmitting a notification that a message is a malicious email message.

Abstract: Method, system and product for decomposing a simulation model. The method comprising automatically decomposing the simulation model into a predetermined number of co-simulation components, wherein each co-simulation component is allocated to a different simulation platform, wherein said automatically decomposing comprises: defining a target optimization function, wherein the target optimization function computes an estimated run time of the simulation model, wherein the target optimization function is based on a communication time within each co-simulation component and a communication time between each pair of co-simulation components; and determining a decomposition of the simulation model that optimizes a value of the target optimization function. The method further comprises executing the decomposed simulation model by executing in parallel each co-simulation component on a different simulation platform, whereby the simulation model is executed in a distributed manner.

Abstract: A data manager determines an appropriate number of clusters for continuous data using unsupervised learning. The data manager selects an appropriate number of clusters based on at least one temporal stability measure between continuous data from at least two time intervals.

Abstract: A data manager determines an appropriate number of clusters for continuous data using unsupervised learning. The data manager selects an appropriate number of clusters based on at least one temporal stability measure between continuous data from at least two time intervals.

Abstract: A method, system, and product for simulation of Internet of Things (IoT) environment. The method performed by a simulation node in the IoT environment, which comprises the simulation node and a cloud server connected by a computerized network. The method comprises selecting a simulated IoT device to simulate from a plurality of simulated IoT devices that are being simulated by the simulation node; invoking a real-world model to obtain real-world simulated values; determining a simulated behavior of the selected simulated IoT device by invoking a device model and providing the real-world simulated values thereto, o wherein the simulated behavior comprises transmitting a message to the cloud server; setting a next simulated action of the simulation node to occur at a designated time, wherein the next simulated action is the simulated behavior; and performing the next simulated action at the designated time.

Abstract: A data manager determines an appropriate number of clusters for continuous data using unsupervised learning. The data manager selects an appropriate number of clusters based on at least one temporal stability measure between continuous data from at least two time intervals.

Abstract: Setting a budget of alerts for single or multiple risk score types, adjusting a working threshold based on the set budget, wherein adjusting the working threshold is done by defining an reference threshold for an alert, providing a history of recorded risk scores within a budget sliding interval window and adjusting the working threshold such that a number of alerts which would have been provided by the recorded risk scores is calculated to stay within the set budget, and using the adjusted working threshold to normalize and optionally combine incoming risk scores so as to determine whether an incoming risk score should receive an alert.

Abstract: A data manager determines an appropriate number of clusters for continuous data using unsupervised learning. The data manager selects an appropriate number of clusters based on at least one temporal stability measure between continuous data from at least two time intervals.

Abstract: A system for detecting cyber security events can include a processor to generate a first set of a plurality of time series and aggregate statistics based on a plurality of properties corresponding to user actions for each user in a set of users. The processor can also separate the set of users into a plurality of clusters based on the first set of the plurality of time series or aggregate statistics for each user and assign an identifier to each of the plurality of clusters. Additionally, the processor can generate a second set of a plurality of time series based on properties of the plurality of clusters, wherein the properties of a cluster correspond to a membership, a diameter, and a centroid and detect an anomaly based on a new value stored in the second set of the time series. Furthermore, the processor can execute a prevention instruction.

Abstract: Embodiments include method, systems and computer program products for protecting sensitive data. Aspects include accessing computer readable program instructions having one or more output commands. Aspects also include locating the one or more output commands in the computer readable program instructions. Aspects also include identifying target output variables and output constants in the one or more output commands. Aspects also include modifying the computer readable program instructions to append one or more obfuscate commands to the target output variables.

Abstract: Method, system and product for decomposing a simulation model. The method comprising automatically decomposing the simulation model into a predetermined number of co-simulation components, wherein each co-simulation component is allocated to a different simulation platform, wherein said automatically decomposing comprises: defining a target optimization function, wherein the target optimization function computes an estimated run time of the simulation model, wherein the target optimization function is based on a communication time within each co-simulation component and a communication time between each pair of co-simulation components; and determining a decomposition of the simulation model that optimizes a value of the target optimization function. The method further comprises executing the decomposed simulation model by executing in parallel each co-simulation component on a different simulation platform, whereby the simulation model is executed in a distributed manner.

Abstract: A method, system, and product for simulation of Internet of Things (IoT) environment. The method performed by a simulation node in the IoT environment, which comprises the simulation node and a cloud server connected by a computerized network. The method comprises selecting a simulated IoT device to simulate from a plurality of simulated IoT devices that are being simulated by the simulation node; invoking a real-world model to obtain real-world simulated values; determining a simulated behavior of the selected simulated IoT device by invoking a device model and providing the real-world simulated values thereto, o wherein the simulated behavior comprises transmitting a message to the cloud server; setting a next simulated action of the simulation node to occur at a designated time, wherein the next simulated action is the simulated behavior; and performing the next simulated action at the designated time.