Abstract: According to one embodiment, a method, computer system, and computer program product for population density approximation is provided. The embodiment may include identifying a device as entering a preconfigured distance of a preconfigured area, whereby the preconfigured area is one of a plurality of preconfigured areas. The embodiment may also include gathering device-identifying information corresponding to the device. The embodiment may further include creating a profile for each device using the device-identifying data. The embodiment may also include correlating device movements across the plurality of preconfigured areas using the profile associated with each device. The embodiment may further include calculating a population density based on the correlated device movements.

Abstract: A method for processing security events by applying a rule-based alarm scheme may be provided. The method includes generating a rule index of rules and an indicator of compromise index for each of the rules. The method includes also processing the incoming security event by applying the rules, increasing a current rule counter relating to a triggered rule, and increasing a current indicator of compromise counter pertaining to the triggered rule. Furthermore, the method includes generating a pseudo security event from received data about known attacks and related indicators of compromise, processing the pseudo security events by sequentially applying the rules, increasing a current rule counter of pseudo security events, and increasing a current indicator of compromise counter for pseudo security events, and sorting the rules and sorting within each rule the indicator of compromise values in the indicator of compromise index.

Abstract: A computer-implemented method for managing access rights to a knowledge graph is provided. The method comprises splitting, for each user system, its respective portion of the knowledge graph into a plurality of knowledge subgraphs, encrypting each of the knowledge subgraphs, and generating a plurality of private summary graphs. The method also comprises maintaining a collaboration graph comprising one vertex per user system and edges representing collaborations between the users, mapping all private subgraphs of all user systems to one public summary graph, each vertex of the public summary graph comprises less data than the related vertex of the related private summary graphs and wherein none of the vertices of the summary graph comprises any encryption or decryption key, and granting access to a selected knowledge subgraph from a first user system to a second user system.

Abstract: According to one embodiment, a method, computer system, and computer program product for crowd density analysis with multiple regions is provided. The embodiment may include identifying three or more local measurement nodes. The embodiment may also include defining one or more bins, each bin comprising at least three local measurement nodes from the three or more local measurement nodes. The embodiment may further include mapping one or more regions corresponding to a bin from the one or more bins. The embodiment may also include identifying a device in a region. The embodiment may further creating a profile corresponding to the identified device. The embodiment may also include calculating a population density based on a number of created profiles in a region from the one or more regions.

Abstract: The exemplary embodiments disclose a method, a computer system, and a computer program product for detecting malware. The exemplary embodiments may include aggregating known malware patterns by storing malware patterns and related malware categories of the malware patterns. The exemplary embodiments may additionally include training a first machine-learning system, comprising a generator portion and a discriminator portion, by using the known malware patterns and the related malware categories as training data. The exemplary embodiments may also include generating additional synthetic code patterns by feeding random code samples to the trained first machine-learning system. The exemplary embodiments may further include training a second machine-learning system by using benevolent code patterns and the generated additional synthetic code patterns as training data.

Abstract: Methods, computer program products, and systems are presented. The methods include customer specific information exchange and an adjustment of the privacy level of this information. For this purpose an abstraction layer and an obfuscation module are introduced. Using a “fraud vector” a risk assessment is performed on the obfuscated transaction data.

Abstract: Methods, computer program products, and systems are presented. The methods include customer specific information exchange and an adjustment of the privacy level of this information. For this purpose an abstraction layer and an obfuscation module are introduced. Using a “fraud vector” a risk assessment is performed on the obfuscated transaction data.

Abstract: The exemplary embodiments disclose a method, a computer system, and a computer program product for detecting malware. The exemplary embodiments may include aggregating known malware patterns by storing malware patterns and related malware categories of the malware patterns. The exemplary embodiments may additionally include training a first machine-learning system, comprising a generator portion and a discriminator portion, by using the known malware patterns and the related malware categories as training data. The exemplary embodiments may also include generating additional synthetic code patterns by feeding random code samples to the trained first machine-learning system. The exemplary embodiments may further include training a second machine-learning system by using benevolent code patterns and the generated additional synthetic code patterns as training data.

Abstract: A computer-implemented method, system and computer program product for protecting against application programming interface (API) attacks. A connection is established between an API user and an API provider. The established connection is then monitored to assess connection security and trustworthiness of the connection as well as trustworthiness of the API user and/or API provider. A score is then generated for each factor used in assessing the connection security and trustworthiness of the connection as well as the trustworthiness of the API user and/or API provider based on the monitoring. A level of risk for an API attack with respect to the API user and/or API provider is then generated based on such scores. An action (e.g., blocking traffic) is then performed with respect to the API user and/or API provider based on the level of risk for an API attack with respect to the API user and/or API provider, respectively.

Abstract: A system for determining code ancestry. The system includes: a memory; and a processor communicatively coupled to the memory. The processor is configured to perform a method comprising: receiving a source code file; parsing a plurality of functions out of the source code file; generating fuzzy fingerprints from the plurality of functions; and storing the fuzzy fingerprints in a graph database.

Abstract: A computer-implemented method or protecting a machine-learning model against training data attacks is disclosed. The method comprises performing an initial training of a machine-learning system with controlled training data, thereby building a trained initial machine-learning model and identifying high-impact training data from a larger training data set than in the controlled training data, wherein the identified individual training data have an impact on a training cycle of the training of machine-learning model, wherein the impact is larger than a predefined impact threshold value. The method also comprises building an artificial pseudo-malicious training data set from the identified high-impact training data and retraining the machine-learning system comprising the trained initial machine-learning model using the artificial pseudo-malicious training data set.

Abstract: A system may receive a string of characters, identify two or more sub-strings of the string, compare the two or more sub-strings to one or more reserve values from a database of reserve values, identify a first sub-string of the two or more sub-strings that contains one of the one or more reserve values, identify a second sub-string of the two or more sub-strings with a sensitive value, and obfuscate the second sub-string and not obfuscating the first sub-string.

Abstract: A node in a blockchain network may generate a secret information proof, generate a private/public key pair, encrypt the secret information proof with the private/public key pair, and submit the proof to a blockchain network.

Abstract: A method, computer program, and computer system are provided for resource allocation in a cloud computing environment. A request for resource allocation is received from a user in a cloud computing environment. A profile is determined for the user based on one or more metrics. A workload allocation is assigned to the user based on the determined profile matching one or more clusters of other users. A usage value of the assigned workload allocation to the user may be monitored. The user is immediately upgraded to a higher workload allocation based on the usage value exceeding a threshold value.

Abstract: One embodiment of the invention provides a method comprising identifying a tenant compromised by a security breach in a multi-tenant cloud environment including at least one virtual machine (VM), and storing at least one snapshot of the at least one VM. The method further comprises automatically performing containment of the security breach by mitigating the tenant compromised by the security breach. The method further comprises automatically performing remediation of at least one salvageable image in the environment by migrating one or more other tenants not yet compromised by the security breach in the environment to a sandbox, verifying the one or more other tenants are not compromised by the security breach by testing the one or more other tenants in the sandbox for a probationary period, and migrating the one or more other tenants to a new cloud container in production environment in response to the verifying.

Abstract: Described are techniques for multi-tenant security. The techniques include detecting malicious activity on a compromised application in a multi-tenant host. The techniques further include automatically performing a live migration of each tenant of the multi-tenant host to a respective single-tenant host. The techniques further include mitigating the malicious activity on the compromised application that is migrated to a single-tenant host, and automatically performing another live migration of each benign tenant to a new multi-tenant host.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for detecting a malicious process by a selected instance of an anti-malware system. The method includes one or more processors examining a process for indicators of compromise to the process. The method further includes one or more processors determining a categorization of the process based upon a result of the examination. In response to determining that the categorization of the process does not correspond to a known benevolent process and a known malicious process, the method further includes one or more processors executing the process in a secure enclave. The method further includes one or more processors collecting telemetry data from executing the process in the secure enclave. The method further includes one or more processors passing the collected telemetry data to a locally trained neural network system.

Abstract: A computer system controls access to data. A secure container that is based on an image file is instantiated at an endpoint device of a user, wherein the secure container includes encrypted data corresponding to the user. An access request to the secure container is authenticated by verifying credentials of the user. In response to verifying the credentials of the user, access to the data is granted. Access to the data is controlled by decrypting and enabling access to a portion of the data, wherein additional portions of the data are decrypted and made accessible based on user behavior.

Abstract: A computer-implemented method for digital fingerprint obfuscation is disclosed. The computer-implemented method includes training a machine learning model to classify web traffic data into one or more personas. The computer-implemented method further includes identifying, using the trained machine learning model, a particular persona of a user based, at least in part, on a user's real traffic data generated during a current user session. The computer-implemented method further includes generating synthetic traffic data based, at least in part, on the identified particular persona of the user.

Abstract: A computer-implemented method for protecting a processing environment from malicious incoming network traffic may be provided. The method comprises: in response to receiving incoming network traffic comprising a data packet, performing a packet and traffic analysis of the data packet to determine whether said data packet is non-malicious and malicious, and processing of the data packet in a sandbox environment. Furthermore, the method comprises: in response to detecting that the data packet is non-malicious based on the packet and traffic analysis, releasing the processed data packet from the sandbox environment for further processing in the processing environment, and in response to detecting that the data packet is malicious based on the packet and traffic analysis discarding the data packet.