Abstract: A computer-implemented method or protecting a machine-learning model against training data attacks is disclosed. The method comprises performing an initial training of a machine-learning system with controlled training data, thereby building a trained initial machine-learning model and identifying high-impact training data from a larger training data set than in the controlled training data, wherein the identified individual training data have an impact on a training cycle of the training of machine-learning model, wherein the impact is larger than a predefined impact threshold value. The method also comprises building an artificial pseudo-malicious training data set from the identified high-impact training data and retraining the machine-learning system comprising the trained initial machine-learning model using the artificial pseudo-malicious training data set.

Abstract: A system may receive a string of characters, identify two or more sub-strings of the string, compare the two or more sub-strings to one or more reserve values from a database of reserve values, identify a first sub-string of the two or more sub-strings that contains one of the one or more reserve values, identify a second sub-string of the two or more sub-strings with a sensitive value, and obfuscate the second sub-string and not obfuscating the first sub-string.

Abstract: A node in a blockchain network may generate a secret information proof, generate a private/public key pair, encrypt the secret information proof with the private/public key pair, and submit the proof to a blockchain network.

Abstract: A method, computer program, and computer system are provided for resource allocation in a cloud computing environment. A request for resource allocation is received from a user in a cloud computing environment. A profile is determined for the user based on one or more metrics. A workload allocation is assigned to the user based on the determined profile matching one or more clusters of other users. A usage value of the assigned workload allocation to the user may be monitored. The user is immediately upgraded to a higher workload allocation based on the usage value exceeding a threshold value.

Abstract: One embodiment of the invention provides a method comprising identifying a tenant compromised by a security breach in a multi-tenant cloud environment including at least one virtual machine (VM), and storing at least one snapshot of the at least one VM. The method further comprises automatically performing containment of the security breach by mitigating the tenant compromised by the security breach. The method further comprises automatically performing remediation of at least one salvageable image in the environment by migrating one or more other tenants not yet compromised by the security breach in the environment to a sandbox, verifying the one or more other tenants are not compromised by the security breach by testing the one or more other tenants in the sandbox for a probationary period, and migrating the one or more other tenants to a new cloud container in production environment in response to the verifying.

Abstract: Described are techniques for multi-tenant security. The techniques include detecting malicious activity on a compromised application in a multi-tenant host. The techniques further include automatically performing a live migration of each tenant of the multi-tenant host to a respective single-tenant host. The techniques further include mitigating the malicious activity on the compromised application that is migrated to a single-tenant host, and automatically performing another live migration of each benign tenant to a new multi-tenant host.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for detecting a malicious process by a selected instance of an anti-malware system. The method includes one or more processors examining a process for indicators of compromise to the process. The method further includes one or more processors determining a categorization of the process based upon a result of the examination. In response to determining that the categorization of the process does not correspond to a known benevolent process and a known malicious process, the method further includes one or more processors executing the process in a secure enclave. The method further includes one or more processors collecting telemetry data from executing the process in the secure enclave. The method further includes one or more processors passing the collected telemetry data to a locally trained neural network system.

Abstract: A computer system controls access to data. A secure container that is based on an image file is instantiated at an endpoint device of a user, wherein the secure container includes encrypted data corresponding to the user. An access request to the secure container is authenticated by verifying credentials of the user. In response to verifying the credentials of the user, access to the data is granted. Access to the data is controlled by decrypting and enabling access to a portion of the data, wherein additional portions of the data are decrypted and made accessible based on user behavior.

Abstract: A computer-implemented method for digital fingerprint obfuscation is disclosed. The computer-implemented method includes training a machine learning model to classify web traffic data into one or more personas. The computer-implemented method further includes identifying, using the trained machine learning model, a particular persona of a user based, at least in part, on a user's real traffic data generated during a current user session. The computer-implemented method further includes generating synthetic traffic data based, at least in part, on the identified particular persona of the user.

Abstract: A computer-implemented method for protecting a processing environment from malicious incoming network traffic may be provided. The method comprises: in response to receiving incoming network traffic comprising a data packet, performing a packet and traffic analysis of the data packet to determine whether said data packet is non-malicious and malicious, and processing of the data packet in a sandbox environment. Furthermore, the method comprises: in response to detecting that the data packet is non-malicious based on the packet and traffic analysis, releasing the processed data packet from the sandbox environment for further processing in the processing environment, and in response to detecting that the data packet is malicious based on the packet and traffic analysis discarding the data packet.

Abstract: A system for determining code ancestry. The system includes: a memory; and a processor communicatively coupled to the memory. The processor is configured to perform a method comprising: receiving a source code file; parsing a plurality of functions out of the source code file; generating fuzzy fingerprints from the plurality of functions; and storing the fuzzy fingerprints in a graph database.

Abstract: Load testing a service having a plurality of different states is provided. A multitude of simulated users accessing the service are divided into a plurality of cohorts. Simulated users within a given cohort share a similar personality type. A load test of the service is performed by applying a set of service requests from each respective cohort to the service. In response to a percentage of simulated users of each cohort encountering a particular state in the service, a user response is determined for the percentage of simulated users within each cohort at that particular state based on a probabilistic user behavior model corresponding to a personality type of each cohort such that user responses at that particular state are distributed in accordance with the probabilistic user behavior model. Distributed user responses at that particular state are applied to the load test in accordance with the probabilistic user behavior model.

Abstract: A display case is provided. The display case includes a transparent display for viewing an object through the transparent display and a watermarking engine configured to display a watermark on the transparent display.

Abstract: A computer-implemented method, system and computer program product for protecting against application programming interface (API) attacks. A connection is established between an API user and an API provider. The established connection is then monitored to assess connection security and trustworthiness of the connection as well as trustworthiness of the API user and/or API provider. A score is then generated for each factor used in assessing the connection security and trustworthiness of the connection as well as the trustworthiness of the API user and/or API provider based on the monitoring. A level of risk for an API attack with respect to the API user and/or API provider is then generated based on such scores. An action (e.g., blocking traffic) is then performed with respect to the API user and/or API provider based on the level of risk for an API attack with respect to the API user and/or API provider, respectively.

Abstract: A computer-implemented method for protecting a processing environment from malicious incoming network traffic may be provided. The method comprises: in response to receiving incoming network traffic comprising a data packet, performing a packet and traffic analysis of the data packet to determine whether said data packet is non-malicious and malicious, and processing of the data packet in a sandbox environment. Furthermore, the method comprises: in response to detecting that the data packet is non-malicious based on the packet and traffic analysis, releasing the processed data packet from the sandbox environment for further processing in the processing environment, and in response to detecting that the data packet is malicious based on the packet and traffic analysis discarding the data packet.

Abstract: According to one embodiment, a method, computer system, and computer program product for population density approximation is provided. The embodiment may include identifying a device as entering a preconfigured distance of a preconfigured area, whereby the preconfigured area is one of a plurality of preconfigured areas. The embodiment may also include gathering device-identifying information corresponding to the device. The embodiment may further include creating a profile for each device using the device-identifying data. The embodiment may also include correlating device movements across the plurality of preconfigured areas using the profile associated with each device. The embodiment may further include calculating a population density based on the correlated device movements.

Abstract: A system may receive a string of characters, identify two or more sub-strings of the string, compare the two or more sub-strings to one or more reserve values from a database of reserve values, identify a first sub-string of the two or more sub-strings that contains one of the one or more reserve values, identify a second sub-string of the two or more sub-strings with a sensitive value, and obfuscate the second sub-string and not obfuscating the first sub-string.

Abstract: A processor may detect a risk on a local machine. The processor may determine that the risk warrants a heightened-level remediation. The processor may connect the local machine to a cloud-based desktop environment. The processor may perform the heightened-level remediation on the local machine. The processor may merge data from the cloud-based desktop environment to the local machine in response to the heightened-level remediation being performed.

Abstract: A method for processing security events by applying a rule-based alarm scheme may be provided. The method includes generating a rule index of rules and an indicator of compromise index for each of the rules. The method includes also processing the incoming security event by applying the rules, increasing a current rule counter relating to a triggered rule, and increasing a current indicator of compromise counter pertaining to the triggered rule. Furthermore, the method includes generating a pseudo security event from received data about known attacks and related indicators of compromise, processing the pseudo security events by sequentially applying the rules, increasing a current rule counter of pseudo security events, and increasing a current indicator of compromise counter for pseudo security events, and sorting the rules and sorting within each rule the indicator of compromise values in the indicator of compromise index.

Abstract: Approaches presented herein enable detecting and assessing evidence of malware intrusion. More specifically, scans of a system are performed, where the scans detect evidence of malware intrusion, and each of the scans generates a respective result. A severity score is assigned to each respective result of the scans, and an assessment score for the system is computed based on the severity score assigned to each respective result of the scans.