Patents by Inventor Mohamed Nabeel
Mohamed Nabeel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250112935
Abstract: The present application discloses a method, system, and computer system for detecting stockpiled domains. The method includes (i) determining that a candidate domain is a malicious stockpiled domain using one or more of (a) a fingerprinting classification, (b) a heuristics-based classification, and (c) a machine learning classification, and (ii) applying a security policy based on a classification of the candidate domain as the malicious stockpiled domain.
Type: Application
Filed: September 29, 2023
Publication date: April 3, 2025
Inventors: Janos Szurdi, Mohamed Yoosuf Mohamed Nabeel, Shehroze Farooqi, George Morrison Jones, Arun Bala Kumar
-
Publication number: 20240333749
Abstract: Proactively detecting malicious domains using graph representation learning may be provided by extracting seed domains from a uniform resource locator (URL) feed of observed requests for access to domains; expanding the seed domains via a passive domain name service (PDNS) crawl to include additional domains with the seed domains; collecting a ground truth, including labeling a first set of the seed domains as benign and a second set of the seed domains as malicious; constructing a graph neural network (GNN) of the additional domains and the seed domains, wherein each domain of the additional domains and the seed domains is represented as a node in the GNN that includes feature values associated with that domain; training the GNN to classify unseen domains not associated with a node as either benign or malicious; and classifying, via the GNN, a queried domain as either benign or malicious.
Type: Application
Filed: March 26, 2024
Publication date: October 3, 2024
Inventors: Mohamed Nabeel, Issa Khalil, Ting Yu, Fatih Deniz
-
Publication number: 20240095361
Abstract: An execution environment has been designed that detects likely data exfiltration by using taint tracking and abstract execution. The execution environment is instrumented to monitor for use of functions identified as having functionality for transferring data out of an execution environment. In addition, heuristics-based rules are defined to mark or “taint” objects (e.g., variables) that are likely targets for exfiltration. With taint tracking and control flow analysis, the execution environment tracks the tainted objects through multiple execution paths of a code sample. After comprehensive code coverage, logged use of the monitored functions is examined to determine whether any tainted objects were passed to the monitored functions. If so, the logged use will indicate a destination or sink for the tainted source. Each tainted source-sink association can be examined to verify whether the exfiltration was malicious.
Type: Application
Filed: November 20, 2023
Publication date: March 21, 2024
Inventors: William Russell Melicher, Mohamed Yoosuf Mohamed Nabeel, Oleksii Starov
-
Patent number: 11784953
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
Type: Grant
Filed: January 30, 2023
Date of Patent: October 10, 2023
Assignees: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT, STEVENS INSTITUTE OF TECHNOLOGY
Inventors: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
-
Publication number: 20230205884
Abstract: Generating high-quality threat intelligence from aggregated threat reports is provided via developing a generative model that identifies relationships between a plurality of threat assessment scanners; pre-training a plurality of individual encoders based on a corresponding plurality of pretext tasks and the generative model; combining the individual encoders into a pre-trained encoder; fine-tuning the pre-trained encoder using threat data; and marking a candidate threat, as evaluated via the pre-trained encoder as fine-tuned, as one of benign or malicious.
Type: Application
Filed: December 22, 2022
Publication date: June 29, 2023
Inventors: Mohamed Nabeel, Saravanan Thirumuruganathan, Euijin Choo, Issa M. Khalil, Ting Yu
-
Publication number: 20230171214
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
Type: Application
Filed: January 30, 2023
Publication date: June 1, 2023
Inventors: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
-
Patent number: 11631454
Abstract: In described examples, an apparatus includes: a set of control registers containing control bits for controlling circuitry coupled to receive register write enable signals and to receive input data; a memory for storing data corresponding to the control bits coupled to receive an address and a memory write enable signal; decode circuitry coupled to output the register write enable signals; a data output bus coupled to receive data from the memory but free from connections to the control registers; and a controller coupled to receive an address, coupled to output the address on an internal address bus, coupled to output a register write enable signal, and coupled to output the memory write enable signal, configured to cause data to be written to a selected control register corresponding to the address received, and to cause the data to be contemporaneously stored at a memory location corresponding to the address received.
Type: Grant
Filed: January 16, 2020
Date of Patent: April 18, 2023
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventors: Saket Jalan, Sudesh Chandra Srivastava, Mohammed Nabeel
-
Patent number: 11570132
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
Type: Grant
Filed: September 30, 2021
Date of Patent: January 31, 2023
Assignees: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT, STEVENS INSTITUTE OF TECHNOLOGY
Inventors: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
-
Patent number: 11546377
Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rogue certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.
Type: Grant
Filed: April 13, 2021
Date of Patent: January 3, 2023
Assignee: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT
Inventors: Yazan Boshmaf, Mashael Al Sabah, Mohamed Nabeel
-
Publication number: 20220201036
Abstract: The present application provides a system for detecting brand squatting domains with a three-stage detection pipeline having three different classifiers. The provided system helps predict whether an unknown domain will be malicious. The first classifier detects abusive brand squatting domains, such as those that impersonate exact popular brand names, as soon as the domains are registered. The second classifier detects abusive brand squatting domains when hosting information becomes available, in combination with the information available for the first classifier. The third classifier detects abusive brand squatting domains when certificate information associated with domains is available, in combination with the information available for the first and second classifiers. The performance of each classifier improves from the first to the second to the third with the first classifier making determinations with the least information and the third classifier making determinations with the most information.
Type: Application
Filed: December 22, 2021
Publication date: June 23, 2022
Inventors: Mohamed Nabeel, Issa M. Khalil, Ting Yu
-
Publication number: 20220116782
Abstract: A system is provided for identifying compromised mobile devices from a network administrator's point of view. The provided system utilizes a graph-based inference approach that leverages an assumed correlation that devices sharing a similar set of installed applications will have a similar probability of being compromised. Stated differently, the provided system determines whether a given unknown device is compromised or not by analyzing its connections to known devices. Such connections are generated from a small set of known compromised mobile devices and the network traffic data of mobile devices collected by a service provider or network administrator. The proposed system is accordingly able to reliably detect unknown compromised devices without relying on device-specific features.
Type: Application
Filed: October 6, 2021
Publication date: April 14, 2022
Inventors: Mashael Al Sabah, Mohamed Nabeel, Euijin Choo, Issa M Khalil, Ting Yu, Wei Wang
-
Publication number: 20220103498
Abstract: The present disclosure provides new and innovative systems and methods for filtering encrypted messages. In an example, a computer-implemented method includes obtaining a message, determining sender profiling features of the message, determining enterprise graph features of the message, determining header features of the message, determining a message flag based on the sender profiling features, the enterprise graph features, and the header features, and processing the message based on the message flag.
Type: Application
Filed: September 30, 2021
Publication date: March 31, 2022
Inventors: Mohamed Nabeel, Issa Khalil, Ting Yu, Haipei Sun, Hui Wang
-
Patent number: 11206275
Abstract: The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associating each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph at real-time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.
Type: Grant
Filed: May 30, 2019
Date of Patent: December 21, 2021
Assignee: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT
Inventors: Mohamed Nabeel, Issa M. Khalil, Ting Yu, Euijin Choo
-
Publication number: 20210320946
Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rogue certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.
Type: Application
Filed: April 13, 2021
Publication date: October 14, 2021
Inventors: Yazan Boshmaf, Mashael Al Sabah, Mohamed Nabeel
-
Publication number: 20200382533
Abstract: The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains. A method may comprise providing data to a machine learning module that was previously trained on domain and IP address attributes or classifiers. The method then may comprise classifying apex domains and IP addresses based on the IP address and domain attributes or classifiers. Additionally, the method may comprise associating each of the domains and IP addresses based on the corresponding classification. The method may further comprise building a weighted domain graph at real-time utilizing the DNS data based on the aforementioned associations among domains. The method may then comprise assessing the maliciousness of a domain based on the weighted domain graph that was built.
Type: Application
Filed: May 30, 2019
Publication date: December 3, 2020
Inventors: Mohamed Nabeel, Issa M. Khalil, Ting Yu, Eui J. Choo
-
Publication number: 20200152261
Abstract: In described examples, an apparatus includes: a set of control registers containing control bits for controlling circuitry coupled to receive register write enable signals and to receive input data; a memory for storing data corresponding to the control bits coupled to receive an address and a memory write enable signal; decode circuitry coupled to output the register write enable signals; a data output bus coupled to receive data from the memory but free from connections to the control registers; and a controller coupled to receive an address, coupled to output the address on an internal address bus, coupled to output a register write enable signal, and coupled to output the memory write enable signal, configured to cause data to be written to a selected control register corresponding to the address received, and to cause the data to be contemporaneously stored at a memory location corresponding to the address received.
Type: Application
Filed: January 16, 2020
Publication date: May 14, 2020
Inventors: Saket Jalan, Sudesh Chandra Srivastava, Mohammed Nabeel
-
Patent number: 10559351
Abstract: In described examples, an apparatus includes: a set of control registers containing control bits for controlling circuitry coupled to receive register write enable signals and to receive input data; a memory for storing data corresponding to the control bits coupled to receive an address and a memory write enable signal; decode circuitry coupled to output the register write enable signals; a data output bus coupled to receive data from the memory but free from connections to the control registers; and a controller coupled to receive an address, coupled to output the address on an internal address bus, coupled to output a register write enable signal, and coupled to output the memory write enable signal, configured to cause data to be written to a selected control register corresponding to the address received, and to cause the data to be contemporaneously stored at a memory location corresponding to the address received.
Type: Grant
Filed: February 20, 2017
Date of Patent: February 11, 2020
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventors: Saket Jalan, Sudesh Chandra Srivastava, Mohammed Nabeel
-
Publication number: 20180239530
Abstract: In described examples, an apparatus includes: a set of control registers containing control bits for controlling circuitry coupled to receive register write enable signals and to receive input data; a memory for storing data corresponding to the control bits coupled to receive an address and a memory write enable signal; decode circuitry coupled to output the register write enable signals; a data output bus coupled to receive data from the memory but free from connections to the control registers; and a controller coupled to receive an address, coupled to output the address on an internal address bus, coupled to output a write enable signal, and coupled to output the memory write enable signal, configured to cause data to be written to a selected control register corresponding to the address received, and to cause the data to be contemporaneously stored at a memory location corresponding to the address received.
Type: Application
Filed: February 20, 2017
Publication date: August 23, 2018
Inventors: Saket Jalan, Sudesh Chandra Srivastava, Mohammed Nabeel
-
Patent number: 9680649
Abstract: Methods of providing policy based access to master keys, enabling keys to be distributed to groups of users in a secure manner while minimizing disruptions to the user in the event of changes to group membership or changes to user attributes. User attributes are identified. Policies are rewritten in terms of user attributes. New unique user attribute keys are generated for each attribute for each user. An access tree is constructed with user attribute keys as leaf nodes and Boolean algebra operations as internal nodes. Shamir polynomials are used for AND nodes, and broadcast polynomials are used for OR nodes. Master keys are accessible by traversing the access tree from the leaf nodes to the root node constructing the polynomials attached to all the nodes along the access path.
Type: Grant
Filed: March 19, 2015
Date of Patent: June 13, 2017
Assignee: Oracle International Corporation
Inventor: Mohamed Nabeel
-
Publication number: 20160277187
Abstract: Methods of providing policy based access to master keys, enabling keys to be distributed to groups of users in a secure manner while minimizing disruptions to the user in the event of changes to group membership or changes to user attributes. User attributes are identified. Policies are rewritten in terms of user attributes. New unique user attribute keys are generated for each attribute for each user. An access tree is constructed with user attribute keys as leaf nodes and Boolean algebra operations as internal nodes. Shamir polynomials are used for AND nodes, and broadcast polynomials are used for OR nodes. Master keys are accessible by traversing the access tree from the leaf nodes to the root node constructing the polynomials attached to all the nodes along the access path.
Type: Application
Filed: March 19, 2015
Publication date: September 22, 2016
Inventor: Mohamed Nabeel