Abstract: Techniques for automatically revoking leaked access credentials are disclosed. In some embodiments, a computer system may receive an indication that a credential for accessing a resource has been leaked, where the credential has been leaked by being included in content that has been published on an online service or has been stored in a shared folder of the online service. The computer system may then determine that the credential is effective in accessing the resource, and, in response to the determining that the credential is effective, trigger a revocation of the credential, the revocation of the credential causing the credential to no longer be effective in accessing the resource.

Abstract: In an example embodiment, an efficient, automated method to generate password guesses is provided by leveraging online text sources along with natural language processing techniques. Specifically, semantic structures in passwords are exploited to aid system in generating better guesses. This not only helps cover instances where traditional password meters would indicate a password is safe when it is not, but also makes the solution robust against fast-evolving domains such as new slang in natural languages or new vocabulary arising from new products, product updates, and services.

Abstract: In an example embodiment, a combination of machine learning and rule-based techniques are used to automatically detect social engineering attacks in a computer system. More particularly, three phases of detection are utilized on communications in a thread or stream of communications: attack contextualization, intention classification, and security policy violation detection. Each phase of detection causes a score to be generated that is reflective of the degree of danger in the thread or stream of communications, and these scores may then be combined into a single global social engineering attack score, which then may be used to determined appropriate actions to deal with the attack if it transgresses a threshold.

Abstract: Source code is scanned to generate a list of vulnerable tokens. Thereafter, the list of vulnerable tokens is inputted into a machine learning model to identify false positives in the list of vulnerable tokens. Based on this identification, the list of vulnerable tokens can be modified to remove the identified false positives. Related apparatus, systems, techniques and articles are also described.

Abstract: Various examples are directed to systems and methods for identifying textual information regarding a first topic. A computer system may access a plurality of text units and detect that a first text unit of the plurality of text units is in a first language. The computer system may access a first language keyword set for the first topic, where the first language keyword set comprises a first plurality of keywords associated with the first language. The computer system may determine a first relevance score for the first text unit based at least in part on the first language keyword set. If the first relevance score is greater than a relevance score threshold, the computer system translates the first text unit to a base language and determines a text unit classification for the first text unit using a classification model trained with training data in the base language.

Abstract: Source code is scanned to generate a list of vulnerable tokens. Thereafter, the list of vulnerable tokens is inputted into a machine learning model to identify false positives in the list of vulnerable tokens. Based on this identification, the list of vulnerable tokens can be modified to remove the identified false positives. Related apparatus, systems, techniques and articles are also described.

Abstract: A user authentication process is initiated by a software application executing on a primary server. The user authentication process prompts a user to enter, via a graphical user interface, login credentials. Thereafter, it is determined that the login credentials have been flagged. The user is then directed from the primary server to a fake server (i.e., a second server) mimicking the software application executing on the primary server. Thereafter, the fake server obtains metadata associated with the user interacting with the fake server that characterizes the user. This obtained metadata can later be provided (e.g., displayed, loaded into memory, stored in physical persistence, transmitted to a remote computing system, etc.). Related apparatus, systems, techniques and articles are also described.

Abstract: Various examples are directed to systems and methods for identifying textual information regarding a first topic. A computer system may access a plurality of text units and detect that a first text unit of the plurality of text units is in a first language. The computer system may access a first language keyword set for the first topic, where the first language keyword set comprises a first plurality of keywords associated with the first language. The computer system may determine a first relevance score for the first text unit based at least in part on the first language keyword set. If the first relevance score is greater than a relevance score threshold, the computer system translates the first text unit to a base language and determines a text unit classification for the first text unit using a classification model trained with training data in the base language.

Abstract: Embodiments provide systems and methods configured to mine information available from informal sources (e.g., social media, blogs, and forums) regarding security vulnerabilities. Particular embodiments may comprise engine(s) of a backend in communication with a user through an interface of a frontend, and also in communication with an underlying database to store security information and related information (e.g. search parameters). Embodiments may allow creation of user-specific search phrases for searching information in one or more informal social media information sources. Search results may be consolidated, and users such as system administrators quickly alerted to possible security issues. Embodiments may refine data mining over time by tracking the reputation (e.g. for data accuracy, freshness) of various sources. Embodiments may also reference formal official and third party sources of security information.

Abstract: A user authentication process is initiated by a software application executing on a primary server. The user authentication process prompts a user to enter, via a graphical user interface, login credentials. Thereafter, it is determined that the login credentials have been flagged. The user is then directed from the primary server to a fake server (i.e., a second server) mimicking the software application executing on the primary server. Thereafter, the fake server obtains metadata associated with the user interacting with the fake server that characterizes the user. This obtained metadata can later be provided (e.g., displayed, loaded into memory, stored in physical persistence, transmitted to a remote computing system, etc.). Related apparatus, systems, techniques and articles are also described.

Abstract: Embodiments automate tracking of exploit information related to initially-identified security vulnerabilities, through the data mining of social networks. Certain social network communities (e.g., those frequented by hackers) share information about computer security breaches (zero-day events). Embodiments recognize that further relevant security information may be revealed, in conjunction with and/or subsequent to such initial zero-day vulnerability disclosures. That additional information can include valuable details regarding known (or unknown) vulnerabilities, exploit codes and methodologies, patches, etc. Tracking that additional information can benefit security researchers/experts/law enforcement personnel. Embodiments monitoring social media traffic based upon initial security vulnerability information, perform analysis to detect patterns and create relevant keywords therefrom.

Abstract: Anonymity and confidentiality of information published from a microblogging platform, are preserved using randomly chosen relays (not related to the publisher account) in order to hide content in the cloud of published messages. The information can be relayed in clear text or in encrypted format. Additional linked relays may be used to overcome character number limitations imposed by the microblogging platform, with the longer full text of the original message reconstructed at the conclusion of the process. Depending upon the desired degree of confidentiality, complexity of the relay combination can be adjusted, and the path secretly shared among sender and authorized recipient. Only authorized recipient(s) can obtain (through another platform) the path combination to reach the message. A trusted third party stores the path relays and authorizations to access the path. The confidential information that is to be shared, may remain on the microblogging platform spread randomly over anonymous accounts.

Abstract: Anonymity and confidentiality of information published from a microblogging platform, are preserved using randomly chosen relays (not related to the publisher account) in order to hide content in the cloud of published messages. The information can be relayed in clear text or in encrypted format. Additional linked relays may be used to overcome character number limitations imposed by the microblogging platform, with the longer full text of the original message reconstructed at the conclusion of the process. Depending upon the desired degree of confidentiality, complexity of the relay combination can be adjusted, and the path secretly shared among sender and authorized recipient. Only authorized recipient(s) can obtain (through another platform) the path combination to reach the message. A trusted third party stores the path relays and authorizations to access the path. The confidential information that is to be shared, may remain on the microblogging platform spread randomly over anonymous accounts.

Abstract: Embodiments automate tracking of exploit information related to initially-identified security vulnerabilities, through the data mining of social networks. Certain social network communities (e.g., those frequented by hackers) share information about computer security breaches (zero-day events). Embodiments recognize that further relevant security information may be revealed, in conjunction with and/or subsequent to such initial zero-day vulnerability disclosures. That additional information can include valuable details regarding known (or unknown) vulnerabilities, exploit codes and methodologies, patches, etc. Tracking that additional information can benefit security researchers/experts/law enforcement personnel. Embodiments monitoring social media traffic based upon initial security vulnerability information, perform analysis to detect patterns and create relevant keywords therefrom.

Abstract: A report handler may receive abuse reports from reporters alleging policy violations of network use policies by at least one potential victim, and a source analyzer may determine at least one subset of the reporters. A content analyzer may determine a reference to the at least one potential victim in network activities of the at least one subset, and a review requester may generate a notification of a potential coalition attack against the at least one potential victim, based on the reference in the context of the at least one subset.

Abstract: A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. n obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.

Abstract: A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. n obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.

Abstract: Embodiments provide systems and methods configured to mine information available from informal sources (e.g., social media, blogs, and forums) regarding security vulnerabilities. Particular embodiments may comprise engine(s) of a backend in communication with a user through an interface of a frontend, and also in communication with an underlying database to store security information and related information (e.g. search parameters). Embodiments may allow creation of user-specific search phrases for searching information in one or more informal social media information sources. Search results may be consolidated, and users such as system administrators quickly alerted to possible security issues. Embodiments may refine data mining over time by tracking the reputation (e.g. for data accuracy, freshness) of various sources. Embodiments may also reference formal official and third party sources of security information.

Abstract: A report handler may receive abuse reports from reporters alleging policy violations of network use policies by at least one potential victim, and a source analyzer may determine at least one subset of the reporters. A content analyzer may determine a reference to the at least one potential victim in network activities of the at least one subset, and a review requester may generate a notification of a potential coalition attack against the at least one potential victim, based on the reference in the context of the at least one subset.

Abstract: An evidence monitor may monitor interactions between at least one service provider and at least one service consumer during a time period. The evidence monitor may receive negative feedback from the at least one service consumer regarding a corresponding interaction of the interactions. A reputation engine may increase a reputation score of the at least one service provider during the time period in accordance with a growth rate, as the interactions occur during the time period. The reputation engine may also decrease the reputation score of the at least one service provider in response to the negative feedback and in accordance with a negative feedback response characteristic.