Abstract: A computer-implemented method includes: continuously generating, by a server on an enterprise network, an instance of a secret message encrypting information specific to a target system on the enterprise network; embedding, using steganography, the instance of the secret message on the target system, wherein the embedding is conducted when the instance of the secret message is generated; maintaining, by the server, a database that stores contents of each instance of the secret message; scanning, by the server, the target system for the instance of the secret message embedded on the target system; in response to locating the instance of the secret message on the target system, comparing contents of the instance of the secrete message with information stored on the database; and in response to determining that the contents of the instance of the secrete message do not match the information stored on the database, generating an alert.

Abstract: Implementations provide a computer-implemented method that includes: accessing, by a node of a blockchain network, a first set of data encoding a set of transaction records, wherein the blockchain network comprises a plurality of consensus nodes; at least based on the first set of data, generating, by the node, a transaction hash for the set of transaction; accessing a second set of data encoding a compliance status of the node of the blockchain network; at least based on the second set of data; generating, by the node, a compliance hash for the node of blockchain network; generating, by the node, a root hash that combines the transaction hash and the compliance hash; and submitting, by the node and to the plurality of consensus nodes of the blockchain network, a block that includes the root hash for entry into the blockchain.

Abstract: Systems and methods include a computer-implemented method for blocking the transfer of sensitive information. A document is analyzed by a leakage prevention system for sensitive information. The document is sent by a sender to at least one receiver. A context in which sensitive information is used in the document is determined. A sender risk profile of the sender and receiver risk profiles of the at least one receiver are determined. Risk scores for the sender and the at least one receiver are determined using predefined rules and the sender/receiver risk profiles. The risk scores identify a use level of sensitive information in the document. A determination is made by the leakage prevention system, based at least on the risk scores, whether to block a transfer of the document or to allow a transfer of the document. The document is transferred or blocked based on the determination.

Abstract: Implementations can provide a method that includes: accessing the source code of a script hosted by a remote server; extracting features from the source code in accordance with a machine-learning model comprising one or more layers of logic; at least based on the machine-learning model, determining, for each of the extracted features, a corresponding probability conditioned on the source code containing ransomware; and at least based on the machine-learning model, determining a combined probability for the extracted features conditioned on the source code containing ransomware when the extracted features are jointly present; comparing the combined probability with a threshold; in response to determining that the combined probability exceeds the threshold, flagging the source code as containing ransomware; and in response to determining that the combined probability does not exceed the threshold, flagging the source code as not containing ransomware.

Abstract: The present disclosure relates to systems and methods for detecting unauthorized system configuration changes. For example, metadata can be extracted from network traffic captured by one or more different network tools and/or network devices and provided to a metadata evaluator. As an example, the one or more different network tools and/or devices can include a switch port analyzer tool, a security information and event management tool, and/or a test access port device. The metadata evaluator can process the extracted metadata to detect a system configuration change in a system on a network that includes the network traffic. The metadata evaluator can determine whether the system configuration change is an authorized system configuration change. In some examples, the metadata evaluator can determine whether the system configuration change is an authorized system configuration change based on change management data from a change management system.

Abstract: Described herein is a prediction engine for aiding decision support. In some examples, the prediction engine can be used in aiding cyber security applications. The prediction engine can include multiple prediction layers that each include a number of machine learning models that contribute to an overall prediction of the prediction engine in predicting whether a respective system or system user poses a cyber-threat. The prediction engine can provide prediction data that can indicate that the respective system or system user is a cyber-threat. In some examples, a decision engine can be employed to use the prediction data to mitigate or eliminate the cyber-threat.

Abstract: A security tool includes a vulnerability classifier for classifying vulnerabilities based on an assessment report, an exploitability classifier for determining an exploitability level for a vulnerability of a list of vulnerabilities of the assessment report based on data of an intelligence feed, a risk classifier for calculating an overall risk level for a computer application associated with the vulnerability of the list of vulnerabilities based on an impact score for the computer application, and a remediation prioritizer to determine an order of remediation for the computer application and to generate a remediation prioritization report including the order of remediation.

Abstract: The present disclosure relates to systems and methods for detecting unauthorized system configuration changes. For example, metadata can be extracted from network traffic captured by one or more different network tools and/or network devices and provided to a metadata evaluator. As an example, the one or more different network tools and/or devices can include a switch port analyzer tool, a security information and event management tool, and/or a test access port device. The metadata evaluator can process the extracted metadata to detect a system configuration change in a system on a network that includes the network traffic. The metadata evaluator can determine whether the system configuration change is an authorized system configuration change. In some examples, the metadata evaluator can determine whether the system configuration change is an authorized system configuration change based on change management data from a change management system.

Abstract: Implementations provide a computer-implemented method that includes: accessing, by a node of a blockchain network, a first set of data encoding a set of transaction records, wherein the blockchain network comprises a plurality of consensus nodes; at least based on the first set of data, generating, by the node, a transaction hash for the set of transaction; accessing a second set of data encoding a compliance status of the node of the blockchain network; at least based on the second set of data; generating, by the node, a compliance hash for the node of blockchain network; generating, by the node, a root hash that combines the transaction hash and the compliance hash; and submitting, by the node and to the plurality of consensus nodes of the blockchain network, a block that includes the root hash for entry into the blockchain.

Abstract: Methods and systems, including computer programs encoded on a computer storage medium, implement compliance testing to evaluate controls used to protect assets of a target system. A respective first score is generated for each control based on compliance tests performed to detect each of the controls at the target system. A compliance model is generated that integrates machine-learning algorithms to classify inputs corresponding to a compliance test and to enable predictive analytics of the compliance model using the classified inputs. The compliance model derives a negative compliance test (nCT) for each of the compliance tests by applying the predictive analytics to a data set that includes the first score for each control. An nCT is performed for each control detected at the target system and a second score is generated for each nCT. An assurance score characterizing effectiveness of the control is generated based on the first and second scores.

Abstract: Implementations can provide a method that includes: accessing the source code of a script hosted by a remote server; extracting features from the source code in accordance with a machine-learning model comprising one or more layers of logic; at least based on the machine-learning model, determining, for each of the extracted features, a corresponding probability conditioned on the source code containing ransomware; and at least based on the machine-learning model, determining a combined probability for the extracted features conditioned on the source code containing ransomware when the extracted features are jointly present; comparing the combined probability with a threshold; in response to determining that the combined probability exceeds the threshold, flagging the source code as containing ransomware; and in response to determining that the combined probability does not exceed the threshold, flagging the source code as not containing ransomware.

Abstract: Methods for detection of web application anomalies include receiving, by processors of a web server, web application logs and database logs. A machine learning algorithm is executed by the processors to segment the web application logs and the database logs into clusters based on probability density modeling, such that a variance of features within each cluster is less than a threshold variance. Each cluster corresponds to authorized access of backend databases or unauthorized access of the backend databases. The processors compare each cluster to baseline clusters corresponding to the authorized access of the backend databases. The processors determine that a particular cluster corresponds to the unauthorized access of the backend databases based on the comparison. Responsive to determining that the particular cluster corresponds to the unauthorized access of the backend databases, a display device of the web server generates a graphical user interface representing the particular cluster.

Abstract: An automated method for improving application developers' cybersecurity competencies is provided.

Abstract: Systems and methods include a computer-implemented method for presenting a model of cybersecurity. Questionnaire answers corresponding to individual components of each of three elements contributing to cybersecurity risk and maturity for a computer system are received by a four-dimensional cybersecurity assurance model application. Three scores corresponding to dimensions of cybersecurity assurance for the computer system are generated by the four-dimensional cybersecurity assurance model application using the questionnaire answers. A three-dimensional graph presenting a four-dimensional model of cybersecurity assurance for the computer system is generated by the four-dimensional cybersecurity assurance model application using the three scores and temporal information.

Abstract: A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.

Abstract: An automated method for improving application developers' cybersecurity competencies is provided.

Abstract: A method for detecting Command and Control (C&C) toward a web application in a network includes: obtaining, using a Web Application Firewall (WAF) of the network, network traffic between the web application and a server outside the network; transmitting the network traffic from the WAF to a machine learning model; determining, using the machine learning model, whether the network traffic includes a command signature; in response to determining that the network traffic includes a command signature, generating a notification; and determining, based on the notification, whether the server is a C&C.

Abstract: A method may include obtaining various votes for a blockchain transaction from various blockchain nodes. The method may further include determining various weighted votes using the votes and respective cybersecurity states of the blockchain nodes. The respective cybersecurity states may correspond to whether a predetermined security vulnerability is associated with the blockchain nodes. The respective cybersecurity states may be dynamic values that are updated based on changes among predetermined security vulnerabilities. The method may further include determining whether to validate the blockchain transaction based on the weighted votes.

Abstract: A system, a method, and a computer program for remediating a cyberattack risk for a computing resource located at a node in a computer network having a plurality of nodes. The solution includes receiving vulnerability score data that has a severity level for a vulnerability in the computing resource at the node, receiving a number of installations value (NCRi) that indicates a number of instances the computing resource is included in the plurality of nodes, determining a percentile of occurrence value (POCRi) for the computing resource based on the number of installations value (NCRi), applying a severity adjustment matrix to the severity level to determine a true severity level for the vulnerability in the computing resource, reprioritized the vulnerability in the computing resource based on the true severity level, and mitigating the cyberattack risk for the computing resource based on the true severity level.

Abstract: A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.