Abstract: An account management system establishes an account for a user. The user enters user account information into the account and the account management system establishes a facial template for the user based on an image of the face of the user. The user requests to change user account information at a merchant POS (POS) device. The merchant POS device captures a facial image of the user and transmits the image the account management system, which generates a facial template and compares the generated facial template against the existing facial template associated with user account. If the generated facial template is less than a threshold difference from the existing facial template, the user may update user account information at the merchant POS device, which communicates the updated user account information to the account management system. The account management system associates the updated user account information with the user account.

Abstract: Systems for generating enhanced biometric data and using enhanced biometric data to process events are provided. A system may receive a request for enhanced biometric data from a first user and may extract details associated with the request. Based on the identity of the first user and the extracted details, a user profile may be selected from a plurality of user profiles associated with the first user. The user profile may include biometric data of the first user, predetermined limits on types of events to be processed, amounts, and the like. The system may generate enhanced biometric data based on the user profile and may transmit the enhanced biometric data to a computing device of a second user. The second user may then provide the enhanced biometric data when requesting to process an event.

Abstract: In general, one innovative aspect of the subject matter described in this specification may be embodied in methods that may include designating specific information within a digital identification as secure user information and designating other specific information as non-secure user information, and provisioning user-specific authentication techniques to restrict unauthorized access to the secure user information. For instance, the secure user information may be prevented from being displayed on the digital identification without the submission of an access credential such as a user-specified code or a user biometric identifier.

Abstract: A system facilitates secure communication between an authorized user device and two or more servers via two or more channels that are associated with the respective servers. For each communication channel, the system receives a device identifier for the authorized user device and links the device identifiers together via another identifier, thereby allowing the system to recognize that the different device identifiers identify the same authorized user device. The system can identify an unauthorized device masquerading as the authorized user device by determining that a communication from the unauthorized device does not include another identifier linking the two or more device identifiers and/or by determining that a device identifier computed during the registration process is different from a linked identifier.

Abstract: A wireless Internet-of-Things (IoT) device identification method and framework incorporates machine learning (ML) techniques with information from the protocol used (e.g., Bluetooth, Bluetooth Low Energy/Bluetooth Smart, and others). A passive, non-intrusive feature selection technique targets IoT device captures with an ML classifier selection algorithm for the identification of IoT devices (i.e., picking the best performing ML algorithm among multiple ML algorithms available). Using an input training label and training dataset (e.g., training wireless IoT packets) associated with the IoT device, a classifier and a filter are selected. An inter-arrival-time (IAT) associated with the filtered training data set and a density distribution for the IAT are then calculated.

Abstract: An authentication and registration system is provided which can reduce a burden at the time of authentication and registration while ensuring security when a single apparatus is used to perform authentication and registration of identification information on another apparatus. In an authentication and registration system (1), an authentication request signal is transmitted from a mobile terminal (3) to a registration server (2). The registration server (2) transmits an operation command signal to the mobile terminal (3) and when the signal is received, a display (3b) of the mobile terminal (3) displays operation sub-commands. When the sub-commands are executed through operations of switches (10) to (20), an on-board controller (4) transmits an operating state signal indicating the execution to the registration server (2). When the operating state signal indicates that the sub-commands are executed, the registration server (2) determines that authentication of the identification information succeeds.

Abstract: Embodiments are directed to a computing device having execution hardware including at least one processor core, and non-volatile memory that stores verification module and a private symmetric key unique to the computing device. The verification module, when executed on the execution hardware, causes the execution hardware to perform pre-execution local authenticity verification of externally-supplied code in response to a command to launch that code. The local authenticity verification includes computation of a cryptographic message authentication code (MAC) of the externally-supplied code based on the private symmetric key, and verification of the MAC against a stored local authenticity verification value previously written to the non-volatile memory. In response to a positive verification of the of the MAC, execution of the externally-supplied code is permitted.

Abstract: Methods, systems, and computer-readable media for using a multi-tenant web relay service to provide secure access to on-premises web services from a tenant-specific cloud service are described herein. In one or more embodiments, a multi-tenant web relay service may receive from a tenant-specific cloud service a connection request to an on-premises web service hosted within a tenant datacenter. The connection request may comprise data indicating a display-friendly name of the web service and the tenant datacenter. Responsive to receiving the request, the web relay service may forward the connection request to the on-premises web service via a rendezvous support service and a web relay agent. Responsive to receiving the connection request, the on-premises web service may generate a response which may be relayed back to the tenant-specific cloud service by the multi-tenant web relay service.

Abstract: A system and computer-implemented method for controlling wireless access to the operations of communicative electric motors. An electronic processing element receives an authentication request from a remote access device via a wireless transceiver, approves the authentication request, including determining an associated access level from among a hierarchy of access levels, and grants access to a motor controller to perform actions allowed by the associated access level. Approving the request may be based on receiving a valid password, which may be calculated on the remote access device by a computer program using an electronic key, or by receiving information from an authentication hardware component associated with the device. The various access levels may allow for shutting off, read-only monitoring (of, e.g., temperature, vibration), controlling (e.g., speed), and programming (e.g., tap settings) operation of the motor, and controlling the authentication process (e.g.

Abstract: A method includes receiving, at an access point, an access request from a first device after an expiration of a first passcode. The access request is encrypted based on the first passcode. The method includes making a determination by the access point before an expiration of a usage time of a first passcode usage list that an identifier of the first device is included in the first passcode usage list. The method also includes, in response to making the determination, generating, at the access point, data representing a second passcode by encrypting the second passcode using the first passcode; and sending the data representing the second passcode from the access point to the first device.

Abstract: A method includes defining a database accessible to a plurality of users having respective user IDs and organized to include information for a plurality of matters and, for each matter, the database include fields configured to store a name of a client, and fields describing the client, a files location associated with the matter, and a notes location associated with the matter, the database further including reports locations associated with respective users; in response to receiving an email having a subject line, body, and attachment: determining whether the email subject line contains a user ID and, in response to the subject line containing a user ID: determining if the email was sent from a preapproved sender and, if not rejecting the email; and detaching the attachment from the email and placing the attachment in the reports location for the user having a user ID matching the user ID in the subject line of the email. Other systems and methods are provided.

Abstract: Providing access to an external application includes receiving login credentials to access a client instance, wherein the login credentials are associated with a user account, causing the client instance to provide a link to an external application in the client instance, detecting a request to navigate to the external application from the link, generating a authentication record for the user account and the external application, storing information for the user account based on the authentication record, and generating a URL for the external application based on the authentication record. Providing access to the external application also includes receiving, from a remote client device hosting the external application, an authorization request comprising nonce information, determining that the user account is authorized to access the external application based on the authentication table, and providing access to the external application.

Abstract: A frictionless multi-factor authentication system and method (“FMFA system”) that facilitates verification of the identity of a website user, registrant or applicant. The FMFA system reduces or removes the burden on the user by eliminating the additional manual second step traditionally required by two-factor authentication methods, and replacing the second step with an automated authentication step based on the location of a mobile device that is associated with the user. The FMFA system may be utilized for authenticating users to access sensitive data on online accounts, applications and websites, download files, perform online transactions, store information through websites or data stores, or the like. The FMFA system allows registration information obtained from a previously-registered user to authenticate the user on subsequent visits or logins to the website.

Abstract: Access to a linked resource may be protected using a time-based transformation of links to the resource. A linked resource may be transmitted to a browser in a markup language page. Information indicative of a time-based transformation of a link may be transmitted to the browser in the markup language page, or separately from the markup language page. The time-based transformation may be applied to the transmitted link. The transformed link may be requested, and compared to a version of the link that has been transformed, using the time-based transformation with respect to the time the request is received.

Abstract: Techniques for computer security, and more specifically timestamp-abased authentication, are described. Some implementations provide an authentication method that utilizes an authentication process that is shared as a secret between a first and second computing system. The process provides as output a number that is based on a timestamp. The first computing system executes the authentication process using a timestamp obtained from its clock. The resulting number is transmitted to the second computing system, possibly along with other authentication data, such as a username and/or password. In response, the second computing system executes the authentication process using a timestamp obtained from its clock. If the numbers generated by the first and second computing systems match, the first computing system is authenticated.

Abstract: An apparatus and a method for providing a security service in a communication system are provided. The security device includes a receiver configured to receive validation information used for validating data received by a receiving apparatus from the receiving apparatus, at least one processor configured to determine whether the validation information matches set validation related information, and a transmitter configured to transmit information indicating the determined result to the receiving apparatus.

Abstract: Apparatus, systems, articles of manufacture, and methods for improving anti-malware scan responsiveness and effectiveness using user symptoms feedback. An example method includes detecting a performance issue on a computing device, presenting a user interface on a display of the computing device requesting user feedback regarding the performance issue, and synthesizing user input related to the performance issue to identify, on the computing device, a scan parameter associated with the performance issue. The example method further includes, in response to failing to identify the scan parameter on the computing device, transmitting the user input to a symptom analysis server to identify the scan parameter based on anti-malware scans from other computing devices, and, in response to determining the scan parameter, performing a targeted anti-malware scan on the computing device.

Abstract: In the present invention, unauthorized access from outside a facility to a device disposed inside the facility is detected by effectively using the output from a mirror port of a network switch. A gateway device has: a monitored data acquisition unit for saving in a monitored data storage unit, as monitored data, packet data that is outputted from a mirror port of a switch, the packet data being outputted from a device being monitored; an unauthorized access detection unit for detecting unauthorized access by determining whether the monitored data is abnormal on the basis of a comparison between the monitored data and assessment rules; and an unauthorized access notification unit for notifying a server of a monitoring center, which is connected to an external network via an external communication unit, that unauthorized access has been detected.

Abstract: Systems, methods, and apparatuses enable agent-less network traffic interception using an overlay network. The system creates an inspection namespace on a server computer and clones namespace properties of a default namespace on the server computer to the inspection namespace. The system creates an overlay network in the inspection namespace connecting the server computer to a security service. The system creates a namespace bridge between the default namespace and the inspection namespace to pass server traffic between the namespaces. The system then transmits server traffic to the security service using the overlay network and an encapsulation protocol.

Abstract: A communication network may scan data to identify and prevent the spread of malicious data, such as viruses, worms, trojans, malware, and the like, transmitted through the communication network. As scanning content for malicious data within an application program or an application node hosted on the communication network may limit the performance of the application program, a server in a load balanced datacenter environment may host a malicious data scan as a service. Accordingly, the malicious data scan service may scale effectively to accommodate an increasing number of application nodes in the network, and by retrieving updated definitions of malicious data at suitable times, the server may identify malicious data with increasing reliability.

Abstract: Methods, systems, and media for detecting malicious activity from user devices are provided. In some embodiments, a method for detecting malicious activity from user devices is provided, the method comprising: receiving information indicating a requested connection to a destination by a first user device; adding the received information to information received from a plurality of user devices to generate aggregated connection information; determining that the requested connection to the destination by the first user device is part of an attack, wherein determining that the requested connection to the destination by the first user device is part of the attack on the destination comprises determining that more than a predetermined percentage of user devices have requested connections to the destination; receiving information indicating a requested connection to the destination by a second user device; and causing the connection to the destination by the second user device to be blocked.

Abstract: Disclosed herein are systems and method for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is a malware based on received final verdict, enabling the process to resume executing when the process is determined as being clean based on the final verdict.

Abstract: Technologies for detecting bot signals include extracting at least a primary signal and a secondary signal from header data logged by an automated service during a time interval, where the header data is associated with web-based client-server requests received by an online system, generating distribution data representative of the secondary signal when the primary signal matches a first criterion, converting the distribution data to a quantitative score, after the time interval, causing a web-based client-server request to be blocked or redirected when the quantitative score matches a second criterion.

Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.

Abstract: An apparatus includes a memory and a hardware processor. The memory stores a threshold. The processor receives first, second, and third messages. The processor determines a number of occurrences of words in the messages. The processor also calculates probabilities that a word in the messages is a particular word and co-occurrence probabilities. The processor further calculates probability distributions of words in the messages. The processor also calculates probabilities based on the probability distributions. The processor compares these probabilities to a threshold to determine whether the first message is related to the second message and/or whether the first message is related to the third message.

Abstract: Described herein are various methods of securing a computer system. One or more methods include starting a security process after basic functionality on a computer is initiated at startup. The security process performs one or more reviews, such as audits, of the computer to verify that there have not been unauthorized changes to the computer, such as to any settings or executable files.

Abstract: This disclosure provides an apparatus and method for a consolidated enterprise view of cybersecurity data from multiple sites, including but not limited to in industrial control systems and other systems. A method includes receiving, by a replicator system, cybersecurity data from a site risk manager (RM) database. The method includes transferring the cybersecurity data, by the replicator system, through a secure firewall to an enterprise RM database. The enterprise RM database consolidates data received from a plurality of replicator systems.

Abstract: A first Event is identified from a normalized log persistency layer, where the first Event is associated with an attack on a computing system. A plurality of Events are fetched from the normalized log persistency layer, where each fetched Event correlates with its neighboring fetched Event by at least one correlation attribute, and each of the fetched Event and the first Event are presented on a graphical user interface as a chain of events. A workspace is generated, where the workspace comprises a series of attack paths, where each attack path corresponds to one Event in the chain of events. An ETD pattern is created based on the attack paths in the workspace.

Abstract: Systems and methods for detecting anomalous data traffic over proxy servers in a data communications network. The method includes receiving, by a server computing device, network log data corresponding to data traffic during a timeframe. The method further includes normalizing the network log data using at least one of timestamp data of the network log data or IP address data of the network log data. The method also includes extracting risk-based data features from the network log data. The method further includes calculating using an isolation forest algorithm, anomaly scores for the normalized network log data based on the extracted risk-based features. The method also includes determining at least one anomaly event based on the calculated anomaly scores. The method further includes identifying at least one host device and at least one timestamp corresponding to the at least one anomaly event.

Abstract: A system and method of security assessment of a network is described. The system may include one or more security assessment computers controlled by a security assessor, and connected to a network, and first executable program code for acting as an agent on a first end device on the network. The first executable program code is configured to be executed by a browser application of the first end device, and is configured to initiate a simulation by requesting information from at least a first security assessment computer of the one or more security assessment computers.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for vulnerability assessment and hash generation for exterior data deployment. In this way, the system utilizes a vulnerability assessment to generate a permit to send approval for dissemination of data, files, or the like outside of the entity via an electronic communication. The vulnerability assessment determines a permit to send status for the communication. The system may then generate a hash for the communication and embed the hash within the data of the communication. Upon sending, the entity will only permit communications with a known hash embedded therein from being transmitted outside of the internal entity network.

Abstract: This invention provides systems and methods for data processing by means of an ongoing background process on an end-user's computer. As a user receives and generates data, files are analyzed. A container file is opened into the volatile memory and its contents (including data and metadata) are extracted, without requiring an index to be created. The extracted components are analyzed based on predefined characteristics.

Abstract: A computerized method for reconfiguring one or more malware detection systems each performing cybersecurity analyses on incoming data is described. The method involves receiving meta-information including metrics associated with a malware detection system. Based on the meta-information, a determination is made whether the malware detection system is operating at an optimal performance level. If not, results produced by conducting behavior analyses predicting operability of the malware detection system are determined and the results are provided as feedback to the malware detection system to update one or more configuration parameter values thereof.

Abstract: A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of a cyber-physical system. A feature-based forecasting framework may receive the time-series of and generate a set of current feature vectors using feature discovery techniques. The feature behavior for each monitoring node may be characterized in the form of decision boundaries that separate normal and abnormal space based on operating data of the system. A set of ensemble state-space models may be constructed to represent feature evolution in the time-domain, wherein the forecasted outputs from the set of ensemble state-space models comprise anticipated time evolution of features. The framework may then obtain an overall features forecast through dynamic ensemble averaging and compare the overall features forecast to a threshold to generate an estimate associated with at least one feature vector crossing an associated decision boundary.

Abstract: A technique verifies a determination of an exploit or malware in an object at a malware detection system (MDS) appliance through correlation of behavior activity of the object running on endpoints of a network. The appliance may analyze the object to render a determination that the object is suspicious and may contain the exploit or malware. In response, the MDS appliance may poll the endpoints (or receive messages pushed from the endpoints) to determine as to whether any of the endpoints may have analyzed the suspect object and observed its behaviors. If the object was analyzed, the endpoints may provide the observed behavior information to the appliance, which may then correlate that information, e.g., against correlation rules, to verify its determination of the exploit or malware. In addition, the appliance may task the endpoints to analyze the object, e.g., during run time, to determine whether it contains the exploit and provide the results to the appliance for correlation.

Abstract: Example techniques described herein determine a validation dataset, determine a computational model using the validation dataset, or determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processing unit can determine signatures of individual training data streams. The processing unit can determine, based at least in part on the signatures and a predetermined difference criterion, a training set and a validation set of the training data streams. The processing unit can determine a computational model based at least in part on the training set. The processing unit can then operate the computational model based at least in part on a trial data stream to provide a trial model output. Some examples include determining the validation set based at least in part on the training set and the predetermined criterion for difference between data streams.

Abstract: An example operation may include one or more of identifying a page of a website for phishing testing, attempting each of a Hypertext Transfer Protocol (HTTP) GET request and a HTTP Secure (HTTPS) GET request via the identified page of the website, attempting each of a HTTP POST request and a HTTPS POST request via the identified page of the website, determining if the website is a phishing website based on server responses to the attempted HTTP and HTTPS GET requests and the attempted HTTP and HTTPS POST requests received from the website, and in response to determining the website is a phishing website, outputting an indication of the determination for display on a display device.

Abstract: Techniques are described for detecting and attributing automatic unauthorized redirects originating from executable code contained within an advertisement hosted within a web page or application displayed on an end user's mobile or desktop computing devices.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: The present disclosure describes systems and methods for using a model for a predetermined role for simulated phishing campaigns. A campaign controller communicates simulated phishing communications to one or more devices of a user using a model that the campaign controller selects from a plurality of models in a database that have been established for predetermined roles of a company. The model is selected based on one or more attributes of the user that are identified by the campaign controller. The campaign controller identifies one or more attributes of each user of a plurality of users for the simulated phishing campaign, and the campaign controller selects a respective model for each user based on the attributes of each user, wherein the models are not all the same for all of the users.

Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.

Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Abstract: A method for protecting an enterprise network includes, at a system that is remote from the enterprise network: controlling communications to and from the enterprise network according to a set of security policies; controlling endpoint to endpoint connections within the enterprise network according to the set of security policies; receiving a request for modifications to the set of policies; automatically generating a policy digest formatted according to a predefined format, the policy digest comprising the modifications, and storing the policy digest in the memory; retrieving the policy digest from the memory; generating one or more calls to one or more system components that control the communications to and from the enterprise network and the endpoint to endpoint connections based on the policy digest; and modifying control of the communications and the endpoint to endpoint connections based on the one or more calls.

Abstract: An example embodiment performed by a scoped software application executable on a computing device of a computational instance of a remote network management platform may involve: requesting and receiving, from an application database associated with a third-party software application, alert rules that trigger alerts when associated events occur in a managed network; receiving data representing selection of a set of the alert rules and, based on the data, requesting and receiving, from the application database, a set of past alerts that have been triggered by the set of the alert rules; using mapping data to map fields of the set of the past alerts to fields of a sample security incident record; displaying a preview region including the sample security incident record; using the mapping data to create security incident records that map to the set of the past alerts; and writing, to a security incident database, the security incident records.

Abstract: In one embodiment, a method includes receiving, by a security controller, a first security sequence generated by a network controller of a network and a second security sequence generated by a node of the network. The second security sequence is a security configuration of the node when the second security sequence was generated. The method also includes generating, by the security controller, a third security sequence and detecting, by the security controller, a discrepancy between the first security sequence, the second security sequence, and the third security sequence. In response to detecting the discrepancy, the method further includes determining, by the security controller, that the security configuration of the node has been modified.

Abstract: Enhanced electronic security systems and methods are provided. A whitelist, blacklist, or both of resource access sources that are allowed to use a particular resource access account are obtained. Upon detecting an access attempt to a particular resource on a computer network, a source of the access attempt and a resource access account used in the access attempt is identified. The whitelist, blacklist, or both are referenced to determine if the source of the access attempt is allowed to use the resource access account used in the access attempt. When the source of the access attempt is not allowed to use the resource access account used in the access attempt, one or more mitigation tasks may be performed.

Abstract: The invention relates generally to the field of network connectivity management, specifically to provisioning and controlling the data access of multiple client devices to application servers via a connectivity management device. The invention includes apparatuses, methods, and systems for automating the management of such apparatus and its associating client devices. The management includes initializing and storing device data, ownership proof, connectivity credentials, and security policies into a management system, such as blockchain digital ledger or device management application server. The stored information is used for auto pairing and authenticating the devices via a second wireless technology and triggering secure connection setup over the first wireless technology.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, a method comprises provisioning at least a given one of the first and second security edge protection proxy elements with configuration information that enables the given security edge protection proxy element to identify at least one security operation to be applied to at least one information element in a received message before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: Method and systems for controlling data remotely that includes connecting to a remote device within a fabric of smart devices. The remote device stores data locally. Controlling the data includes remotely controlling the data stored in the remote device from another device connected to the fabric by transmitting a message to the remote device. Moreover, the transmitted message includes a profile identifier that causes a data management entity of the remote device to perform an indicated data management action. Furthermore, the profile identifier identifies a data management profile, and the message includes a command tag that indicates the data management action to be performed.

Abstract: Aspects of the subject disclosure may include, for example, receiving from a web real-time communications gateway a first request for communication services from a network resource, where the network resource does not utilize a web real-time communications protocol and where the first request is compliant with a markup language that differs from the web real-time communications protocol, directing the network resource to provide the communication services identified in the first request, receiving a first message from the web real-time communications gateway, where the first message is compliant with the markup language, translating the first message to a first updated message conforming to a protocol used by the network resource, where protocol differs from the markup language used for communicating with the web real-time communications gateway, and transmitting the updated first message to the network resource facilitating the communication services identified in the first request.