Patents Issued on November 12, 2020
-
Publication number: 20200358777
Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.
Type: Application
Filed: May 20, 2020
Publication date: November 12, 2020
Inventor: Richard Threlkeld
-
Publication number: 20200358778
Abstract: Methods, apparatuses, and systems are described for provisioning access rights in a computing system. A data structure may be created that corresponds to the access rights of a computing system. The data structure may be traversed to identify candidate bundles of access rights that correspond to patterns of access rights in the computing system. The candidate bundles of access rights may be evaluated to select one or more bundles to define as one or more roles in the computing system. The defined roles may then be provisioned to the users of the computing system as a replacement for the individual access rights. Various constraints may be applied to reduce the number of candidate bundles of access rights to evaluate.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: Rajesh Gopinathapai, Jennifer Lynn Greenwald, David Patrick Harte
-
Publication number: 20200358779
Abstract: A method includes retrieving, by a workspace client on a computing device, a first set of resource associations from a workspace server. The first set of resource associations identify one or more data file-types executable by each application on a virtualization server. The method also includes generating, by the workspace client, from the first set of resource associations, a second set of resource associations. The second set of resource associations identify a subset of applications on the virtualization server operable to perform operations on each of the one or more data file-types. The method further includes obtaining, by a storage provider client on the computing device, the second set of resource associations. The storage provider client is configured to enable one or more applications on the virtualization server to execute at least one data file accessible from a storage provider.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: Georgy Momchilov, Mukund Ingale
-
Publication number: 20200358780
Abstract: A security profile manager receives a request to add a user to a cloud computing environment and generates a security profile for the user that includes an attribute associated with usage activity of a resource category available to the user. The security profile manager monitors the usage activity of the resource category by the user in view of the security profile, determines a security vulnerability value for the user in view of the usage activity, and executes a security audit operation on the security profile in view of the security vulnerability value.
Type: Application
Filed: May 8, 2019
Publication date: November 12, 2020
Inventor: Prasanth Anbalagan
-
Publication number: 20200358781
Abstract: A device may provide a verification indicator to a device associated with a website. The verification indicator may be associated with verifying access to the website. The device may detect that the verification indicator has been associated with code associated with the website based on processing the code. The device may provide a script to the device. The script may be included in the code. The script may be associated with monitoring operations of the website. The device may receive data related to the operations. The device may analyze the data using a model. The model may be associated with making a prediction related to at least one of: a value to be received via the website, or traffic associated with the website. The device may perform one or more actions related to the website based on a result of the analyzing.
Type: Application
Filed: February 28, 2020
Publication date: November 12, 2020
Inventors: Joshua EDWARDS, Abdelkadar M'Hamed BENKREIRA, Michael MOSSOBA
-
Publication number: 20200358782
Abstract: Methods are disclosed for setting up a microservice, enhancing a ledger of microservices with a further microservice and accessing medical datasets stored in a microservice. The microservice contains the medical dataset in an encrypted form. The microservice includes an access logic based on accessing entity information. The access logic defines access conditions to the medical dataset and is configured to grant access to the medical dataset upon the access conditions being fulfilled.
Type: Application
Filed: January 11, 2019
Publication date: November 12, 2020
Applicant: Siemens Healthcare GmbH
Inventors: Florian HAGER, Christoph PEDAIN, Benedikt KRUEGER
-
Publication number: 20200358783
Abstract: In some embodiments, a system and a computer-implemented method for role-based collaborative design based on manufacturing constraints are disclosed.
Type: Application
Filed: May 6, 2020
Publication date: November 12, 2020
Inventors: Robert I. BEAVER, III, Jeffrey J. BEAVER, Sean NARVASA, Leslie Young HARVILL, Petar S. IVANOV, Parker H. BOSSIER, Christopher COLLETTE
-
Publication number: 20200358784
Abstract: The present disclosure generally relates to Blockchain-based systems configured to process access rights to resources in a computationally efficient manner. Certain embodiments of the present disclosure generally relate to systems and methods that generate distributed applications to represent digital access rights to resources. Additionally, certain embodiments of the present disclosure generally relate to systems and methods that enhance the processing of assigning access rights using a Blockchain-based system using metadata.
Type: Application
Filed: May 8, 2020
Publication date: November 12, 2020
Inventor: Sanzib Khaund
-
Publication number: 20200358785
Abstract: Aspects refresh permission credentials by populating within user profile data sets cached for members an invalidated value and a first timestamp of said populating the invalidated value; selecting user profile data sets including the invalidated value; identifying a second timestamp of time of creation of the permission credential within the selected user profile data sets; and in response to determining that a time elapsed between the first and second timestamps does not exceed a threshold, rebuilding the selected user profile data sets to include an updated value of the permission credential and set the second timestamp value to a current time of the rebuild, and cache (store) the rebuilt selected user profile data set within the repository.
Type: Application
Filed: May 9, 2019
Publication date: November 12, 2020
Inventors: Gregory Fincannon, Stephen Dale Garvey, Christian Brunkow, Haritha Maddi
-
Publication number: 20200358786
Abstract: A method, system, and computer-usable medium are disclosed for receiving a response, by a security management system, from a site external to an internal network comprising the security management system to an endpoint device of the internal network, and injecting a header into the response by the security management system, the header including security rules, such that when the response is communicated to the endpoint device, the endpoint device responds to the security management system with information regarding subsequent requests made by the endpoint device in connection with the response.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Applicant: Forcepoint LLC
Inventors: John BERGBOM, Joonas PIHLAJA
-
Publication number: 20200358787
Abstract: In an approach for an access control system, a processor verifies an identity of a user in specified time intervals based on a first device associated with the user. A processor sends a validation token to a cloud-based system and updates a record associated with the user in the cloud-based system. A processor, in response to an attempt to access a secure area, transmits the validation token to a second device. A processor verifies the validation token by the second device with the cloud-based system.
Type: Application
Filed: May 8, 2019
Publication date: November 12, 2020
Inventors: Madeleine Eve Barker, Cesar Augusto Rodriguez Bravo, Jeremy R. Fox, Zachary A. Silverstein
-
Publication number: 20200358788
Abstract: Methods, systems, and devices for wireless communications are described. Aspects include a device generating data to be sent to a receiving device and determining to provide provenance for the data. The device may generate a data identifier based on an identifier generation key and encrypt the data using an encryption key generated from a key associated with an owner of the device. The device may sign the encrypted data transmission using a signing key where the signing key is based on the encrypted data and the data identifier. In some cases, the device may send the data to a receiving device via one or more proxy devices. In some cases, multiple devices may send signed data transmissions to a proxy device and the proxy device may process the multiple data transmissions and send the processed data to the receiving device. The receiving device may verify provenance of the data.
Type: Application
Filed: May 4, 2020
Publication date: November 12, 2020
Inventors: Soo Bum Lee, Jay Rodney Walton, John Wallace Nasielski, Gavin Bernard Hom
-
Publication number: 20200358789
Abstract: One or more DNS services are provided that are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC.
Type: Application
Filed: July 24, 2020
Publication date: November 12, 2020
Inventors: Burton S. Kaliski, JR., Eric Osterweil
-
Publication number: 20200358790
Abstract: In some implementations, a method includes receiving, by a malware detection system, a request for a certification user interface element for a file to be served in an Internet resource, wherein the file is a file that has previously been classified as not containing malware by the malware detection system, and wherein the certification user interface element certifies that the file has been classified by the malware detection system as not containing malware, determining, based on the request, that the file is available for download from an Internet resource, and storing data that identifies the Internet resource as a location where a malware-free file is available for download.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Inventor: Emiliano Martinez Contreras
-
Publication number: 20200358791
Abstract: Systems and methods for detecting transmission of covert payloads of data are provided. A datagram is received at a host within a network. A determination is made that processing the datagram creates an error condition. A determination is made that the datagram contains a payload intended for covert transmission where at least one suspicious condition is present. The suspicious conditions include an encrypted payload, a destination not matching any known address for hosts within the network, a time to live value matching the number of gateways traversed by the datagram within the network, and a particular type of error condition.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventor: John Rankin
-
Publication number: 20200358792
Abstract: An AI-based cyber threat analyst protects a system from cyber threats. A cyber threat analyst module uses i) one or more AI models, ii) a set of scripts, and iii) any combination of both, to form and investigate hypotheses on what are a possible set of cyber threats that include abnormal behavior and/or the suspicious activity. The analyzer module uses one or more data analysis processes including i) an agent analyzer data analysis process; ii) an Ngram data analysis process; iii) an exfiltration data analysis process; and iv) a network scan data analysis process; in order to obtain any of the abnormal behavior and the suspicious activity to start the investigation on the possible set of cyber threats hypotheses, as well as, to obtain the collection of system data points to either support or refute the possible cyber threat hypotheses.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: Timothy Owen Bazalgette, Dickon Murray Humphrey, Carl Joseph Salji
-
Publication number: 20200358793
Abstract: A method and system for matching event sequences for predictive detection of cyber-attacks are discussed. The method comprises receiving a reference event sequence and a query event sequence; converting the reference event sequence to a first step-value list and the query event sequence to a second step-value list; and matching the first and second step-value lists to identify at least one optimal common pattern.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Applicant: RADWARE, LTD.
Inventors: Yotam BEN EZRA, Mor KRISPIL
-
Publication number: 20200358794
Abstract: In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.
Type: Application
Filed: May 6, 2019
Publication date: November 12, 2020
Inventors: Jean-Philippe Vasseur, Pierre-Andre Savalle, Grégory Mermoud, David Tedaldi
-
Publication number: 20200358795
Abstract: The present disclosure provides systems and methods for detection of one or more security threats or malicious actions. According to the present disclosure, data can be received from one or more data producers and provided to a behavior processor. The behavior processor extracts, identifies, or detects one or more behaviors from the data based on one or more datum, features, or characteristics included therein, and provides the one or more identified behaviors to a tactic processor. The tactic processor extracts, identifies, or detects one or more tactics based on the one or more identified behaviors, and submits the one or more identified tactics to a tactic classifier to determine whether the one or more identified tactics are indicative of the one or more security threats or malicious actions. Other aspects are also described.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: William M. Urbanski, Timothy M. Vidas, Kyle Soeder, Jon Ramsey, Robert William Danford, Aaron Hackworth
-
Publication number: 20200358796
Abstract: A deep-learning based method evaluates similarities of entities in decentralized identity graphs. One or more processors represent a first identity profile as a first identity graph and a second identity profile as a second identity graph. The processor(s) compare the first identity graph to the second identity graph, which are decentralized identity graphs from different identity networks, in order to determine a similarity score between the first identity profile and the second identity profile. The processor(s) then implement a security action based on the similarity score.
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Inventors: ASHISH KUNDU, ARJUN NATARAJAN, KAPIL KUMAR SINGH, JOSHUA F. PAYNE
-
Publication number: 20200358797
Abstract: The invention relates to a work machine and a method for monitoring a control system at a work machine (1a). According to the method, in-parameters (32, 34, 36, 38) are obtained in the form of signals from the control system, wherein the control system generates actual values on one or more out-parameters (42, 44) in the form of signals based on said in-parameters. A characteristic of the invention is that a digital flow of data, comprising both said in-parameters and out-parameters via a control bus (5a, 5b), is addressed to a RAM buffer memory (3b,3c), which is included in a personal computer (3a) onboard the work machine, which buffer memory in FIFO mode writes a data file (id:1.1-id1:n) of a predetermined size, which is saved in a non-volatile data support memory (3d).
Type: Application
Filed: December 12, 2018
Publication date: November 12, 2020
Applicant: Komatsu Forest AB
Inventor: Fredrik TJERNBERG
-
Publication number: 20200358798
Abstract: The present disclosure relates generally to the field of data processing and electronic messaging systems, and, more particularly, to systems and methods for mediating a user's access to a resource to thereby prevent potential security breaches, including phishing and impersonation, malware, and security issues, particularly with respect to websites and electronic communications.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventors: Jackie Anne Maylor, Simon Paul Tyler, Steven Malone, Wayne Van Ry, Francisco Ribeiro, Nathaniel S. Borenstein, Paul Sowden
-
Publication number: 20200358799
Abstract: The cyber security appliance can have at least the following components. A phishing site detector that has a segmentation module to break up an image of a page of a site under analysis into multiple segments and then analyze each segment of the image to determine visually whether a key text-like feature exists in that segment. A signature creator creates a digital signature for each segment containing a particular key text-like feature. The digital signature for that segment is indicative of a visual appearance of the particular key text-like feature. Trained AI models compare digital signatures from a set of key text-like features detected in the image of that page under analysis to digital signatures of a set of key text-like features from known bad phishing sites in order to output a likelihood of maliciousness of the unknown site under analysis.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: John Anthony Boyer, Matthew Dunn
-
Publication number: 20200358800
Abstract: A system comprises an enterprise network system and engine. The engine has a discovery module coupled to a switch device, an AI and machine learning based monitoring and detection module coupled to the switch device, and a remediation module coupled to the switch device. The remediation module is configured to initiate a remediation process based upon the detection of at least one of the anomalies from the flow of data.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventors: Naveen S. BISHT, Kanna RAJAN
-
Publication number: 20200358801
Abstract: Embodiments of the present systems and methods may provide a platform for threat information sharing.
Type: Application
Filed: May 8, 2019
Publication date: November 12, 2020
Inventors: Yair Allouche, Oded Margalit, Ravid Sagy, Tom Weiss
-
Publication number: 20200358802
Abstract: Systems and methods for handling software vulnerabilities in service meshes can include receiving information on software vulnerabilities from external feeds. From a services catalog which maintains data associated with service instances supported by a service mesh, one or more vulnerable service instances supported by the service mesh are identified. Notifications are provided to sidecar proxies associated with vulnerable service instances. The notifications include criteria such as criticality levels and categories associated with the software vulnerabilities. Based on destination policies for the vulnerable service instances, instructions are provided to the sidecar proxies to trip circuit breakers associated with the vulnerable service instances and thus prevent further access and cascading impact of the software vulnerabilities.
Type: Application
Filed: May 8, 2019
Publication date: November 12, 2020
Inventors: Rajesh Indira Viswambharan, Prashanth Patil, Ram Mohan Ravindranath
-
Publication number: 20200358803
Abstract: In an aspect of the invention, the method includes one or more processors identifying events in the target environment that are associated with an indication of a security attack on the target environment. The method further includes composing rules based on the events and relating to an entity identifier that is fixed over a period of time in relation to an entity in the target environment. The method further includes weighting the rules according to a probability that the rule positively identifies a security attack. The method further includes correlating outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment. The method further includes aggregating weightings from the multiple activated rules. The method further includes determining a score for an entity relating to the entity identifier based on the aggregated weightings.
Type: Application
Filed: May 9, 2019
Publication date: November 12, 2020
Inventors: Thomas M. Roelofs, Codur S. Pranam
-
Publication number: 20200358804
Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Risks and vulnerabilities associated with user entities may be represented, in part or in whole, by the behavioral analyses and monitoring of those user entities.
Type: Application
Filed: March 2, 2020
Publication date: November 12, 2020
Inventors: Jason Crabtree, Andrew Sellers
-
Publication number: 20200358805
Abstract: Carrying out a penetration testing campaign in a networked system by a penetration testing system, for determining a way for an attacker to compromise the networked system, comprises determining that the attacker can obtain user credentials of a first user, determining that when using the user credentials the first user has access rights to a first network node of the networked system, determining that a second network node of the networked system is compromisable by the attacker during the penetration testing campaign, determining that the first network node was accessed from the second network node, and based on the foregoing, determining that the first network node is compromisable by the attacker during the penetration testing campaign, and determining the way for the attacker to compromise the networked system which includes a step of compromising the first network node using the user credentials of the first user.
Type: Application
Filed: April 2, 2020
Publication date: November 12, 2020
Inventors: Ronen SEGAL, Yaron SHANI, Igal GOFMAN
-
Publication number: 20200358806
Abstract: Embodiments of the disclosure provide a system and method for developing rich data for holistic metrics for gauging an enterprise cyber security posture to enable proactive and preventative measures in order to minimize the enterprise's exposure to a cyberattack. By taking an enterprise-wide holistic approach to cyber security, the enterprise will have information needed to identify areas of its network systems for remediation that will result in making the enterprise a less attractive target for cyber threat actors.
Type: Application
Filed: May 8, 2020
Publication date: November 12, 2020
Applicant: Cybeta, LLC
Inventors: Dane Connell, Michael Rossi, Mark Lopes
-
Publication number: 20200358807
Abstract: Embodiments of the disclosure provide a system and method for developing rich data for holistic metrics for gauging an enterprise cyber security posture to enable proactive and preventative measures in order to minimize the enterprise's exposure to a cyberattack. By taking an enterprise-wide holistic approach to cyber security, the enterprise will have information needed to identify areas of its network systems for remediation that will result in making the enterprise a less attractive target for cyber threat actors.
Type: Application
Filed: May 8, 2020
Publication date: November 12, 2020
Applicant: Cybeta, LLC
Inventors: Dane Connell, Michael Rossi, Mark Lopes
-
Publication number: 20200358808
Abstract: Determining an entity's cybersecurity risk and benchmarking that risk includes non-intrusively collecting one or more types of data associated with an entity. Embodiments further include calculating a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. Some embodiments also comprise assigning a weight to the calculated security score based on a correlation between the extracted security information and an overall security risk determined from analysis of one or more previously-breached entities in the same industry as the entity. Additional embodiments include calculating an overall cybersecurity risk score for the entity based, at least in part, on the calculated security score and the weight assigned to the calculated security score.
Type: Application
Filed: July 17, 2020
Publication date: November 12, 2020
Inventors: Aleksandr YAMPOLSKIY, Rob Blackin, Alexander Heid, Samuel Kassoumeh
-
Publication number: 20200358809
Abstract: Techniques for routing a request based on a vulnerability in a processing node are disclosed. A vulnerability analyzer determines a set of detected vulnerabilities in each of a set of processing nodes. Based on the detected vulnerabilities, the vulnerability analyzer determines a respective vulnerability score for each processing node. A routing engine receives a request to be processed by at least one of the set of processing nodes. The routing engine selects a particular node for processing the request based on the detected vulnerabilities in one or more of the set of processing nodes. The routing engine may select the particular node based on the vulnerability scores of the set of processing nodes. Additionally or alternatively, the routing engine may select the particular node based on whether the particular node includes any vulnerability that may be exploited by the request.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Applicant: Oracle International Corporation
Inventors: Ajai Joy, Sarat Aramandla
-
Publication number: 20200358810
Abstract: A cyber-defense appliance securely communicates and cooperates with a suite of different lightweight probes that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer, a physical layer, and then one or more of an application layer, a transport layer, a network layer, and any combination of these layers when a protocol is used in that layer in the independent system. The lightweight probe ingests data and meta data with an independent system it resides within. The appliance has AI models to model a normal pattern of life in each of the independent systems using the data and/or meta data from protocols listed above. An analyzer module cooperates with the AI models that model a normal pattern of life in each of the independent systems to determine when abnormal behavior or suspicious activity is detected.
Type: Application
Filed: July 29, 2020
Publication date: November 12, 2020
Inventor: Simon David Lincoln Fellows
-
Publication number: 20200358811
Abstract: Big data analysis methods and machine learning based models are used to provide offer recommendations to consumers that are probabilistically determined to be relevant to a given consumer. Machine learning based matching of user attributes and offer attributes is first performed to identify potentially relevant offers for a given consumer. A de-duplication process is then used to identify and eliminate any offers represented in the offer data that the consumer has already seen, has historically shown no interest in, has already accepted, that are directed to product or service types the user/consumer already owns, for which the user does not qualify, or that are otherwise deemed to be irrelevant to the consumer.
Type: Application
Filed: July 22, 2020
Publication date: November 12, 2020
Applicant: Intuit Inc.
Inventors: M. Shannon Lietz, Luis Felipe Cabrera, Thomas Bishop, Brett Weaver, Capen Brinkley
-
Publication number: 20200358812
Abstract: A method for determining a main chain of a blockchain, a device, and a storage medium. The method comprises: determining, on the basis of a detection result that it is detected that a blockchain has at least two fork chains, weights of blocks in the fork chains (110); determining, on the basis of the weights of the blocks comprised in the fork chains, the weights of the fork chains (120); and determining a main chain from the fork chains on the basis of the weights of the fork chains, and rolling back the fork chains except for the main chain (130).
Type: Application
Filed: January 18, 2019
Publication date: November 12, 2020
Inventor: Wei XIAO
-
Publication number: 20200358813
Abstract: Provided is a network control device 2000 for controlling a network where a plurality of terminals and countermeasure devices are connected, the network control device 2000 including: a clustering unit 2001 that divides terminals including an incident-detected terminal and the related terminal group into a plurality of zones, on the basis of terminal information including information with which an incident-detected terminal is able to be identified, information with which a related terminal group suspected of being related to an incident is able to be identified among the plurality of terminals, and an inter-terminal communication history; and a communication control setting unit 2002 that sets communication control relating to the terminals and the countermeasure devices for each of the plurality of zones.
Type: Application
Filed: January 22, 2018
Publication date: November 12, 2020
Applicant: NEC CORPORATION
Inventors: Daichi HASUMI, Satoshi IKEDA
-
Publication number: 20200358814
Abstract: Among other things, this document describes systems, methods and apparatus for identifying and mitigating network attacks, particularly botnet attacks and other volumetric attacks. In some embodiments, a distributed computing platform provides client-facing service endpoints and a request routing mechanism (request router or RR) directing clients to a particular service endpoint or cluster thereof to obtain a service. The state of the RR at a given time is communicated to enforcement points in the system, which may be cluster equipment, service endpoints, or other components. When client traffic arrives at a particular enforcement point it is checked for consistency with the RR's directions, referred to as ‘mapping consistency’. This information is incorporated into decisions about how to handle the packets from the client.
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Applicant: Akamai Technologies Inc.
Inventors: Richard E. Willey, Ruben E. Brown, Daniel E. Cooper
-
Publication number: 20200358815
Abstract: A graph stream mining processing system and method may be used to analyze the data from a plurality of data streams. In one embodiment, the graph stream mining processing system and method may be used to detect one or more candidate botnet malicious nodes.
Type: Application
Filed: March 28, 2019
Publication date: November 12, 2020
Inventors: Daniel Dalek, Mattias Harrysson, Himanshu Sinha, Kenji Takahashi
-
Publication number: 20200358816
Abstract: A method for extracting, correlating, consolidating and presenting metadata from transmissions is provided. The method may include receiving a TCP/IP transmission. The transmission may include a header and a body. The method may include extracting an originating IP address from a location of the transmission. The location may be in the header or in the body. The IP address may be extracted in binary form. The method may include determining an accuracy and validity metric of the transmission using an artificial intelligence module. The method may include converting the extracted IP address from binary form into hexadecimal form. The method may include embedding the hexadecimal form of the IP address into one or more unused options of the header. The method may include processing the transmission. The processing may be completed upon determination that the transmission is a valid transmission.
Type: Application
Filed: May 6, 2019
Publication date: November 12, 2020
Inventors: Manu Kurian, Jayachandra Varma, Gopikrishna Nemalikanti, Jason T. Findley, Sorin Cismas
-
Publication number: 20200358817
Abstract: Implementations provide automated intrusion alert-based blacklisting with minimal false positives that ignores regular business operations, scalable to accommodate the volume of IDS alerts received by high-traffic internet-accessible networked systems. Implementations identify and block hostile infrastructure IP addresses during the reconnaissance phase based on IDS alert(s). Each IDS alert is automatically reviewed in historical context and triggers IP blocking as necessary. Some implementations maintain TCP/IP handshake records, preventing blocking an IP used to conduct regular business operations on the network that a malicious party has spoofed to avoid identification. Based on the historical context of each IP address within the local network environment, specifically regular business operations traffic versus malicious traffic, the IP address is blocked only if the majority of connections therefrom are malicious.
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Inventor: Rajpreet Singh Ahluwalia
-
Publication number: 20200358818
Abstract: There are disclosed devices, systems and methods for detecting malicious scripts received from malicious client side vectors. First, a script received from a client side injection vector and being displayed to a user in a published webpage is detected. The script may have malicious code configured to cause a browser unwanted action without user action. The script is wrapped in a JavaScript (JS) closure and/or stripped of hyper-text markup language (HTML). The script is then executed in a browser sandbox that is capable of activating the unwanted action, displaying execution of the script, and stopping execution of the unwanted action if a security error resulting from the unwanted action is detected. When a security error results from this execution in the sandbox, executing the malicious code is discontinued, displaying the malicious code is discontinued, and execution of the unwanted action is stopped.
Type: Application
Filed: March 23, 2020
Publication date: November 12, 2020
Inventors: Alexey Stoletny, Seth Demsey, Iván Soroka
-
Publication number: 20200358819
Abstract: The present disclosure provides systems and methods for classifying or determining whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.
Type: Application
Filed: May 6, 2019
Publication date: November 12, 2020
Inventors: William Parke Bowditch, Raul Garcia Calvo
-
Publication number: 20200358820
Abstract: Systems, methods, and media are used to identify phishing attacks. A notification of a phishing attempt with a parameter associated with a recipient of the phishing attempt is received at a security management node. In response, an indication of the phishing attempt is presented in a phishing attempt search interface. The reported phishing attempts may be aggregated based upon specified criteria to avoid redundant incidents that may hinder remediation efforts.
Type: Application
Filed: December 12, 2019
Publication date: November 12, 2020
Inventors: Deepakeswaran Sundaragopal Kolingivadi, Santosh Reddy Poreddy, Sachin Shivarama Nayak, Farid Firoz Merchant, Apoorv Mehta
-
Publication number: 20200358821
Abstract: A method of monitoring traffic, the method being carried out by a router acting as a gateway between a first and second network, the method comprising: after establishment of a TCP connection between a first device on the first network and a second device on the second network: receiving a plurality of data packets sent from the first device over the TCP connection; sending a TCP ACK packet to the first device in response to each data packet of the plurality of data packets; storing said data packets without sending them to the second device; examining at least part of the plurality of the stored data packets in order to determine whether to block or allow the TCP connection; in the event that it is determined to allow the TCP connection: sending each of the stored data packets to the second device; in the event that it is determined to block the TCP connection: sending a TCP RST message to each of the first and second devices in order to close the TCP connection.
Type: Application
Filed: May 6, 2020
Publication date: November 12, 2020
Inventors: Yury YAKOVLEV, Tero KILKANEN, Markus PALONEN
-
Publication number: 20200358822
Abstract: An authentication system handles authentication requests to apply introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy.
Type: Application
Filed: May 7, 2019
Publication date: November 12, 2020
Inventors: Jeremy Lee Erickson, Nicholas Hamilton Steele, Nicholas James Mooney
-
Publication number: 20200358823
Abstract: An application-centric authorization model utilizes locally-evaluated rules derived from non-local policies and provided to the application via an authorization object, preferably in the subject's session context. Preferably, the approach does not involve a runtime determination regarding the policy or policies; rather, one or more existing policies are merely used to derive authorization rules associated with a subject, and which are then evaluated and enforced at runtime in a computationally-efficient manner within the local runtime context of the application or service.
Type: Application
Filed: May 10, 2019
Publication date: November 12, 2020
Applicant: International Business Machines Corporation
Inventors: Richard James McCarty, Pradeep Kadiyala
-
Publication number: 20200358824
Abstract: A method for operating a communications system, in particular a communications system based on software-defined networking, which has at least one network infrastructure component, in particular an SDN switch, and at least one communications device, the network infrastructure component being developed for forwarding data to and/or from the at least one communications device. The method includes the following steps: allocating the communications device to at least one security zone; specifying at least one forwarding rule for forwarding data by the network infrastructure component to and/or from the communications device, the specification of the forwarding rule taking place under consideration of the security zone.
Type: Application
Filed: March 30, 2020
Publication date: November 12, 2020
Inventors: Hans Loehr, Marco Andreas Wagner, Michael Ernst Doering, Rene Guillaume
-
Publication number: 20200358825
Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A method may include identifying a first state of a first endpoint connection of a first networked machine and a second state of a second endpoint connection of a second network machine, and confirming the first state and the second state based on expected states for the first networked machine and the second network machine, wherein the expected states comprise a list of expected connections.
Type: Application
Filed: July 24, 2020
Publication date: November 12, 2020
Inventors: James Calvin Armstrong, Jonathan Claybaugh
-
Publication number: 20200358826
Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to assess compliance of a virtual computing environment. An example method disclosed herein to assess compliance of computing resources of a computing environment includes monitoring for an occurrence of a change in a computing resource in the computing environment, and in response to detecting the occurrence and without waiting for batch testing, assessing compliance of the computing resource with a compliance policy.
Type: Application
Filed: July 27, 2020
Publication date: November 12, 2020
Inventors: Robert Helander, Rebecca Smith, Eric D. Nelson, James Sullivan, Gregory A. Frascadore