Patents Issued in October 12, 2023
-
Publication number: 20230328074
Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.
Type: Application
Filed: June 14, 2023
Publication date: October 12, 2023
Inventor: Subhash Sankuratripati
-
Publication number: 20230328075
Abstract: Machine learning methods and systems for developing security governance recommendations are disclosed.
Type: Application
Filed: April 8, 2022
Publication date: October 12, 2023
Inventors: Rares Almasan, Anthony Esposito, Sriram Venkatesan, Sastry Vsm Durvasula
-
Publication number: 20230328076
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
Type: Application
Filed: March 2, 2023
Publication date: October 12, 2023
Inventors: David F. Diehl, Michael Edward Lusignan, Thomas Johann Essebier
-
Publication number: 20230328077
Abstract: A method, system and non-transitory computer-readable medium for classifying a received data package using a framework. The framework comprises at least one classifier; a processing component for processing the received data package using the at least one classifier, and a database for storing at least a data model and a data set of mappings. The at least one classifier is configured to obtain data of the received data package and apply the data set of mappings to the obtained data to generate normalised data. The data model is then applied to the normalised data to generate at least one permutation of the normalised data, and the data package is classified based on the at least one permutation of the normalised data.
Type: Application
Filed: March 28, 2023
Publication date: October 12, 2023
Inventors: Jack CHAPMAN, Thomas HAZELL
-
Publication number: 20230328078
Abstract: A monitoring system includes a processor configured to perform operations including: place the monitoring system into a training mode to generate a model of an industrial process; receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order of transmissions of operational commands associated with the industrial process are expected to occur.
Type: Application
Filed: June 5, 2023
Publication date: October 12, 2023
Inventor: Paul Williams
-
Publication number: 20230328079
Abstract: Systems, methods, devices, instructions, and media are described for generating suggestions for connections between accounts in a social media system. One embodiment involves storing connection graph information for a plurality of user accounts, and identifying, by one or more processors of the device, a first set of connection suggestions based on a first set of suggestion metrics. A second set of connection suggestions is then identified based on a second set of suggestion metrics, wherein the second set of connection suggestions and the second set of suggestion metrics are configured to obscure the first set of connection suggestions, and a set of suggested connections is generated based on the first set of connection suggestions and the second set of connection suggestions. The set of connection suggestions is then communicated to a client device method associated with the first account.
Type: Application
Filed: June 12, 2023
Publication date: October 12, 2023
Inventors: Jonathan Brody, Donald Giovannini, Edward Koai, Jie Wu, Lin Zhong
-
Publication number: 20230328080
Abstract: Systems and methods for detecting suspicious malware by analyzing data such as transfer protocol data or logs from a host within an enterprise is provided. The systems and methods include a database for storing current data and historical data obtained from the network and a detection module and an optional display. The embodiments herein extract information from non-encrypted transfer protocol metadata, determine a plurality of features, utilize an outlier detection model that is based on historical behaviors, calculate a suspiciousness score, and create alerts for analysis by users when the score exceeds a threshold. In doing so, the systems and methods of the present invention improve the ability to identify suspicious outliers or potential malware on an iterative basis over time.
Type: Application
Filed: June 14, 2023
Publication date: October 12, 2023
Inventors: Jordan S. Webster, Christopher S. Stinson
-
Publication number: 20230328081
Abstract: The present disclosure presents distributed attack detection systems and related methods. One such method comprises executing, by a client computing device, a convolutional neural network model that is configured to detect a network attack on the client computing device; receiving an HTTP request; extracting a uniform resource locator contained within the HTTP request; inputting the uniform resource locator in the convolutional neural network model; receiving an output from the convolutional neural network model that classifies the uniform resource locator as being directed to a network attack on the client computing device; and transmitting, by the client computing device, embeddings of a hidden layer of the convolutional neural network model to one or more computer servers that are hosting a recurrent neural network model for detecting a distributed network attack across a plurality of client computing devices.
Type: Application
Filed: April 7, 2023
Publication date: October 12, 2023
Inventors: Peyman Najafirad, Gonzalo De La Torre Parra
-
Publication number: 20230328082
Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
Type: Application
Filed: June 13, 2023
Publication date: October 12, 2023
Inventors: David F. Diehl, Thomas Johann Essebier
-
Publication number: 20230328083
Abstract: A method may include obtaining first network information from a network scan of a computer network that describes network vulnerabilities of a computer network and second network information that describes network traffic of the computer network. The method may include identifying an interaction with the computer network based on the network traffic included in the second network information. The method may include correlating the first network information and the identified interaction to determine a network security issue for the computer network. Correlating the first network information and the identified interaction may include determining a correspondence between the interaction with the computer network and the network vulnerabilities described by the first network information. A network alert may be generated based on the potential network security issue.
Type: Application
Filed: April 8, 2022
Publication date: October 12, 2023
Inventor: Trent Gundersen
-
Publication number: 20230328084
Abstract: Embodiments of the present disclosure provide a system for generating risk scores in near real-time. The system includes a processor and a memory coupled with and readable by the processor and storing therein a set of instructions. When executed by the processor, the processor is caused to generate risk scores in near real-time by receiving near real-time application events associated with an application in near real-time and identifying anomalies from the near real-time application events. The processor is further caused to generate risk scores in near real-time by generating an intermediate near real-time risk score for the identified anomalies and combining the intermediate near real-time risk score with a batch risk score generated from a batch process executed prior to receiving the near real-time application events to generate a near real-time risk score.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Applicant: MICRO FOCUS LLC
Inventors: Asad Narayanan, Josh Christopher Tyler Mahonin, Venkatesh HariRama Subbu, Maria Pospelova, Hari Manassery Koduvely
-
Publication number: 20230328085
Abstract: Disclosed herein are system, method, and computer program product embodiments for mitigating malicious network traffic. A computing device (e.g., a network management device, a control device, etc.) may receive indications of data/information communicated by one or more devices within a network and cause the one or more devices to implement measures to block malicious traffic resulting from multi-vector cyberattacks.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Applicant: Froniter Communication Holdings, LLC
Inventor: Eddie Rueffer
-
Publication number: 20230328086
Abstract: Detecting anomalous behavior using a browser extension, including: gathering first information describing activity associated with a user and generated by a browser extension on a user device; gathering second information describing activity associated with the user and generated by an application executed on the user device; and determining, based on the first information and the second information, whether the user has deviated from normal activity.
Type: Application
Filed: July 6, 2022
Publication date: October 12, 2023
Inventors: VIKRAM KAPOOR, Harish Kumar Bharat Singh, Weifei Zeng, Vimalkumar Jeyakumar, Theron Tock, Ying Xie, Yijou Chen
-
Publication number: 20230328087
Abstract: Provided is a method for training credit thresholds, including: acquiring a plurality of service features from history data of a service operation triggered based on a plurality of IP addresses; hierarchically calculating at least two correlation coefficients for each of the service features; generating, for each of the IP addresses based on the correlation coefficients corresponding to the service features, a credit value indicating the validity of each of the IP addresses; generating an evaluation indicator for the plurality of IP addresses; and determining a credit value corresponding to the evaluation indicator as a credit threshold in response to the evaluation indicator meeting a target condition.
Type: Application
Filed: August 6, 2021
Publication date: October 12, 2023
Inventors: Xiang WANG, Qinghua ZHONG
-
Publication number: 20230328088
Abstract: A computer-implemented method for identifying a use anomaly potentially exposing sensitive data is disclosed. The method comprises receiving data comprising logs of a communication involving a computing device, where the logs comprise distinct logs of at least three communication abstraction levels. At least three anomaly classifiers are operated for logs from each of the at least three communication abstraction levels. An ensemble model is used to identify an anomaly in the communication, by processing output from each of the at least three anomaly classifiers. The various logs from a moment in time when the anomaly occurred are collated, and a graphical user interface is generated for reviewing the identified anomaly and collated logs. A human reviewer is then alerted that an anomaly has been identified.
Type: Application
Filed: February 21, 2023
Publication date: October 12, 2023
Applicant: MORGAN STANLEY SERVICES GROUP INC.
Inventors: Mehak Mehta, Shailesh Gavankar, Suryakant Brahmbhatt
-
Publication number: 20230328089
Abstract: Briefly, systems and methods for securely updating an IoT system are presented, the methods including: providing the IoT system, the IoT system including: IoT devices operable by a user; an IoT hub for electronically coupling the IoT devices to the user; a dashboard graphical user interfaces (GUIs) for enabling communication between the IoT vendors and the IoT user devices, where the dashboard GUIs includes a user dashboard for retrieving IoT user device information and for enabling secure data sharing with the IoT vendors; receiving a regulatory update requirement by the IoT vendor; determining a current status for each of the IoT user devices by the IoT vendor.
Type: Application
Filed: June 6, 2023
Publication date: October 12, 2023
Inventor: Jack Wolosewicz
-
Publication number: 20230328090
Abstract: Systems and methods are provided for data security. A server system provides data security using one or more processor devices, one or more communication interfaces, and one or more memory devices including computer-executable instructions.
Type: Application
Filed: June 14, 2023
Publication date: October 12, 2023
Inventor: Stuart OGAWA
-
Publication number: 20230328091
Abstract: The disclosure provides an approach for discovering vulnerable application server endpoints. Embodiments include retrieving, from an application server, an object representing a front controller of the application server. Embodiments include extracting, from the object, values for a plurality of variables. Embodiments include constructing, based on the values for the plurality of variables, one or more universal resource locators (URLs) corresponding to one or more methods of the front controller. Embodiments include sending one or more unauthenticated requests to one or more resources indicated by the one or more URLs. Embodiments include determining, based on a given response to a given unauthenticated request of the one or more unauthenticated requests, whether a given URL of the one or more URLs is vulnerable. Embodiments include performing one or more actions based on the determining of whether the given URL is vulnerable.
Type: Application
Filed: April 7, 2022
Publication date: October 12, 2023
Inventor: Dimitar PROYNOV
-
Publication number: 20230328092
Abstract: In some embodiments, a system includes a processor; and a non-transitory computer readable medium coupled to the processor, the non-transitory computer readable medium including code that: requests, using a device-specific attestation request, a device-specific attestation of a device; receives, via a secure communication channel, device-specific attestation data from the device as a result of the device-specific attestation; and generates an enhanced attestation object based on the device-specific attestation data. In some embodiments, the enhanced attestation object is used to verify that an execution environment of an application on the device is secure. In some embodiments, a device-specific risk score is generated based upon the device-specific attestation data and an enhanced attestation risk score is generated based on the enhanced attestation data analysis, the enhanced attestation risk score being used to verify that the execution environment of the application on the device is secure.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Applicant: Visa International Service Association
Inventor: John Markh
-
Publication number: 20230328093
Abstract: A technique for determining a safety-critical state in a cyber-physical system, CPS, is disclosed. A method implementation of the technique is performed by a safety component of the CPS and comprises obtaining (S302) combined sensor data from a plurality of sensors available in the CPS, the combined sensor data being indicative of a current state of the CPS, obtaining (S304) at least one intent-based safety policy, wherein an intent-based safety policy corresponds to a safety policy indicative of a predefined safety-related intent concerning an operational state of the CPS, and checking (S306) the combined sensor data against the at least one intent-based safety policy to determine whether or not the CPS is in a safety-critical state.
Type: Application
Filed: January 27, 2021
Publication date: October 12, 2023
Inventors: Emrah Tomur, Zeki Bilgin, Mehmet Akif Ersoy, Elif Ustundag Soykan, Leyli Karacay, Ferhat Karakoc
-
Publication number: 20230328094
Abstract: According to various embodiments, a system for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices is disclosed. The system includes one or more processors configured to construct an attack directed acyclic graph (DAG) unique to each CPS or IoT device of the devices. The processors are further configured to generate an aggregate attack DAG from a classification of each device and a location of each device in network topology specified by a system administrator. The processors are also configured to calculate a vulnerability score and exploit risk score for each node in the aggregate attack DAG. The processors are further configured to optimize placement of defenses to reduce an adversary score of the aggregate attack DAG.
Type: Application
Filed: September 20, 2021
Publication date: October 12, 2023
Applicant: The Trustees of Princeton University
Inventors: Jacob BROWN, Tanujay SAHA, Niraj K. JHA
-
Publication number: 20230328095
Abstract: A computing system identifies an evidence set associated with a detected cybersecurity attack. The evidence set includes logs representing security alerts associated with the detected cybersecurity attack. The computing system analyzes the evidence set to predict actions taken by a malicious actor, the actions comprising historical actions and future actions. The computing system analyzes the predicted actions to classify the historical actions and future actions taken by the malicious actor. The computing system generates a query for analyzing the evidence set based on the classified historical actions and future actions.
Type: Application
Filed: March 31, 2023
Publication date: October 12, 2023
Applicant: Cybereason Inc.
Inventors: Avi Chesla, Elan Pavlov
-
Publication number: 20230328096
Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.
Type: Application
Filed: April 3, 2023
Publication date: October 12, 2023
Inventors: Gal Engelberg, Eitan Hadar, Dan Klein, Adrian Kuboszek
-
Publication number: 20230328097
Abstract: Methods, devices, and systems disclosed herein measure endpoint user security event susceptibility (e.g., a malware infection) and provide information for endpoint posture evaluation. A relatively small software application may be installed using, for example, a systems management push system where the software runs on each endpoint system and reports back to a central repository or base system. The software runs on machines that it is pushed to and generates a score for that endpoint. That score is a quantification of endpoint user security risk, i.e., the likelihood that a particular endpoint is likely to be the source of a security event at some point in the future. This information may be used to generate a Relative Score for each endpoint so that the endpoints can be ranked from most secure to least secure and an Absolute Score so that a given distributed system can be compared to other distributed systems.
Type: Application
Filed: June 16, 2023
Publication date: October 12, 2023
Applicant: Six Engines, LLC
Inventors: Mark Eric Obrecht, Robert Meyers, Taylor Crumpton
-
Publication number: 20230328098
Abstract: Systems and methods for identifying patterns in blockchain activities based on multi-modal data using artificial intelligence models that compensate for training data featuring a high proportion of missing data points. For example, the system may receive blockchain activity record data for a plurality of blockchain activities involving a plurality of blockchain accounts. The system may input the data into an artificial intelligence model, wherein the artificial intelligence model is trained to identify serial relationships of related blockchain activities corresponding to inputted target blockchain activities based on proportions of digital assets at subsets of blockchain accounts of the plurality of blockchain accounts. The system may receive an output from the artificial intelligence model. The system may generate for display, in a user interface, a visualization of the target blockchain activity based on the output.
Type: Application
Filed: April 7, 2023
Publication date: October 12, 2023
Inventors: Jacob ILLUM, Michael GRONAGER, Patrick CURRAN, Jens TUXEN, Shilpa DESHPANDE
-
Publication number: 20230328099
Abstract: A method for opening unknown files in a malware detection system, is provided. The method generally includes receiving a request to open a file classified as an unknown file, opening the file in a container, collecting at least one of a log of events carried out by the file or observed behavior traces of the file while open in the container, transmitting, to a file analyzer, at least one of the file, the log of events, or the behavior traces for static analysis, determining, a final verdict for the file, based on at least one of the file, the log of events, or the behavior traces, wherein the final verdict for the file is based on the static analysis or dynamic analysis of the file, and taking one or more actions based on a policy configured for the first endpoint and the final verdict.
Type: Application
Filed: April 8, 2022
Publication date: October 12, 2023
Inventors: Rayanagouda Bheemanagouda PATIL, Kedar Bhalchandra CHAUDHARI, Shivali SHARMA, Laxmikant Vithal GUNDA, Sriram GOPALAKRISHNAN
-
Publication number: 20230328100
Abstract: The present disclosure provides a method and apparatus for suppressing the spread of viruses in a local area network (LAN). The method includes, in response to that an ARP packet is received, determining whether a number of interacting terminals corresponding to a target terminal that sent the ARP packet reaches a first preset threshold; in response to that the number of interacting terminals reaches the first preset threshold, further determining whether a number of abnormal terminal relationships corresponding to the target terminal reaches a second preset threshold; and in response to that the number of abnormal terminal relationships reaches the second preset threshold, providing protection to the target terminal to so to suppress virus propagation in the LAN.
Type: Application
Filed: May 30, 2023
Publication date: October 12, 2023
Inventor: Futao WANG
-
Publication number: 20230328101
Abstract: Systems and methods for detecting anomalous and malicious URL's by analyzing markup language structure, such as HTML, are provided. The systems and methods include the querying of a URL to obtain the markup language data. The markup language data their corresponding elements and their locations rows/depths are parsed into coordinates within a 2-dimensional grid and then processed into features. A color is assigned to each feature as a function of the type of feature. The three dimensions (x, y coordinates and color coordinate) of the features are used to generate an image. The generated images are then compressed to facilitate processing. The compressed images of common websites are analyzed using deep machine learning algorithms to generate a model that represents their structure. These generated models are then used to detect suspicious and/or anomalous websites.
Type: Application
Filed: June 14, 2023
Publication date: October 12, 2023
Inventors: Ania Kacewicz, Christopher S. Stinson
-
Publication number: 20230328102
Abstract: A computing device receives an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device and extracts, from the database, a set of all known hostnames matching the IP address. The device generates a reduced list of the set of all hostnames matching the IP address, and assigns a confidence score to each hostname of the reduced list based on an alias count and/or a popularity ranking of the hostname. Finally, a prioritized list of one or more hostnames is generated based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Inventors: Filip Savin, Leonardas Marozas, Kimmo Kasslin
-
Publication number: 20230328103
Abstract: Described embodiments provide systems and methods for updating a SSL certificate. A method can include sending, by a service executable on at least one server, a request to a vault to identify one or more SSL certificates identifiable by a common name, in response to a first request to access an application service. The service may identify a first SSL certificate having a furthest expiration date among the one or more SSL certificates. The service may store the first SSL certificate in a cache, the first SSL to be used to secure a connection to access the application service.
Type: Application
Filed: April 7, 2022
Publication date: October 12, 2023
Inventor: Sathishkumar Kaliavaradhan
-
Publication number: 20230328104
Abstract: In an approach to improve data governance and security for digital assets, embodiments apply, based on blockchain based smart contracts, privacy and security policies for a participating heterogeneous digital twin enclosed within predetermined boundaries of a geofence boundary, and apply, based on a hierarchical designation of geofences, hierarchical privacy and security policies to geofences associated with the participating digital twin. Further, embodiments dynamically generate computational and deployment policies based on the applied hierarchical privacy and security policies of the geofenced digital twin, and create dynamic test automation workflows for enhanced security and privacy testing that enumerate security, privacy vulnerabilities or high-risk geospatial areas.
Type: Application
Filed: March 24, 2022
Publication date: October 12, 2023
Inventor: Partho Ghosh
-
Publication number: 20230328105
Abstract: Systems, devices, and methods are discussed for treating a number of network security devices in a cooperative security fabric as a unified object for configuration purposes.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Applicant: Fortinel, Inc.
Inventors: Michael Xie, Robert A. May, Lino Xu, Jordan E. Thompson
-
Publication number: 20230328106
Abstract: Systems, devices, and methods are discussed for context protected access to an air-gapped network resource via a bridge server.
Type: Application
Filed: April 12, 2022
Publication date: October 12, 2023
Applicant: Fortinet, Inc.
Inventor: Isaac Michael Johnson
-
Publication number: 20230328107
Abstract: Systems, devices, and methods are discussed for context protected access to an unadvertised cloud-based resource.
Type: Application
Filed: June 2, 2022
Publication date: October 12, 2023
Applicant: Fortinet, Inc
Inventor: Isaac Michael Johnson
-
Publication number: 20230328108
Abstract: A method includes identifying a first group of objects generated by security tools during a first time interval and containing cotemporal, analogous characteristics identifying a first endpoint device connected to a computer network; based on the first group of objects, confirming detection of the first endpoint device by a first security tool and a second security tool during the first time interval; identifying a second group of objects generated by security tools during a second time interval and containing cotemporal, analogous characteristics identifying the first endpoint device; based on the second group of objects, confirming detection of the first endpoint device by the second security tool during the second time interval; and responsive to absence of detection of the first endpoint device by the first security tool during the second time interval, generating a source remove event specifying removal of the first security tool from the first endpoint device.
Type: Application
Filed: April 12, 2023
Publication date: October 12, 2023
Inventors: Jeffrey J. Guy, Dean Mekkawy, Jeremiah Clark, Nevins Bartolomeo, Luis Diego Cabezas
-
Publication number: 20230328109
Abstract: To verify compliance with a data access policy, the system compares electronic data to an electronic data access policy identified by a database; determines whether a portion of the electronic data complies with the electronic data access policy; in response to the portion of the electronic data not complying with the electronic data access policy, indicates that an access to the electronic data by a communication device is not permissible; and declines the access to the portion of the electronic data to the communication device when the access to the electronic data is not permissible. Related methods and computer program products are also discussed.
Type: Application
Filed: June 13, 2023
Publication date: October 12, 2023
Inventors: Evgene Vahlis, Paul Giura
-
Publication number: 20230328110
Abstract: Methods, systems, and computer storage media for providing access to computing environments based on a multi-environment policy are provided. The multi-environment policy is configurable to define rules that have provider-controlled and customer-controlled computing environment parameters for approving access to provider-controlled computing environments and customer-controlled computing environments. In operation, a request associated with a computing environment is received. The computing environment is associated with a multi-environment policy. The multi-environment policy is configurable to define the rules based on access vectors having grouped computing environment aspects for control and visibility associated with accessing computing environments. Based on the request, a determination whether the request is for a provider-controlled or a customer-controlled computing environment is made.
Type: Application
Filed: May 16, 2023
Publication date: October 12, 2023
Inventors: Bhuvaneshwari KRISHNAMURTHI, Janani Vasudevan, Harsha Vardhan Sanagaram, Corbin C. Rogerson, Sandeep S. Kalarickal, Kahren Tevosyan, Thomas Charles Knudson
-
Publication number: 20230328111
Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.
Type: Application
Filed: May 30, 2023
Publication date: October 12, 2023
Inventors: Monica Wifvesson, Prajwol Kumar Nakarmi, Noamen Ben Henda, Håkan Palm
-
Publication number: 20230328112
Abstract: System and methods of brokering trust across multiple Authentication and Authorization methods in a multi-domain, multi-operator, private and public cloud networks are identified. A Digital Trust Broker (DTB) is disclosed that brokers trust between infrastructure authentication methods that use digital certificates (PKI) and operator/enterprise Authentication/Authorization methods through interaction with multiple operator/service provider control and management platforms. The Digital Trust Broker interacts with vendor management and security platforms for associating device manufacturing, assembly, supply-chain, and logistics attributes for assuring trust of compute, network, storage and other system components that a high security enterprise or service provider acquires and installs in their networks. Additionally, methods of generating enhanced certificates for secure network slices and other Cloud and SDN hosted virtual network functions as trust assured services are also disclosed.
Type: Application
Filed: June 1, 2023
Publication date: October 12, 2023
Inventors: Carlos Solari, Surya Kumar Kovvali, Kevin Riley
-
Publication number: 20230328113
Abstract: Systems and methods for providing controlled access to a system by a user device include receiving, from a user device, a request including a current context. The method includes receiving a request for access to a computing resource, the request including a current context, the current context defining a user space and a resource space. The user device evaluates the current context against a security policy. The user device determines that the user device is permitted to access the computing resource based on the request in response to the evaluating the current context against the security policy. In response to determining that the user device is permitted to access the computing resource, accessing the computing resource as requested.
Type: Application
Filed: June 13, 2023
Publication date: October 12, 2023
Inventors: John Handley, Tushar Pujara
-
Publication number: 20230328114
Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.
Type: Application
Filed: June 5, 2023
Publication date: October 12, 2023
Applicant: Oracle International Corporation
Inventors: Igor Dozorets, Thoulfekar Alrahem, Jun Tong, Leonid Kuperman, Nachiketh Potlapally, Bala Ganesh Chandran, Brian Pratt, Nathaniel Martin Glass, Girish Nagaraja, Jonathan Jorge Nadal
-
Publication number: 20230328115
Abstract: A remote access system for policy-controlled computing with a client device connected to a remote software environment is disclosed. The client device communicates with the remote software environment that securely runs applications. Restrictions for a local application that runs on the client device are enforced using a first plurality of policies. A mid-link server enforces restrictions on the remote software environment using a second plurality of policies. The second plurality of policies are updated for each client device, and corresponding enterprise, a country, and a present location of each of the client device of the plurality of client devices. A mirror function that emulates sensor input from the client device as if it is happening inside the remote software environment.
Type: Application
Filed: June 14, 2023
Publication date: October 12, 2023
Applicant: Netskope, Inc.
Inventor: Bradley B. Harvell
-
Publication number: 20230328116
Abstract: Systems and methods for facilitating shared access-right evaluation using linked communication channels are provided. A first communication can be received over a first communication link from a first user device, and a second communication can be received over a second communication link from a second user device. The first and second communications can include requests for the assignment of access rights. Map data can be generated and transmitted to each of the first and second user devices. Each user device can display a visual representation of access-right data. Further, a communication session can be facilitated between the first user device and the second user device. The communication session can be presented on the visual representation for each user device so that the first user and the second user can collaboratively evaluate access rights.
Type: Application
Filed: April 12, 2023
Publication date: October 12, 2023
Applicant: Live Nation Entertainment, Inc.
Inventors: Dennis A. Denker, Raymond Yung-Chien Lew, Debbie Hsu, Michael Horowitz, Bradford J. Bensen, John Carnahan
-
Publication number: 20230328117
Abstract: An information processing apparatus, an information processing system, a communication support system, an information processing method, and a non-transitory recording medium. The information processing apparatus acquires participant information related to a particular participant of a plurality of participants in communication, acquired from the particular participant of the plurality of participants participating, acquires attention amount information related to an attention amount of the particular participant of the plurality of participants with respect to information used in the communication, determines presentation information to be presented to the plurality of participants based on the attention amount information of the particular participant, adjusts timing for transmitting the presentation information to one or more other participants of the plurality of participants, and transmits the presentation information to an output device provided for each of the plurality of participants.
Type: Application
Filed: March 17, 2023
Publication date: October 12, 2023
Inventors: Soh OKUMURA, Yuuta YOSHINO
-
Publication number: 20230328118
Abstract: Systems and methods for dynamically adjusting presentation content based on user responses are described. Embodiments are configured to provide presentation content to a user from a host device, provide an interactive element in conjunction with the presentation content, collect response data from the user via the interactive element; and generate a customized document for the user based on the response data. Embodiments are further configured to provide the presentation content to a user through a website, and to customize the website based on the response data.
Type: Application
Filed: April 11, 2023
Publication date: October 12, 2023
Inventor: Richard Wayne Pickett, JR.
-
Publication number: 20230328119
Abstract: Systems and methods for providing synchronous transmission of streaming media are disclosed. One method may include: receiving, from a first user device associated with a first user, a request to invite a second user to a virtual media streaming session; retrieving, from the at least one database, a second user profile, the second user profile identifying a second user device associated with the second user; transmitting, subsequent to the retrieving, instructions to the second user device to present a notification alerting the second user of the request; determining, using a processor, whether a response accepting the request is detected from the second user device; and connecting, responsive to determining that the response accepting the request was detected, the second user profile to the virtual media streaming session; wherein multimedia content presented in the virtual media streaming session is simultaneously viewable on the first user device and the second user device.
Type: Application
Filed: January 24, 2023
Publication date: October 12, 2023
Inventors: Brian F. ROBERTS, Chad PELTOLA, Charles ROBERTSON
-
Publication number: 20230328120
Abstract: A user equipment (UE) may be equipped with multiple subscriber identity modules (SIMs) capable of supporting emergency calls. When an emergency call is detected, the UE may send emergency call requests to a network through the multiple SIMs. The UE may handle the emergency call through whichever SIM receives the earliest successful response from the network. By utilizing multiple SIMs to establish the emergency call, both reliability and session response time may be enhanced.
Type: Application
Filed: October 28, 2020
Publication date: October 12, 2023
Inventors: Zhiguo LI, Ronghui LIN, Nan ZHANG
-
Publication number: 20230328121
Abstract: Modular technologies for servicing telephony systems are disclosed herein. An example method includes receiving a user request to service a telephony system of a user, and transmitting a set of available session initiation protocol (SIP) providers to a user computing device for analysis by the user. Responsive to receiving a user input, the example method includes connecting the user computing device to an SIP trunk, connecting to a serviceable call location included in the user request through the SIP trunk, wherein connecting to the serviceable call location initiates a data stream, and executing a servicing task included in the user request. The example method includes recording a portion of the data stream during execution of the servicing task, storing the portion of the data stream, and causing the user computing device to display the portion of the data stream for viewing by the user.
Type: Application
Filed: April 6, 2022
Publication date: October 12, 2023
Inventors: Nathan A. Cartwright, Christopher Deren, Darin C. Burleigh, Michael A. Robinson, Matthew Toltzien, Andrew Kleinheinz
-
Publication number: 20230328122
Abstract: Live editing a workbook with multiple clients including receiving, by a table manager, a request by a first client on a first client computing system to edit a workbook in an exploration mode that displays edits to the workbook without altering the workbook; receiving, by the table manager from the first client, an exploration edit targeting the exploration of the workbook; applying, by the table manager, the exploration edit to the exploration of the workbook; and presenting, by the table manager to a second client on a second client computing system, the application of the exploration edit to the exploration of the workbook.
Type: Application
Filed: April 7, 2022
Publication date: October 12, 2023
Inventors: JASON D. FRANTZ, NIPURN DOSHI, CHRISTOPHER MESSER, NEIL F. LUGOVOY
-
Publication number: 20230328123
Abstract: Streaming of shared state data from a presenter device to one or more viewer devices may be accomplished by shared state of a file (e.g., state of a presentation and/or the application that is displaying information from the file and/or data related to the particular shared streaming of the presentation) rather than a screen share view of the application and/or file.
Type: Application
Filed: March 23, 2023
Publication date: October 12, 2023
Inventors: Benjamin Bonnett-Brooks, Kevin Ng, Kendra Knittel, Michelle Mingrone, Samuel Kremin