Abstract: A method for software code analysis includes receiving source code of an application program, which includes one or more calls from respective entry points in the source code to a library program. The source code is automatically analyzed in order to generate a first data flow graph (DFG), representing a flow of data to be engendered upon running the application program. One or more vulnerabilities are identified in the library program. The library program is automatically analyzed to generate a second DFG linking at least one of the entry points in the source code to at least one of the vulnerabilities. The first DFG is combined with the second DFG in order to track the flow of data from the application program to the at least one of the vulnerabilities and to report at least one of the vulnerabilities as being exploitable.

Abstract: A phishing site detection device extracts, from a phishing kit, a condition of access sources with which the access to a phishing site is blocked. Then, the phishing site detection device accesses a phishing site constructed by the phishing kit using one or more extracted conditions of access sources, and stores an access result for each condition of access sources in an access result storage module. Thereafter, the phishing site detection device sets a condition of access sources with which the access to the phishing site constructed by the phishing kit is blocked, accesses a website to be detected, and determines whether the website is a phishing site on the basis of the access result.

Abstract: Systems and methods for detecting malicious behavior in a network by analyzing process interaction ratios (PIRs) are provided. According to one embodiment, information regarding historical process activity is maintained. The historical process activity includes information regarding various processes hosted by computing devices of a private network. Information regarding process activity within the private network is received for a current observation period. For each process, for each testing time period of a number of testing time periods within the current observation period, a PIR is determined based on (i) a number of unique computing devices that host the process and (ii) a number of unique users that have executed the process. A particular process is identified as potentially malicious when a measure of deviation of the PIR of the particular process from a historical PIR mean of the particular process exceeds a pre-defined or configurable threshold during a testing time period.

Abstract: A computing system includes persistent storage configured to store representations of software applications installed on computing devices, and a software application configured to perform operations, including retrieving, from the persistent storage, a first plurality of representations of a first plurality of software applications installed on a particular computing device and a second plurality of representations of a second plurality of software applications installed on a reference computing device. The operations also include determining a device fingerprint of the particular computing device based on the first plurality of representations and a reference device fingerprint of the reference computing device based on the second plurality of representations, and comparing the device fingerprint to the reference device fingerprint.

Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.

Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.

Abstract: An apparatus includes a CPU, a CPU boot ROM that stores a program to be executed by the CPU, a secure microcontroller that detects modification of the program, and a secure-microcontroller boot ROM that stores a recovery program for recovering the program in response to the secure microcontroller detecting modification of the program. The secure-microcontroller boot ROM is accessible from the secure microcontroller, and is not accessible from the CPU.

Abstract: Method and system for protecting an executing environment from malicious code elements, one exemplary method including compiling a set of trustworthy code elements, each code element being executable using an application. The method further includes determining whether the file contains an embedded code element. If the file contains an embedded element, the embedded code element can be authenticated based on the stored set of code elements, to determine whether the embedded code element is trustworthy. Access to the file can be enabled in response to an authentication result that the embedded code element is trustworthy.

Abstract: A method including determining, by an infrastructure device, harmful patterns indicating characteristics of harmful traits included in affected data known to include harmful content, and clean patterns indicating characteristics of clean traits included in clean data known to be free of the harmful content; training, by the infrastructure device, a machine learning model to indicate presence of the harmful content based at least in part on utilizing the harmful patterns and the clean patterns; transmitting, by the infrastructure device to a user device, the harmful patterns, the clean patterns, and the machine learning model; and determining, by the user device, whether given data includes the harmful content based at least in part on utilizing the harmful patterns, the clean patterns, and the machine learning model. Various other aspects are contemplated.

Abstract: A conference system with low standby power consumption includes a transmitter, an image data source, a receiver, and a display device. The transmitter includes a battery for providing power, at least one link port for accessing data, and a processor coupled to the battery and the at least one link port. The image data source is used for transmitting the image data to the transmitter. The receiver is linked to the transmitter for receiving the image data. The display device is linked to the receiver for displaying the image data. When the transmitter and the image data source are electrically coupled, the processor ceases to use the battery of the transmitter and controls the image data source for providing power to the transmitter. When the transmitter and the image data source are separated, the processor uses the battery of the transmitter for driving firmware of the transmitter.

Abstract: Systems and methods for virtual image testing. An example method may comprise receiving, by a messaging application, an identifier of a file residing a file system. Configuring a file serving process to respond to content requests specifying the file. Transmitting, by the messaging application, a notification comprising a uniform resource locator derived from the file identifier.

Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).

Abstract: System, method, and software for detecting anomalies in data generated by microservices. In one embodiment, an anomaly detector collects performance metrics for a microservice deployed in a data center for an application. The anomaly detector transforms the performance metrics into a time-series structured dataset for the microservice, and feeds the structured dataset to a machine learning system to determine whether an anomaly exists in the structured dataset based on an anomaly detection model. The anomaly detector performs an anomaly classification with the machine learning system based on an anomaly classification model and the structured dataset when an anomaly is detected in the structured dataset, and performs an action based on the anomaly classification.

Abstract: The disclosed computer-implemented method for protecting customer payment data against malware attacks on inline frame payment forms may include (i) detecting a payment form in a payment page on an online merchant website (e.g., by monitoring the website for a user entry of payment information during a customer transaction session or by analyzing, in hypertext markup language associated with an inline frame (iframe), a document object model (DOM)) to identify the payment form, (ii) identifying the iframe on the online merchant website, (iii) determining whether the iframe is associated with a trusted domain utilized for processing the payment information to complete the customer transaction session, and (iv) performing a security action that protects against a potential malware attack by preventing completion of the customer transaction upon determining that the iframe is unassociated with the trusted domain. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A determination method includes determining an attack type of an attack code included in an attack request on the server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server, and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded, by a processor.

Abstract: A method for resisting spread of unwanted code and data without scanning incoming electronic files for unwanted code and data, the method comprising the steps, performed by a computer system, includes receiving, at the computer system, an incoming electronic file containing content data encoded and arranged in accordance with a predetermined file type corresponding to a set of rules, determining a purported predetermined file type of the incoming electronic file by analysing the encoded and arranged content data, the purported predetermined file type and the associated set of rules specifying allowable content data for the purported predetermined file type, parsing the content data by dividing the content data into separate parts in accordance with a predetermined data format identified by the associated set of rules corresponding to the purported predetermined file type and determining nonconforming data in the content data by identifying content data that does not conform to the purported predetermined file

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for a security system with dynamic insurance integration. In some implementations, a security token is generated in response to a user requesting a risk assessment. The security token is provided to a third-party server. A request from the third-party server for monitoring data collected by a security system associated with the user is received. Monitoring data is provided to the third-party server. An indication of the risk assessment from the third-party server is received.

Abstract: In an illustrative embodiment, methods and systems for cybersecurity assessment of an organization's technology infrastructure include identifying features of the technology infrastructure and automatically generating a threat profile relevant to both the technology infrastructure and the organization's business (and/or business objectives), where the threat profile includes potential threat actors and threat scenarios applicable to the technology infrastructure. The methods and systems may include evaluating cybersecurity controls of the organization's technology infrastructure in light of the threat profile to identify and rate vulnerabilities within the technology infrastructure.

Abstract: A system and a method are disclosed for verifying a suspicious electronic communication. To this end, a secure communications service may detect an electronic communication comprising an identifier of a purported originator of the electronic communication and an identifier of an intended recipient, and determine that an attribute of the electronic communication corresponds to a suspicious attribute. Responsively, the service may intercept the electronic communication and storing the electronic communication in purgatory memory, so as to prevent the electronic communication from being populated in a private repository of the intended recipient, transmit a verification message, and receive a reply to the verification message that verifies the authenticity of the electronic communication.

Abstract: A first set of instructions, which is provided access to a first address space, is scheduled for execution at a first hardware thread of a processor. Prior to executing an instruction of a second set of instructions, which accesses a second address space, at the first hardware thread, a determination is made that the second address space is accessible from a second hardware thread of the processor.

Abstract: Systems, methods, and computer-readable media are disclosed for systems and methods for automated deployment of decoy production networks. Example methods may include detecting, by one or more computer processors coupled to memory, an unauthorized user in a production network environment, determining a computer-executable payload associated with the unauthorized user, and initiating a first virtual decoy production network environment. Methods may include causing the computer-executable payload to be executed in the first virtual decoy production network environment, and recording telemetry data associated with execution of the computer-executable payload in the first virtual decoy production network environment.

Abstract: Systems and methods of identifying over-privileged access in a computing system are disclosed. The method includes receiving configuration information for the computing system, selecting an identity that can access the computing system and determining access privileges for the selected identity using at least the received configuration information, the access privileges identifying one or more computing resource or service accessible to the selected identity, determining at least one role assumable by the identified one or more computing resource or service accessible to the selected identity, and determining whether the identified one or more computing resource or service accessible to the selected identity can elevate its privileges. In a case where it is determined that the identified one or more computing resource or service accessible to the selected identity can elevate its privileges, the method provides notification that the identity has over-privileged access to the computing system.

Abstract: The present description concerns a method of starting a first application configured to be implemented by at least one low-level operating system of a secure element, including the verification of at least a first piece of information updated after each operation of resetting of the secure element, the first piece of information being associated with the at least one low-level operating system.

Abstract: Network infrastructure can be automatically detected. A network sensor detects a new network message. A source-address of the new network message is extracted. A plurality of addresses are assembled based on the source-address. These are recursed, using each of the unique similar-addresses as current addresses. Metadata is assembled for each of the addresses in the plurality of addresses. For each particular address in the plurality of addresses, a risk-label is assigned out of a plurality of possible risk-labels, by weighing a plurality of factors; and performing a network security action with the risk-label.

Abstract: Detecting sequences of computer-executed operations, including training a BLSTM to determine forward and backward probabilities of encountering each computer-executed operations within a training set of consecutive computer-executed operations in forward and backward execution directions of the operations, and identifying reference sequences of operations within the training set where for each given one of the sequences the forward probability of encountering a first computer-executed operation in the given sequence is below a predefined lower threshold, the forward probability of encountering a last computer-executed operation in the given sequence is above a predefined upper threshold, the backward probability of encountering the last computer-executed operation in the given sequence is below the predefined lower threshold, and the backward probability of encountering the first computer-executed operation in the given sequence is above the predefined upper threshold, and where the predefined lower threshold

Abstract: Methods, apparatus, and processor-readable storage media for automatically detecting data offloading methods using data bucketing and machine learning techniques are provided herein. An example computer-implemented method includes obtaining operations data and configuration data for one or more storage objects in a database; determining one or more times at which data offloading is to be carried out for at least one of the storage objects in the database, wherein determining the one or more times includes processing at least a portion of the operations data using one or more machine learning techniques; generating at least one data offloading protocol, comprising one or more data offloading methods, by processing at least a portion of the configuration data; and automatically executing, in accordance with the one or more determined times, the at least one generated data offloading protocol for at least a portion of the one or more storage objects in the database.

Abstract: An information handling system may include a processor, a basic input/output system (BIOS) communicatively coupled to the processor, and a security agent comprising a program of instructions embodied in non-transitory computer-readable media and configured to, when read and executed by the processor: retrieve a BIOS policy, retrieve BIOS configuration information, based on the BIOS policy and the BIOS configuration information, determine a deviation of one or more BIOS attributes of the BIOS configuration information, and perform remediation of the one or more BIOS attributes based on the deviation.

Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.

Abstract: Techniques for using honeypots to lure attackers and gather data about attackers and attack patterns on Infrastructure-as-a-Service (IaaS) instances. The gathered data may then be analyzed and used to proactively prevent such attacks.

Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.

Abstract: A system is provided for delivering network services. The system receives an inventory of network assets and a scope of available network services. For each asset of at least a subset of the assets, the system selects importance-related ranking attributes and scannability-related ranking attributes from the available service characteristics of the asset. Based on the importance-related ranking attributes, the system determines an importance of the asset. Based on the scannability-related ranking attributes or the or a scope of available network services, the system determines a scannability of the asset. Based on the importance and scannability of the asset, the system determines a priority of the asset. Based on the priorities of the assets, the system determines a prioritized asset inventory.

Abstract: A distributed data storage system can consist an attack module connected to distributed data storage system that has at least one host connected to a first data storage device and a second data storage device via a network controller. A susceptibility to a third-party attack in the distributed data storage system may be identified with the attack module, which prompts the generation of an attack counter strategy with the attack module. The attack counter strategy can have at least one proactive action directed at preventing a future third-party attack on the detected susceptibility that is executed prior to a third-party attack to temporarily randomize execution timing of a data access operation of the distributed data storage system.

Abstract: Computer-implemented methods and systems are provided for the detection of software presence remotely through the web browser by detecting the presence of webinjects in a web browser that visits a detection webpage. The methods can include delivering a detection webpage to a web browser, in which the detection webpage has detection code configured to detect a presence of the webinject in the detection webpage; and inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components. The method can further include, if webinject content is detected, generating a fingerprint for each of the one or more HTML components; transmitting the one or more fingerprints to an external server; and classifying, by the external server, the webinject based on the one or more fingerprints.

Abstract: Systems and methods for formatting data are disclosed. For example, a system may include at least one memory storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving data comprising a plurality of sequences of data values and training a recurrent neural network model to output conditional probabilities of subsequent data values based on preceding data values in the data value sequences. The operations may include generating conditional probabilities using the trained recurrent neural network model and the received data. The operations may include determining a data format of a subset of the data value sequences, based on the generated conditional probabilities, and reformatting at least one of the data value sequences according to the determined data format.

Abstract: In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and a descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

Abstract: A security assessment scheduling tool uses a configuration file that is configurable via a user interface, to specify one or more elements of an application to be analyzed during the scoping process. Further, the security assessment scheduling tool may automatically schedule assessments for large numbers of applications using one or more constraining optimization techniques and/or via modeling the scheduling problem as an RCPSP problem. The security assessment scheduling tool processes the RCPSP problem for a defined period of time and then schedules remaining unscheduled applications within a specified time period thereby allowing the security assessment scheduling tool to schedule assessments of tens of thousands of applications.

Abstract: Disclosed herein are systems and methods for parallel malware scanning in a cloud environment. In one exemplary aspect, a method may comprise identifying a plurality of agents connected to a server, wherein each agent is configured to synchronize data between a different computing device and the server. The method may comprise receiving, from a first agent of the plurality of agents, a request to scan the synchronized data for malware. In response to determining, from the plurality of agents, at least one other agent that comprises the synchronized data, the method may comprise partitioning the synchronized data into a plurality of portions. The method may comprise assigning a first portion for scanning to the first agent and at least one other portion for scanning to the at least one other agent, and aggregating scan results from the first agent and the at least one other agent.

Abstract: A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.

Abstract: An authentication between a wireless charger and a device configured to receive wireless energy from the wireless charger includes establishing a wireless data channel between the wireless charger and the device. An authentication challenge signal is driven onto a transmit charging coil of the wireless charger and a receive charging coil of the device is configured to receive the authentication challenge signal. The device sends an authentication response signal to the wireless charger based at least in part on the authentication challenge signal.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

Abstract: Volatile organic compounds classification by receiving test data associated with detecting volatile organic compounds (VOCs), analyzing the test data according to a set of data features associated with known VOCs, determining a match between each feature of the test data and a corresponding feature of the set of data features, yielding a set of matches, defining a first degree of anomaly for the test data according to the set of matches, and classifying the test data according to the first degree of anomaly.

Abstract: System and methods are provided for implementing a Unified Integration Pattern (UIP) protocol for centralized handling of data feeds between client systems. In embodiments, a method includes: receiving an authentication Application Program Interface (API) message and data file transfer request for a data transfer event from a sending client system in a network of distinct client systems; authenticating the sending client system based on the authentication API message; uploading a data file from the sending client system based on the authenticating; receiving a notification API message from the sending client system indicating that that uploading of the data file to the computer system is complete; sending the data file to a receiving client system in the network of distinct client systems based on API message and data file request and the notification API message; and sending a notification message to the sending client system regarding the data transfer event.

Abstract: Methods and apparatus consistent with the present disclosure may be used after a computer network has been successfully attacked by new malicious program code. Such methods may include collecting data from computers that have been affected by the new malicious program code and this data may be used to identify a type of damage performed by the new malicious code. The collected data may also include a copy of the new malicious program code. Methods consistent with the present disclosure may also include allowing the new malicious program code to execute at an isolated computer while actions and instructions that cause the damage are identified. Signatures may be generated from the identified instructions after which the signatures or data that describes the damaging actions are provided to computing resources such that those resources can detect the new malware program code.

Abstract: The system inhibits malware, which has infected user equipment (UE), from establishing a communication channel between to the UE and a malware command and control (C2) website. A malware threat detector detects traffic generated by user equipment generated by malware. The system extracts the logs of these detections and processes the packet capture and extracts the fully qualified domain name (FQDN). The FQDN is then transmitted to a malware information sharing platform and added to the domain name system response policy zone (DNS RPZ). The DNS RPZ can block subsequent access to the malware C2 website due to the inclusion of the FQDN on the DNS RPZ.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive a client event report, the client event report including an operating system event trace for an attempt to exploit a patched vulnerability, and first feature data for a malware object that made the attempt; receive second feature data for an unknown object; compare the first feature data to the second feature data; and if the second feature data match the first feature data above a threshold, convict the unknown object as malware.

Abstract: A firewall may identify a uniform resource locator (URL) being transmitted to a user device, the URL link pointing to a host system. The firewall can then modify the URL link to point instead to a sandbox system. Once a user at the user device selects the URL link (e.g., by clicking or touching it in a browser), the firewall receives the user device's HTTP request and directs it to the sandbox system, which generates a new HTTP request that is then sent through the firewall to the host system. The host system then sends host content to the sandbox system instead of to the user device. The user device may then be presented with a representation of the host content as rendered at the sandbox system (e.g., through a remote desktop interface).

Abstract: A plant management method includes: acquiring correlation information indicating a correlation between a component subjected to a cyberattack and a component to be possibly affected by the cyberattack when a plant including a plurality of components is subjected to the cyberattack; and zoning the plurality of components on the basis of the correlation information.

Abstract: An object of this invention is to obtain a whitelist generator with which the accuracy of data relating to the specifications of normal communication serving as an automatic generation source can be guaranteed, whereby the accuracy of a generated whitelist can be guaranteed over an entire whitelist generation flow. The whitelist generator is applied to a system formed from a plurality of devices, the plurality of devices being configured to exchange data with each other, in order to generate a whitelist used for whitelisting intrusion detection, and includes a model verification unit that verifies, on the basis of an input model, at least one of whether or not normal communication in the system has been modeled correctly and whether or not the model is logically consistent, and a model conversion unit that converts the verified model into a whitelist.

Abstract: Disclosed are various approaches for automating the detection and identification of anomalous devices in a management service. Device check-ins are received by a management service and housed in a data store. The quantity of device check-ins over various time periods can be analyzed using various approaches to identify anomalous devices.