Abstract: The present description concerns a method of starting a first application configured to be implemented by at least one low-level operating system of a secure element, including the verification of at least a first piece of information updated after each operation of resetting of the secure element, the first piece of information being associated with the at least one low-level operating system.

Abstract: Network infrastructure can be automatically detected. A network sensor detects a new network message. A source-address of the new network message is extracted. A plurality of addresses are assembled based on the source-address. These are recursed, using each of the unique similar-addresses as current addresses. Metadata is assembled for each of the addresses in the plurality of addresses. For each particular address in the plurality of addresses, a risk-label is assigned out of a plurality of possible risk-labels, by weighing a plurality of factors; and performing a network security action with the risk-label.

Abstract: Detecting sequences of computer-executed operations, including training a BLSTM to determine forward and backward probabilities of encountering each computer-executed operations within a training set of consecutive computer-executed operations in forward and backward execution directions of the operations, and identifying reference sequences of operations within the training set where for each given one of the sequences the forward probability of encountering a first computer-executed operation in the given sequence is below a predefined lower threshold, the forward probability of encountering a last computer-executed operation in the given sequence is above a predefined upper threshold, the backward probability of encountering the last computer-executed operation in the given sequence is below the predefined lower threshold, and the backward probability of encountering the first computer-executed operation in the given sequence is above the predefined upper threshold, and where the predefined lower threshold

Abstract: Methods, apparatus, and processor-readable storage media for automatically detecting data offloading methods using data bucketing and machine learning techniques are provided herein. An example computer-implemented method includes obtaining operations data and configuration data for one or more storage objects in a database; determining one or more times at which data offloading is to be carried out for at least one of the storage objects in the database, wherein determining the one or more times includes processing at least a portion of the operations data using one or more machine learning techniques; generating at least one data offloading protocol, comprising one or more data offloading methods, by processing at least a portion of the configuration data; and automatically executing, in accordance with the one or more determined times, the at least one generated data offloading protocol for at least a portion of the one or more storage objects in the database.

Abstract: An information handling system may include a processor, a basic input/output system (BIOS) communicatively coupled to the processor, and a security agent comprising a program of instructions embodied in non-transitory computer-readable media and configured to, when read and executed by the processor: retrieve a BIOS policy, retrieve BIOS configuration information, based on the BIOS policy and the BIOS configuration information, determine a deviation of one or more BIOS attributes of the BIOS configuration information, and perform remediation of the one or more BIOS attributes based on the deviation.

Abstract: Techniques for using honeypots to lure attackers and gather data about attackers and attack patterns on Infrastructure-as-a-Service (IaaS) instances. The gathered data may then be analyzed and used to proactively prevent such attacks.

Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.

Abstract: A system is provided for delivering network services. The system receives an inventory of network assets and a scope of available network services. For each asset of at least a subset of the assets, the system selects importance-related ranking attributes and scannability-related ranking attributes from the available service characteristics of the asset. Based on the importance-related ranking attributes, the system determines an importance of the asset. Based on the scannability-related ranking attributes or the or a scope of available network services, the system determines a scannability of the asset. Based on the importance and scannability of the asset, the system determines a priority of the asset. Based on the priorities of the assets, the system determines a prioritized asset inventory.

Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.

Abstract: A distributed data storage system can consist an attack module connected to distributed data storage system that has at least one host connected to a first data storage device and a second data storage device via a network controller. A susceptibility to a third-party attack in the distributed data storage system may be identified with the attack module, which prompts the generation of an attack counter strategy with the attack module. The attack counter strategy can have at least one proactive action directed at preventing a future third-party attack on the detected susceptibility that is executed prior to a third-party attack to temporarily randomize execution timing of a data access operation of the distributed data storage system.

Abstract: Computer-implemented methods and systems are provided for the detection of software presence remotely through the web browser by detecting the presence of webinjects in a web browser that visits a detection webpage. The methods can include delivering a detection webpage to a web browser, in which the detection webpage has detection code configured to detect a presence of the webinject in the detection webpage; and inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components. The method can further include, if webinject content is detected, generating a fingerprint for each of the one or more HTML components; transmitting the one or more fingerprints to an external server; and classifying, by the external server, the webinject based on the one or more fingerprints.

Abstract: Systems and methods for formatting data are disclosed. For example, a system may include at least one memory storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving data comprising a plurality of sequences of data values and training a recurrent neural network model to output conditional probabilities of subsequent data values based on preceding data values in the data value sequences. The operations may include generating conditional probabilities using the trained recurrent neural network model and the received data. The operations may include determining a data format of a subset of the data value sequences, based on the generated conditional probabilities, and reformatting at least one of the data value sequences according to the determined data format.

Abstract: In general, in one aspect, a method for machine learning recognition of portable executable files as malware includes providing training data comprising features of portable executable files and a descriptive information for the portable executable files, the descriptive information comprising a family or type of malware. The method may include training a model using the training data to detect malware. The method may include using the trained model to recognize malware by providing features of a portable executable file as input and providing a threat score and descriptive information as output.

Abstract: Disclosed herein are systems and methods for parallel malware scanning in a cloud environment. In one exemplary aspect, a method may comprise identifying a plurality of agents connected to a server, wherein each agent is configured to synchronize data between a different computing device and the server. The method may comprise receiving, from a first agent of the plurality of agents, a request to scan the synchronized data for malware. In response to determining, from the plurality of agents, at least one other agent that comprises the synchronized data, the method may comprise partitioning the synchronized data into a plurality of portions. The method may comprise assigning a first portion for scanning to the first agent and at least one other portion for scanning to the at least one other agent, and aggregating scan results from the first agent and the at least one other agent.

Abstract: A security assessment scheduling tool uses a configuration file that is configurable via a user interface, to specify one or more elements of an application to be analyzed during the scoping process. Further, the security assessment scheduling tool may automatically schedule assessments for large numbers of applications using one or more constraining optimization techniques and/or via modeling the scheduling problem as an RCPSP problem. The security assessment scheduling tool processes the RCPSP problem for a defined period of time and then schedules remaining unscheduled applications within a specified time period thereby allowing the security assessment scheduling tool to schedule assessments of tens of thousands of applications.

Abstract: A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.

Abstract: An authentication between a wireless charger and a device configured to receive wireless energy from the wireless charger includes establishing a wireless data channel between the wireless charger and the device. An authentication challenge signal is driven onto a transmit charging coil of the wireless charger and a receive charging coil of the device is configured to receive the authentication challenge signal. The device sends an authentication response signal to the wireless charger based at least in part on the authentication challenge signal.

Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

Abstract: Volatile organic compounds classification by receiving test data associated with detecting volatile organic compounds (VOCs), analyzing the test data according to a set of data features associated with known VOCs, determining a match between each feature of the test data and a corresponding feature of the set of data features, yielding a set of matches, defining a first degree of anomaly for the test data according to the set of matches, and classifying the test data according to the first degree of anomaly.

Abstract: System and methods are provided for implementing a Unified Integration Pattern (UIP) protocol for centralized handling of data feeds between client systems. In embodiments, a method includes: receiving an authentication Application Program Interface (API) message and data file transfer request for a data transfer event from a sending client system in a network of distinct client systems; authenticating the sending client system based on the authentication API message; uploading a data file from the sending client system based on the authenticating; receiving a notification API message from the sending client system indicating that that uploading of the data file to the computer system is complete; sending the data file to a receiving client system in the network of distinct client systems based on API message and data file request and the notification API message; and sending a notification message to the sending client system regarding the data transfer event.

Abstract: Methods and apparatus consistent with the present disclosure may be used after a computer network has been successfully attacked by new malicious program code. Such methods may include collecting data from computers that have been affected by the new malicious program code and this data may be used to identify a type of damage performed by the new malicious code. The collected data may also include a copy of the new malicious program code. Methods consistent with the present disclosure may also include allowing the new malicious program code to execute at an isolated computer while actions and instructions that cause the damage are identified. Signatures may be generated from the identified instructions after which the signatures or data that describes the damaging actions are provided to computing resources such that those resources can detect the new malware program code.

Abstract: The system inhibits malware, which has infected user equipment (UE), from establishing a communication channel between to the UE and a malware command and control (C2) website. A malware threat detector detects traffic generated by user equipment generated by malware. The system extracts the logs of these detections and processes the packet capture and extracts the fully qualified domain name (FQDN). The FQDN is then transmitted to a malware information sharing platform and added to the domain name system response policy zone (DNS RPZ). The DNS RPZ can block subsequent access to the malware C2 website due to the inclusion of the FQDN on the DNS RPZ.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: receive a client event report, the client event report including an operating system event trace for an attempt to exploit a patched vulnerability, and first feature data for a malware object that made the attempt; receive second feature data for an unknown object; compare the first feature data to the second feature data; and if the second feature data match the first feature data above a threshold, convict the unknown object as malware.

Abstract: A firewall may identify a uniform resource locator (URL) being transmitted to a user device, the URL link pointing to a host system. The firewall can then modify the URL link to point instead to a sandbox system. Once a user at the user device selects the URL link (e.g., by clicking or touching it in a browser), the firewall receives the user device's HTTP request and directs it to the sandbox system, which generates a new HTTP request that is then sent through the firewall to the host system. The host system then sends host content to the sandbox system instead of to the user device. The user device may then be presented with a representation of the host content as rendered at the sandbox system (e.g., through a remote desktop interface).

Abstract: A plant management method includes: acquiring correlation information indicating a correlation between a component subjected to a cyberattack and a component to be possibly affected by the cyberattack when a plant including a plurality of components is subjected to the cyberattack; and zoning the plurality of components on the basis of the correlation information.

Abstract: An object of this invention is to obtain a whitelist generator with which the accuracy of data relating to the specifications of normal communication serving as an automatic generation source can be guaranteed, whereby the accuracy of a generated whitelist can be guaranteed over an entire whitelist generation flow. The whitelist generator is applied to a system formed from a plurality of devices, the plurality of devices being configured to exchange data with each other, in order to generate a whitelist used for whitelisting intrusion detection, and includes a model verification unit that verifies, on the basis of an input model, at least one of whether or not normal communication in the system has been modeled correctly and whether or not the model is logically consistent, and a model conversion unit that converts the verified model into a whitelist.

Abstract: Disclosed are various approaches for automating the detection and identification of anomalous devices in a management service. Device check-ins are received by a management service and housed in a data store. The quantity of device check-ins over various time periods can be analyzed using various approaches to identify anomalous devices.

Abstract: An attack countermeasure determination includes a domain name input unit that receives any domain name as input, and acquires setting information corresponding to the domain name, registration information corresponding to the domain name, and external information corresponding to an internet protocol (IP) address corresponding to the domain name, as feature information on the domain name, an attack countermeasure determination unit that specifies a pre-designated category for the domain name on the basis of the feature information and determines, in a stepwise manner, an attack countermeasure against the domain name in accordance with the specified category, and an attack countermeasure information output unit that outputs attack countermeasure information corresponding to the attack countermeasure.

Abstract: Disclosed herein are systems and method for detecting passwords vulnerable to compromise. In one exemplary aspect, a method comprises identifying a plurality of files in at least one storage device of an organization. For each respective file in the plurality of files, in response to determining that the respective file type is in the database of vulnerable file types, the method comprises parsing text in the respective file and identifying, for the respective file, at least one demographic associated with the organization. The method further comprises retrieving dictionaries and expressions specific to the at least one demographic and determining the text in the respective file comprises a password using the retrieved dictionaries and expressions of the at least one demographic. In response to determining that the text comprises the password, the method comprises generating a security alert for an administrator of the storage device.

Abstract: According to examples, an apparatus may include machine-readable instructions that may cause the processor to determine that a first malware was detected on a first computing device and to determine whether a second malware was detected on a second computing device within a predefined period of time of when the first malware was detected on the first computing device, in which the first computing device and the second computing device are associated with a shared data storage that is remote from the first and second computing devices. The instructions may also cause the processor to, based on a determination that the second malware was detected within the predefined period of time, output a notification that the first malware was likely spread to the first computing device and/or that the second malware was likely spread to the second computing device through the shared data storage.

Abstract: Systems and methods for implementing sentiment analysis of computer code are provided. Developers who write source code may include comments or other natural language artifacts in the source code. These artifacts may be illustrative of current or legacy cybersecurity threats. Systems and methods may mine comments, and/or other code artifacts, for the dual purposes of cybersecurity threat detection and mitigation. Advanced code analytics may be leveraged for a deeper understanding of the sentiments expressed by the artifacts. Such sentiment may include negative sentiments expressed in error code selection and/or descriptions. All information retrieved is preferably human identity agnostic in line with personal data regulation compliance.

Abstract: An edge server receives a request from a client network application for a web page hosted at an origin server. The edge server transmits the requested web page in a response. The edge server accesses an edge server request log to retrieve a log entry associated with the request for the web page, where the log entry associated with the request for the web page includes information regarding the request and the response. The edge server retrieves one or more characteristics of an asset of the web page, where each characteristics has an expected value. The edge server determines whether the origin server is compromised when a value for a characteristic is not within a threshold range of the expected value for the characteristic of the asset and performs a mitigation action in response.

Abstract: Systems and techniques for sharing security data are described herein. Security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities. A security rule may be enabled on different entities comprising different computing systems to combat similar security threats and/or attacks. Security rules and/or attack data may be modified to redact sensitive information and/or configured through access controls for sharing.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify co-relationships between media using social media. An example apparatus includes an audience estimator to: estimate a first audience of first media based on a first set of media-exposure social media messages corresponding to client devices referencing the first media, and estimate a second audience of second media based on a second set of media-exposure social media messages corresponding to the client devices referencing the second media.

Abstract: Threat modeling methods include providing one or more data stores storing threat model components, threats, and security requirements, each threat associated with at least one of the threat model components, each security requirement including a stored indication of whether it is a compensating control, and each compensating control associated with one of the threats. One or more computing devices communicatively coupled with the one or more data stores display a relational diagram of a system, an application, and/or a process, using visual representations of the threat model components, the diagram defining a threat model. The one or more computing devices display a threat report displaying each threat associated with one of the threat model components included in the threat model. The one or more computing devices further display a compensating control report displaying each compensating control that is associated with one of the threats included in the threat report.

Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.

Abstract: A system configured for identifying unpermitted data in source code receives a search query comprising particular keywords related to the unpermitted data. The system labels the source code with vulnerability factors and categories of those vulnerability factors, where the vulnerability factors indicate a security vulnerability and the categories provide information about the security vulnerability of the source code. The system performs a static analysis on the source code to identify instances of the particular keyword in a data flow and control flow of the source code. The system performs a vulnerability analysis on the source code to determine a vulnerability level of the source code, in which factor weights and category weights for each code portion of the source code are determined. The system calculates a weighted sum of the factor weights and category weights for each code portion, thereby detecting instances of unpermitted data in source code.

Abstract: Programmable devices, hierarchical parallel machines and methods for providing state information are described. In one such programmable device, programmable elements are provided. The programmable elements are configured to implement one or more finite state machines. The programmable elements are configured to receive an N-digit input and provide a M-digit output as a function of the N-digit input. The M-digit output includes state information from less than all of the programmable elements. Other programmable devices, hierarchical parallel machines and methods are also disclosed.

Abstract: A method including analyzing affected data known to include harmful content to identify harmful traits that are included in the affected data with a frequency that satisfies a threshold frequency; analyzing clean data known to be free of harmful content to identify clean traits that are included in the clean data with a frequency that satisfies the threshold frequency; determining harmful patterns indicating characteristics of the harmful traits included in affected data based at least in part on comparing the affected data with the harmful traits and the clean traits; determining clean patterns indicating characteristics of the clean traits included in clean data based at least in part on comparing the clean data with the harmful traits and the clean traits; and determining whether given data includes the harmful content based at least in part on utilizing the harmful patterns and the clean patterns. Various other aspects are contemplated.

Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.

Abstract: A system for suspending a computing device suspected of being infected by a malicious code is configured to receive a signal to initiate a suspension procedure of the computing device. The system captures states of instructions that are being executed by a processor of the computing device, where the instructions comprise the malicious code. The system prioritizes the operation of a kill switch button over the instructions being executed by the processor. The system sends notification signals to servers managing a user account associated with a user currently logged in at the computing device, indicating that the computing device is suspected of having been infected by the malicious code. In response to sending the notification signals to the servers, the user account is suspended. The system terminates network connections of the computing device such that the computing device is disconnected from other devices.

Abstract: Embodiments are directed towards managing and tracking item identification of a plurality of items to determine if an item is a new or existing item, where an existing item has been previously processed. In some embodiments, two or more item identifiers may be generated. In one embodiment, generating the two or more item identifiers may include analyzing the item using a small item size characteristic, a compressed item, or for an identifier collision. The two or more item identifiers may be employed to determine if the item is a new or existing item. In one embodiment, the two or more item identifiers may be compared to a record about an existing item to determine if the item is a new or existing item. If the item is an existing item, then the item may be further processed to determine if the existing item has actually changed.

Abstract: The present invention provides systems and methods for processing return transactions over a network. An embodiment of the invention discloses an online return application that generates an electronic return shipping label that can be delivered to a browser of a customer that wishes to make a return. Also, disclosed is the creation and transmission of label delivery links, which provide for dynamic generation and delivery of shipping labels.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: Embodiments for managing the utilization of software releases are provided. Information associated with a software release and at least one early adopter of the software release is analyzed to calculate a severity score for the software release. A time to utilize the software release is determined based on the calculated severity score.

Abstract: Aspects of the present disclosure involve systems and methods computing devices to access a public network posing as a user to the network to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply the one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes.

Abstract: [Problem] An abnormality cause route in a network can be efficiently specified, and labor and a cost required for work can be reduced. [Solution] An abnormality cause specification support system 101 includes: a storage device 203 that holds communication relation information 401 in which a communication history between terminals 20 belonging to a predetermined network 10 is stored separately according to presence and absence of a session in the communication, and a policy 601 for specifying an abnormality cause route occurring in the network 10; and an arithmetic device 201 that specifies, among the communication history indicated by the communication relation information 401, a communication history indicating a condition defined in the policy 601 and a predetermined degree of conformity, and specifies a route between the terminals indicated by the specified communication history as an abnormal cause route to be considered with priority in the network 10.

Abstract: A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc.

Abstract: Disclosed embodiments relate to systems and methods for discovering and remediating hidden secrets in code files. Techniques include accessing an element of source code for analysis, performing a static analysis of the element of source code, and generating a control flow representation that identifies a plurality of functions and a sequence of functions associated with the element of the source code. The techniques may further include determining a probability of a hidden secret being included in the element of source code and performing a security action of at least one of: generating an alert, displaying a visual indication of the probability, generating a report associated with the hidden secret, sending data associated with the probability to a machine learning system for training the machine learning system, or a remediating action associated with the hidden secret.