Computer Virus Detection By Cryptography Patents (Class 713/188)
  • Patent number: 11533333
    Abstract: A computer implemented method of protecting a target subnet, including a set of network connected devices in a hierarchy of subnets of a computer network, from malware attack. The method includes generating a dynamical system for each subnet in the network, each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: susceptible to infection by the malware; infected by the malware; protected against infection by the malware; and remediated of infection by the malware. The dynamical systems are based on rates of transmission of the malware between pairs of subnets; evaluating a measure of risk of infection of the target subnet at a predetermined point in time based on the dynamical system for the target subnet; and responsive to the measure of risk meeting a predetermined threshold, deploying malware protection measures to devices in the target subnet.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: December 20, 2022
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Xiao-Si Wang, Zhan Cui, Ian Herwono
  • Patent number: 11514171
    Abstract: A method includes receiving code for computer programming, determining whether at least a portion of the code comprises at least one vulnerability, and comparing at least the portion of the code comprising the at least one vulnerability to a knowledge base. The knowledge base comprises (i) a plurality of code fragments comprising a plurality of vulnerabilities; and (ii) a plurality of solutions to prevent corresponding ones of the plurality of vulnerabilities. The method further includes identifying, based on the comparing, a code fragment of the plurality of code fragments matching at least the portion of the code comprising the at least one vulnerability, and executing a solution of the plurality of solutions corresponding to the identified code fragment to prevent the at least one vulnerability in at least the portion of the code.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: November 29, 2022
    Assignee: Dell Products L.P.
    Inventors: Hung Dinh, Reshma Nair, Gaurav Suwal, Vishnu Prabhu Sundarrajan, Farook Shaik, Nilay Mishra, Manikandan Rathinavelu, Muhammed R. Mohiuddin, Tarun Gupta
  • Patent number: 11501002
    Abstract: A protocol security system includes a protocol producer driver stored in a first memory range on a primary memory system, a protocol consumer driver stored on the primary memory system, and a firmware interface engine provided via the primary memory system. The firmware interface engine receives a protocol pointer from the protocol consumer driver, and identifies that the protocol pointer was provided by the protocol producer driver. If the firmware interface engine determines that the protocol pointer is not stored in the first memory range on the primary memory system, it generates a protocol security violation. If the firmware interface engine determines that the protocol pointer is stored in the first memory range on the primary memory system and points to an architectural protocol, it determines whether the protocol producer driver originated from a secondary memory system and, if not, generates a protocol security violation.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: November 15, 2022
    Assignee: Dell Products L.P.
    Inventors: Wei Liu, Po-Yu Cheng, Yu-Hsuan Yang
  • Patent number: 11503048
    Abstract: This disclosure describes techniques for identifying the criticality of an asset in a network. In an example method, a first security metric of a first asset in a network, as well as network data that identifies data flows associated with a second asset in the network are identified. The second asset is a nearest neighbor of the first asset in the network. The method includes determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period and generating a second security metric of the second asset based on the first security metric and the number of hosts. A security policy of the second asset is adjusted based on the security metric.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: November 15, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Travis Nathan Sugarbaker, Srivatsa Shripathi Modambu
  • Patent number: 11487877
    Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are fed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: November 1, 2022
    Assignee: CLEAN.IO, INC.
    Inventors: Alexey Stoletny, Seth Demsey, Iván Soroka
  • Patent number: 11481491
    Abstract: Virus scanning of container images can be managed. For example, container images can be received in a sequential order. The container images can then be analyzed to determine the contents of the container images. The container images can be arranged in a virus-scanning queue in an order that is different from the sequential order in which the container images were received based on the contents of the container images. The container images can then be scanned for viruses in the order in which the container images are arranged in the virus-scanning queue.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: October 25, 2022
    Assignee: RED HAT, INC.
    Inventors: Huamin Chen, Dennis Keefe
  • Patent number: 11483336
    Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the threat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.
    Type: Grant
    Filed: March 25, 2021
    Date of Patent: October 25, 2022
    Assignee: Sophos Limited
    Inventors: Sanjeev Kumar Maheve, Biju Ramachandra Kaimal, Venkata Suresh Reddy Obulareddy, Neha Parshottam Patel
  • Patent number: 11481684
    Abstract: A system and method for batched, supervised, in-situ machine learning classifier retraining for malware identification and model heterogeneity.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: October 25, 2022
    Assignee: BLUVECTOR, INC.
    Inventors: Scott B. Miserendino, Robert H. Klein, Ryan V. Peters, Peter E. Kaloroumakis
  • Patent number: 11481416
    Abstract: Mechanisms are provided for implementing a Question Answering (QA) system utilizing a trained generator of a generative adversarial network (GAN) that generates a bag-of-ngrams (BoN) output representing unlabeled data for performing a natural language processing operation. The QA system obtains a plurality of candidate answers to a natural language question, where each candidate answer comprises one or more ngrams. For each candidate answer, a confidence score is generated based on a comparison of the one or more ngrams in the candidate answer to ngrams in the BoN output of the generator neural network of the GAN. A final answer to the input natural language question is selected from the plurality of candidate answers based on the confidence scores associated with the candidate answers, and is output.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: October 25, 2022
    Assignee: International Business Machines Corporation
    Inventors: Dheeru Dua, Cicero Nogueira Dos Santos, Bowen Zhou
  • Patent number: 11476969
    Abstract: A distributed transmit platform deception network array system includes a plurality of platforms; each platform comprising at least one transmitter; wherein the platforms are in a geographically distributed configuration with respect to each other and at least one victim receiver; a propagating wavefront is generated by the transmitters of the plurality of platforms toward the at least one victim receiver according to deception target characteristics for each identified victim receiver; whereby the propagating wavefront is controlled, and a false location is determined by the victim receiver, whereby detection of a deception at alternate receiver locations is minimized by selection of characteristics of the transmitted waveform.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: October 18, 2022
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: John A. Tranquilli, Jr., Joshua D. Niedzwiecki
  • Patent number: 11470109
    Abstract: A computer implemented method of protecting a portion of a computer network from malware attack, the computer network including network connected devices organized into hierarchical subnets modelled by a tree data structure in which each subnet is represented as a node in the tree, each node having a connection to a parent node save for a root node, the method including performing protective actions on devices in subnets associated with a first subset of nodes to provide protection against the malware, prioritizing devices in the subnets associated with a second subset of nodes so as to provide a barrier of subnets protected against the malware to impede the propagation of the malware to devices in subnets associated with each of the first subset of nodes.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: October 11, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Xiao-Si Wang, Zhan Cui, Ian Herwono
  • Patent number: 11469976
    Abstract: A method for cloud-based, control-plane-event monitoring includes receiving control-plane events from a cloud-based element associated with a first and a second cloud environment. The received control-plane events are ingested from the cloud-based elements associated with the first and second cloud environments to generate a multiple-source data set from the control-plane events from the cloud-based elements associated with the first and second cloud environments. The multiple-source data set is then evaluated based on attributes of the first and second cloud environments in order to generate a common event data set. The common event data set is then processed using a rule set to generate an outcome.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: October 11, 2022
    Assignee: F5, Inc.
    Inventors: Joe Baker, Ryan Plessner, Dan Weiss, Nick Goodwin, Laura Haiduck, Daniel Kirsch
  • Patent number: 11470097
    Abstract: A global profile generation unit acquires a profile including, as an entry, information on parameter values for a combination of path parts and parameter names included in a normal HTTP request to a web server. When entries, in which the path parts are different but the parameter names are the same, are present in the acquired profile, the global profile generation unit generates a global profile in which the entries of the parameter names are aggregated in the acquired profile.
    Type: Grant
    Filed: February 16, 2018
    Date of Patent: October 11, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Shingo Orihara, Tohru Sato, Yohsuke Shimada, Yang Zhong, Yuta Iwaki
  • Patent number: 11468167
    Abstract: A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: October 11, 2022
    Assignee: PROOFPOINT, INC.
    Inventors: Theron D. Tock, Michael P. Horn
  • Patent number: 11461673
    Abstract: A system may include persistent storage configured to store: a shared classification model including a plurality of classifiers based on training data from a plurality of managed networks, and a representation of a plurality of software applications executable computing devices within a particular managed network. The system may also include a discovery application configured to perform operations including obtaining attributes of a software process. The operations may also include determining, by way of the shared classification model and based on the attributes, a suggested classifier of the plurality of classifiers and determining, by way of the suggested classifier and based on the attributes, a suggested classification for the software process.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: October 4, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Robert Bitterfeld, Aviya Aron, Asaf Garty, Bary Solomon
  • Patent number: 11461744
    Abstract: Techniques are disclosed relating to determining characteristics associated with attempts to request access to an online system. A security test that changes one or more parameters associated with accessing the online system may be implemented for a determined time interval. The parameters changed may include user interface parameters, security threshold parameters, and addresses of servlets in the online system. Access requests received during the security test may be compared to access requests received before and after the security test to determine characteristics of scripted access requests (e.g., automated attacks by one or more malicious users) and legitimate access requests to the online system. The present techniques enhance computer system security and can bolster network bandwidth by allowing malicious access requests to be more easily identified and filtered out.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: October 4, 2022
    Assignee: PayPal, Inc.
    Inventor: George Chen Kaidi
  • Patent number: 11444971
    Abstract: The present invention relates to a method for assessing the quality of network-related Indicators of Compromise comprising the phase of calculating, by a computerized data processing unit, a quality score for Indicators of Compromise of the IP Address type, the steps of assigning an autonomous system score of the IP Address according to a predefined range of values based on a database of autonomous system owners, assigning a subnet score of said IP Address according to a predefined range of values based on a database of subnet owners, assigning a services hosted score of the IP Address according to a predefined range of values based on known malicious services hosted by the IP Address before the phase of calculating the quality score, calculating the IP Address quality score as sum of the autonomous system score, subnet score and services hosted score and wherein the method comprises a phase of evaluating the calculated quality score comprises, for each of the Indicators of Compromise of the IP Address type,
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: September 13, 2022
    Assignee: Nozomi Networks Sagl
    Inventors: Ivan Speziale, Alessandro Di Pinto, Moreno Carullo, Andrea Carcano
  • Patent number: 11438371
    Abstract: First data indicative of information that a packet is part of a DDoS attack is received at a management network device. A DDoS remediation network device to be used for remediation of packets associated with the DDoS attack is determined from the first data. Second data, indicative of the DDoS attack and indicative of the DDoS remediation network device, is transmitted from the management network device to an edge network device. The second data is configured to cause the edge network device to route packets associated with the DDoS attack to the DDoS remediation network device.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: September 6, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Robert Edgar Barton, Jerome Henry, Muthurajah Sivabalan
  • Patent number: 11429728
    Abstract: A vulnerability evaluation apparatus includes an input unit configured to input a source code of a program to be evaluated, information indicating assets which are desired to be preserved and an attack accomplishment condition where the assets are not preserved, information indicating an attack determination position at which whether the condition where the assets are not preserved is satisfied can be determined, and input information for the program, an input position designating unit configured to designate an input position indicating a position at which the input information for the program is input, an attack determination position designating unit configured to designate the attack determination position, and an attack path analyzing unit configured to analyze a path from the attack determination position to the input position and specify an attack path where the attack accomplishment condition is satisfied.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: August 30, 2022
    Assignee: YAZAKI CORPORATION
    Inventors: Yosuke Maekawa, Shigeki Sano, Hiroaki Saji, Yoichi Komatsu, Yutaro Enomoto
  • Patent number: 11412005
    Abstract: A network device may receive a request to install a filter associated with an application identifier or a uniform resource locator (URL), and may add, based on the request, information identifying the filter to a list of filters associated with the network device. The network device may receive a packet destined for an endpoint device, may generate a copy of the packet, and may cause the packet to be forwarded to the endpoint device. The network device may perform deep packet inspection of the copy to identify a packet application identifier or a packet URL, and may determine whether the packet application identifier or the packet URL matches the application identifier or the URL. The network device may cause the copy of the packet to be forwarded to a content destination device when the packet application identifier or the packet URL matches the application identifier or the URL.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: August 9, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Sheeja J S
  • Patent number: 11411985
    Abstract: A system and method in accordance with example embodiments may include systems and methods for generating and transforming data presentation. The method may include receiving, using a processor, a request for a web page, and submitting, by the processor, the request to a computer server system. The request can include a user identification and a user password. The method may further include receiving, from the computer server system, data corresponding to the requested web page. Further, the method includes storing, in a memory, the received data, and causing the received data to be shown on a display associated with the user device.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: August 9, 2022
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventor: Christopher Marshall
  • Patent number: 11409862
    Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on verification of security invariants and legitimacy of security state transitions from the past historical state. Methods are provided for an application or OS kernel intrusion detection and prevention for unknown attack vectors and vulnerabilities based on additional security checks added to the software by means of live patching.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: August 9, 2022
    Assignee: Cloud Linux Software Inc.
    Inventor: Kirill Korotaev
  • Patent number: 11411721
    Abstract: The disclosed embodiments provide a distributed transaction system including a group of validator nodes that are known to each other in a network but are indistinguishable to other network nodes. The validator nodes form a Committee including a Leader node and one or more Associate nodes. The Committee may be dynamically changed, such that new network nodes may be added to the Committee or may replace existing validator nodes. The Associate nodes also may coordinate with each other to select a new Leader node. The disclosed embodiments reduce the distributed system's reliance on the stability of any particular node(s) in the network, as the validator nodes in the Committee may be changed at a sufficient frequency to remove unreliable, unavailable, or otherwise untrusted nodes. Further, the disclosed embodiments provide a scheme that helps ensure the Leader node, as well as the other Committee members, functions properly.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: August 9, 2022
    Assignee: Cypherium Blockchain Inc.
    Inventors: Yangrui Guo, Qiandong Yang, Hui Zhou, Weiqiang Lu, Sheng Zeng, Liang Yang, Sicong Zhuang
  • Patent number: 11403411
    Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: August 2, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Chris Allen Shenefiel, Robert Waitman, David McGrew, Blake Harrell Anderson
  • Patent number: 11405410
    Abstract: A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.
    Type: Grant
    Filed: June 11, 2019
    Date of Patent: August 2, 2022
    Assignee: Cyphort Inc.
    Inventors: Fengmin Gong, Alexander Burt, Frank Jas
  • Patent number: 11397822
    Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may: read a document; determine that the document includes executable instructions; execute the executable instructions of the document; determine if a security agent exists on an information handling system (IHS); if the security agent does not exist on the IHS, corrupt data of the document; if the security agent does exist on the information handling system: generate an array of bytes associated with multiple identifiers of multiple components of the IHS; determine a first hash value of the array of bytes and the document; retrieve a second hash value from the document; determine if the first hash value matches the second hash value; if the first hash value matches the second hash value, provide the data of the document to an application; and if not, corrupt the data of the document.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: July 26, 2022
    Assignee: Dell Products L.P.
    Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
  • Patent number: 11394533
    Abstract: A method for storing database security audit records, comprises: S1, when a database server recognizes an auditable event to generate one database security audit record, identifying the database security audit record with a hashed value so that each database security audit record corresponds to a unique hashed value respectively; S2, packaging multiple database security audit records into a database security audit record block; and S3, transmitting the database security audit record block in an encrypted way by adopting a peer-to-peer protocol for direct network communication between two nodes, and verifying an ownership of the database security audit record block. The disclosure has the beneficial effects that through an encryption mechanism and a consensus mechanism, storage of database security audit records is achieved in a peer-to-peer network, thereby ensuring that the database security audit records cannot be tampered and forged.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: July 19, 2022
    Assignee: General Data Technology Co., Ltd.
    Inventors: Xinquan Jia, Wenting Chen, Xuesong Wang, Xun Lv
  • Patent number: 11388200
    Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a common data format and standardized communication structure (e.g., using pre-established, cross-platform messaging), a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Examples are provided where an intrusion monitoring system (IMS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: July 12, 2022
    Assignee: ServiceNow, Inc.
    Inventor: Andreas Seip Haugsnes
  • Patent number: 11386170
    Abstract: A content engine may utilize a configuration management database (CMDB) to manage a configuration of a technology landscape. A curation manager 102 may utilize a plurality of article sources to provide, in collaboration with the content engine, a plurality of enriched articles that are specific to the technology landscape. The enriched articles enable an IT administrator using the content engine to execute IT administration duties in a fast, efficient, reliable, and timely manner.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: July 12, 2022
    Assignee: BMC Software, Inc.
    Inventors: Eric Michael Anderson, G S Narayan Iyer, Ajoy Kumar
  • Patent number: 11381593
    Abstract: A system and method for generating insights on distributed denial of service (DDoS) attacks are provided. The method includes receiving a plurality of data feeds from a plurality of data sources; processing the plurality of received data feeds to generate enriched data sets; and analyzing the enriched data sets to generate insights information about a DDoS attack that have been participated in at least one DDoS attack.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: July 5, 2022
    Assignee: Radware, Ltd.
    Inventors: Ehud Doron, Yotam Ben Ezra, David Aviv
  • Patent number: 11367022
    Abstract: Methods of evaluating and deploying machine learning models for anomaly detection of a monitored system and related systems. Candidate machine learning algorithms are configured for anomaly detection of the monitored system. For each combination of candidate machine learning algorithm with type of anomalous activity, training and cross-validation sets are drawn from a benchmarking dataset. Using each of the training and cross-validation sets, a machine-learning model is trained and validated using the cross-validation set with average precision as a performance metric. A mean average precision value is then computed across these average precision performance metrics. A ranking value is computed for each candidate machine learning algorithm, and a machine learning algorithm is selected from the candidate machine learning algorithms based upon the computed ranking values.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: June 21, 2022
    Assignee: Amadeus S.A.S.
    Inventors: Maria Zuluaga, David Renaudie, Rodrigo Acuna Agost
  • Patent number: 11368472
    Abstract: The present invention is provided with: a command acquisition unit that acquires a command related to operation of electronic data; a remote control unit that establishes a remotely controllable communication path with an execution environment in which the operation of the electronic data is to be executed, and transmits an execution instruction for executing the operation of the electronic data on the execution environment to the execution environment via the remotely controllable communication path; a data transmission unit that transmits the electronic data or the electronic data converted based on a predetermined algorithm to the execution environment; an execution history storage unit that stores the electronic data or the electronic data converted based on the predetermined algorithm for a predetermined period; and a malware detection unit that scans the electronic data stored or the electronic data converted based on the predetermined algorithm in the execution history storing unit to detect malware.
    Type: Grant
    Filed: December 28, 2016
    Date of Patent: June 21, 2022
    Assignee: DIGITAL ARTS INC.
    Inventors: Toshio Dogu, Noriyuki Takahashi, Shigeki Kimura, Takuya Matsumoto
  • Patent number: 11354414
    Abstract: A multi-engine malicious code scanning method for scanning data sets from a storage device is provided. The method includes, among other steps, obtaining at least one data set from a storage device and generating a single forensic image of the data set and also applying a recover data application to the data set to generate a single recovered data set. A scanning is initiated of the single forensic image and the single recovered data set using the selected plurality of malware engines, where each of the malware engines, installed on the independent operating systems of the virtual operating system may be run concurrently on the single forensic image and the single recovered data set. A report is generated combining each of the malware engines reporting the results of the scans.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: June 7, 2022
    Assignee: Forensic Scan, LLC
    Inventors: William R. Spernow, Daniel Garrie
  • Patent number: 11328058
    Abstract: A system for performing code security scan includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a plurality of identifiers each identifying a software security analysis tool of one of several categories, including SAST, DAST and OSA tools. The processor receives an identification of code to be scanned. The processor selects at least two identifiers from the plurality of identifiers. The at least two identifiers identify at least two select software security analysis tools for execution on the identified code. The processor receives an execution result from each select software security analysis tool after performing execution on the identified code. The processor aggregates the execution result from each select software security analysis tool. A user interface displays an aggregation of the execution result from each select software security analysis tool.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: May 10, 2022
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventor: Adam James Youngberg
  • Patent number: 11323270
    Abstract: The present disclosure relates to a security risk warning system that a recipient may acknowledge and act accordingly. Security insights may be provided explicitly in a security insight panel that may clearly identify vulnerabilities specific to a particular authenticable communication. This may limit risk that a recipient would ignore or not understand the risk. Security insights may be provided for a combination of indicated source, recipients, and content, such as links, text, attachments, and images. Security insights may be provided on site, such as on or proximate to the reviewed portions of the authenticable communication.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: May 3, 2022
    Inventors: Benjamin Finke, Christopher Freedman
  • Patent number: 11308059
    Abstract: A computer implemented method for storing and retrieving data elements in a computer memory comprises configuring, by a processor, the computer memory according to a data structure, the data structure including: a data element array including a plurality of sorted data elements, each data element associated with a position in the data element array; and a cluster element array including one or more cluster elements, each cluster element defined by one of one data element from the data element array or a plurality of continuous data elements from the data element array, wherein each cluster element is associated with a cluster code for determining the position of one or more data elements in the data element array, the cluster code correlating each data element defining the cluster element with the position of the data element in the data element array.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: April 19, 2022
    Assignee: Chicago Mercantile Exchange Inc.
    Inventors: Priteshkumar Soni, Sandeep Sreekumar
  • Patent number: 11308227
    Abstract: The SECURE DYNAMIC PAGE CONTENT AND LAYOUTS APPARATUSES, METHODS AND SYSTEMS (“DPCL”) transform dynamic layout template requests, device, user, and surroundings security profiles, and layout usage monitor packages using DPCL components into customized secure dynamic layouts. In some implementations, the disclosure provides a processor-implemented method of transforming the content of an electronically generated user facing page for displaying on a user display.
    Type: Grant
    Filed: February 25, 2019
    Date of Patent: April 19, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Stephen W. Cote
  • Patent number: 11240262
    Abstract: Computerized techniques to determine and verify maliciousness of an object by a security logic engine are described. A method features receiving information pertaining to a first set of events associated with a first object (first information) from an endpoint and information pertaining to a second set of events associated with a second object (second information) from an analysis system. Thereafter, the likelihood of the cyber-attack being conducted on the network is determined by at least correlating the first information and the second information with at least events associated with known malicious objects. Any endpoints vulnerable to the cyber-attack are identified based on a configuration of each of the plurality of endpoints and requesting the analysis system to conduct one or more further analyses in accordance with at least a software profile identified in a configuration of the first endpoint of the plurality of endpoints identified as vulnerable.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: February 1, 2022
    Assignee: FireEye Security Holdings US LLC
    Inventors: Ashar Aziz, Osman Abdoul Ismael
  • Patent number: 11222113
    Abstract: Methods and systems are provided for automatically generating malware definitions and using generated malware definitions. One example method generally includes receiving information associated with a malicious application and extracting malware strings from the malicious application. The method further includes filtering the malware strings using a set of safe strings to produce filtered strings and scoring the filtered strings to produce string scores by evaluating words of the filtered strings based on word statistics of a set of known malicious words. The method further includes selecting a set of candidate strings from the filtered strings based on the string scores and generating a malware definition for the malicious application based on the set of candidate strings. The method also includes performing one or more security actions to protect against the malicious application, using the malware definition.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: January 11, 2022
    Assignee: CA, INC.
    Inventors: Weiliang Li, Zhicheng Zeng
  • Patent number: 11222111
    Abstract: This disclosure provides techniques for pooling and searching network security events reported by multiple sources. As information representing a security event is received from one source, it is searched against a central or distributed database representing events reported from multiple, diverse sources (e.g., different client networks). Either the search or correlated results can be filtered and/or routed according to at least one characteristic associated with the networks, for example, to limit correlation to events reported by what are presumed to be similarly situated networks. The disclosed techniques facilitate faster identification of high-relevancy security event information, and thereby help facilitate faster threat identification and mitigation. Various techniques can be implemented as standalone software (e.g., for use by a private network) or for a central pooling and/or query service. This disclosure also provides different examples of actions that can be taken in response to search results.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: January 11, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Richard Reybok, Andreas Seip Haugsnes, Kurt Joseph Zettel, II, Jeffrey Rhines, Henry Geddes, Volodymyr Osypov, Scott Lewis, Sean Brady, Mark Manning
  • Patent number: 11216558
    Abstract: Detecting malwares in data streams of interest. In an embodiment, for each malware signature of interest, a malware sub-pattern that is likely to occur at low frequencies in clean data streams is identified. When scanning a data stream for malwares, each portion of the data stream is examined for match with a malware sub-pattern of a malware signature. If there is no match with any portion of the data stream, it is concluded that the data stream is free of a first malware corresponding to the malware signature. If there is a match with a first portion of the data stream, the data stream is examined around the first portion for the malware signature, wherein the data stream is concluded to contain the first malware if the data stream around the first portion is found to match the malware signature.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: January 4, 2022
    Assignee: Quick Heal Technologies Limited
    Inventors: Yogesh Khedkar, Harshad Bhujbal
  • Patent number: 11218495
    Abstract: A method for resisting spread of unwanted code and data without scanning incoming electronic files for unwanted code and data, the method comprising the steps, performed by a computer system, includes receiving, at the computer system, an incoming electronic file containing content data encoded and arranged in accordance with a predetermined file type corresponding to a set of rules, determining a purported predetermined file type of the incoming electronic file by analysing the encoded and arranged content data, the purported predetermined file type and the associated set of rules specifying allowable content data for the purported predetermined file type, parsing the content data by dividing the content data into separate parts in accordance with a predetermined data format identified by the associated set of rules corresponding to the purported predetermined file type and determining nonconforming data in the content data by identifying content data that does not conform to the purported predetermined file
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: January 4, 2022
    Assignee: Glasswall (IP) Limited
    Inventor: Nicholas John Scales
  • Patent number: 11210396
    Abstract: A behavioral malware detection involves extracting features from prefetch files, wherein prefetch files; classifying and detecting benign applications from malicious applications using the features of the prefetch files; and quarantining malicious applications based on the detection.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: December 28, 2021
    Assignees: Drexel University, Temple University
    Inventors: Bander Mohamed Alsulami, Spiros Mancoridis, Avinash Srinivasan
  • Patent number: 11204952
    Abstract: Various technologies described herein pertain to detecting contextual anomalies in a behavioral network. Label propagation can be performed to construct contexts and assign respective context membership scores to users. Each context can be a respective subset of the users expected to have similar resource usages. The contexts can be constructed and the context membership scores can be assigned by combining behavioral information and contextual side information. The behavioral information can specify respective resource usages by the users within the behavioral network. Moreover, respective contextual anomaly scores for the users can be computed based on the respective context membership scores assigned to the users and the contextual side information. Further, the contextual anomalies can be detected from the contextual anomaly scores.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: December 21, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Xiang Wang, Bo Thiesson, Jack Wilson Stokes, III, Edward Wilkins Hardy, Jonathan Andreas Espenschied
  • Patent number: 11196759
    Abstract: Embodiments provide for a security information and event management (SIEM) system utilizing distributed agents that can intelligently traverse a network to exfiltrate data in an efficient and secure manner. A plurality of agent devices can dynamically learn behavioral patterns and/or service capabilities of other agent devices in the networking environment, and select optimal routes for exfiltrating event data from within the network. The agent devices can independently, selectively, or collectively pre-process event data for purposes of detecting a suspect event from within the network. When a suspect event is detected, agent devices can select a target device based on the learned service capabilities and networking environment, and communicate the pre-processed event data to the target device. The pre-processed event data is thus traversed through the network along an optimal route until it is exfiltrated from the network and stored on a remote server device for storage and further analysis.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: December 7, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Peter A. Thayer, Jagannathan Deepak Manohar, Jason Matthew Conradt, Karthik Selvaraj, Donald J. Ankney
  • Patent number: 11196758
    Abstract: Systems and methods for enabling automated log analysis with controllable resource requirements are provided. A training set for log pattern learning is generated based on heterogeneous logs generated by a computer system. An incremental learning process is implemented to generate a set of log patterns from the training set. The heterogeneous logs are parsed using the set of log patterns. A set of applications is applied to the parsed logs.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: December 7, 2021
    Inventors: Hui Zhang, Jianwu Xu, Biplob Debnath
  • Patent number: 11190536
    Abstract: A method of scanning website vulnerability comprising: reading a vulnerability scan task in a scan task pool; finding a website corresponding to the vulnerability scan task, acquiring access data of the website, and obtaining a popularity coefficient of the website according to the access data; acquiring historical vulnerability scan data and a vulnerability risk level table, and obtaining a security risk coefficient of the vulnerability scan task according to the historical vulnerability scan data and the vulnerability risk level table; acquiring update time data of the vulnerability scan task, and calculating a time coefficient of the vulnerability scan task according to the update time data; inputting the popularity coefficient, the security risk coefficient, and the time coefficient into a preset priority evaluation model for processing, and obtaining an execution priority weight of the vulnerability scan task; and executing vulnerability scan tasks in the scan task pool in descending order according to t
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: November 30, 2021
    Assignee: PING AN TECHNOLOGY (SHENZHEN) CO., LTD.
    Inventor: Shuangning He
  • Patent number: 11188635
    Abstract: A file authentication method and apparatus are provided in the embodiments of this application. File digest data is extracted from a file that includes an installation package of an application. The file digest data identifies file information of the file. A feature character string of the file is generated based on the file digest data. File information of a target file is determined from a feature database based on the feature character string of the file. The target file matches the feature character string of the file, the feature database stores at least file information and feature character strings of a plurality of genuine files, and the file information of the target file and the file information of the plurality of genuine files include at least a certificate feature value. The file is authenticated according to the file information of the target file and the file information of the file.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: November 30, 2021
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Wu Huang
  • Patent number: 11176467
    Abstract: Various embodiments are provided for providing data security in a computing environment. Data may be inspected during a write operation or a read operation and selected data from the data may be filtered according to one or more data security policies or rules prior to sending the plurality of data to or receiving the plurality of data from a shared computing file system.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: November 16, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Spyridon Antonatos, Stefano Braghin, Konstantinos Katrinis, Andrea Reale
  • Patent number: 11170105
    Abstract: Verifying authenticity of software updates is provided. An update executable and an update behavior profile corresponding to a software update are hashed using a cryptographic hash function. A hash of the update executable and the update behavior profile is signed using a private key to form a hashed update digital signature.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: November 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jia Jun Brandon Lum, Alaa S. Youssef