Computer Virus Detection By Cryptography Patents (Class 713/188)
  • Patent number: 11159485
    Abstract: A communication system includes a communication control apparatus, and one or more communication processing apparatuses, which reside on a network.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: October 26, 2021
    Assignee: RICOH COMPANY, LTD.
    Inventor: Ryusuke Mayuzumi
  • Patent number: 11146583
    Abstract: The presently disclosed technology provides a threat-specific network risk evaluation tailored to a client's security objectives. The present technology may include identifying a plurality of threats to a first component of a networked system and assigning a plurality of weighting values to the plurality of threats according to the client's security objectives. The present technology may include identifying a plurality of vulnerabilities of the first component and determining a set of relevant threats for the first vulnerability based on the nature of the vulnerability and the weighting values assigned to the plurality of threats. The set of relevant threats includes one or more of the plurality of threats. The present technology may include determining a set of relevant threats for each of the identified vulnerabilities of the first component and calculating a risk of the first component based on the sets of the relevant threats.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: October 12, 2021
    Assignees: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT, QATAR UNIVERSITY
    Inventors: Armstrong Nhlabatsi, Jin Hong, Dong Seong Kim, Rachael Fernandez, Alaa Hussein, Noora Fetais, Khaled M. Khan
  • Patent number: 11120169
    Abstract: The disclosed computer-implemented method for identifying malware locations based on analyses of backup files may include (i) identifying a presence of a backup file set and (ii) performing a security action that may include (a) detecting, based on a scan of the backup file set, malware in the backup file set, (b) determining, based on a location of the malware in a system file structure of the backup file set, a subgraph of the system file structure of the backup file set that includes the malware, (c) identifying a string prefix for the subgraph of the system file structure of the backup file set, (d) using an index to cross-reference the string prefix to a pointer identifying a subgraph of an original file set, and (e) scanning a file in the subgraph of the original file set for the malware. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: September 14, 2021
    Assignee: NortonLifeLock Inc.
    Inventor: Bruce McCorkendale
  • Patent number: 11122014
    Abstract: A user device stores a messaging application and an encrypted database, processor and has a key store storing an authorisation token to be used by the messaging application. The messaging application is configured, in the unlaunched state, to retrieve the authorisation token from the key store to perform communication with the messaging server on receipt of an incoming call from the messaging server and to display a notification without contact information, and is configured, in the launched state, on receipt of an incoming call from the messaging server to retrieve the authorisation token from volatile memory to perform communication with the messaging server, and to display a notification of the incoming call with contact information for a calling party, on the display of the user device. The encryption key for the database is generated based on a user passcode, and the user device stores neither the user's passcode nor a hash of the passcode.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: September 14, 2021
    Assignee: V440 SPÓŁKA AKCYJNA
    Inventors: Kamil Kaczyński, Michał Glet
  • Patent number: 11102010
    Abstract: The present disclosure relates to a security risk warning system that a recipient may acknowledge and act accordingly. Security insights may be provided explicitly in a security insight panel that may clearly identify vulnerabilities specific to a particular authenticable communication. This may limit risk that a recipient would ignore or not understand the risk. Security insights may be provided for a combination of indicated source, recipients, and content, such as links, text, attachments, and images. Security insights may be provided on site, such as on or proximate to the reviewed portions of the authenticable communication.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: August 24, 2021
    Inventors: Benjamin Finke, Christopher Freedman
  • Patent number: 11095690
    Abstract: Techniques and mechanisms are disclosed enabling efficient collection of forensic data from client devices, also referred to herein as endpoint devices, of a networked computer system. Embodiments described herein further enable correlating forensic data with other types of non-forensic data from other data sources. A network security application described herein further enables generating various dashboards, visualizations, and other interfaces for managing forensic data collection, and displaying information related to collected forensic data and information related to identified correlations between items of forensic data and other items of non-forensic data.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: August 17, 2021
    Assignee: Splunk Inc.
    Inventor: Brian Luger
  • Patent number: 11086994
    Abstract: Priority scanning of files written by malicious users in a data storage system is described herein. A data storage system as described herein can include a user lookup component that obtains identities of users that have made at least one modification to a first file stored on the data storage system, resulting in a set of modifying users; a comparison component that compares respective modifying users of the set of modifying users to respective malicious users of a set of malicious users; and a scan priority component that, in response to the comparison component identifying at least one match between a modifying user of the set of modifying users and a malicious user of the set of malicious users, assigns a first scan priority to the first file that is higher than a second scan priority assigned to a second, different file stored on the data storage system.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: August 10, 2021
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Jai Prakash Gahlot, Amit Kumar Chauhan, Shiv Shankar Kumar
  • Patent number: 11080399
    Abstract: A system and method for implementing a software emulation environment is provided. In one example, a mobile application can interface with an emulation environment that can be used to test whether the mobile application includes malware that can compromise the security and integrity of an enterprise's computing infrastructure. When the mobile application issues a call for data, a device mimic module can intercept the call and determine if the call includes a call for one or more checkable artifacts that can reveal the existence of the emulation environment. If such a call for data occurs, the device mimic module can provide one or more spoofed checkable artifacts that have been recorded from a real-world mobile device. In this way, the existence of the emulation environment can be concealed so as to allow for a more thorough analysis of a mobile application for potential hidden malware.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: August 3, 2021
    Assignee: The MITRE Corporation
    Inventors: David Keppler, Ivan Lozano, Joseph Portner, Andrew Pyles, Christina L. Johns, David Bryson
  • Patent number: 11074043
    Abstract: Methods, systems and computer program products for providing automated script review utilizing crowdsourced inputs are provided. Aspects include receiving a new script including a script text and a script description. Aspects include comparing the new script to each of a plurality of previously classified scripts to determine a degree of similarity. Each of the previously classified scripts and the new script have an associated set of attributes. Responsive to determining that the degree of similarity is below a predetermined threshold, aspects include mapping the new script to a crowdsourcing platform to identify a similar script. Aspects also include receiving information indicative of one or more features from the crowdsourcing platform. Responsive to inputting the one or more features into an acceptance model, aspects include generating an acceptance recommendation associated with the new script.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: July 27, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Muhammed Fatih Bulut, Anup Kalia, Maja Vukovic, Raghav Batta, Jinho Hwang, Jin Xiao, Rohit Madhukar Khandekar
  • Patent number: 11057420
    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: July 6, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Andrew Zawadowskiy, Donovan O'Hara, Saravanan Radhakrishnan, Tomas Pevny, Daniel G. Wing
  • Patent number: 11017884
    Abstract: The inventive subject matter provides apparatus, systems, and methods that improve on the pace of discovering new practical information based on large amounts of datasets collected. In most cases, anomalies from the datasets are automatically identified, flagged, and validated by a cross-validation engine. Only validated anomalies are then associated with a subject matter expert who is qualified to take action on the anomaly. In other words, the inventive subject matter bridges the gap between the overwhelming amount of scientific data which can now be harvested and the comparatively limited amount of analytical resources available to extract practical information from the data. Practical information can be in the form of trends, patterns, maps, hypotheses, or predictions, for example, and such practical information has implications in medicine, in environmental sciences, entertainment, travel, shopping, social interactions, or other areas.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: May 25, 2021
    Assignee: Nant Holdings IP, LLC
    Inventor: Patrick Soon-Shiong
  • Patent number: 11005879
    Abstract: Peer device protection enables a first device comprising a digital security agent to remedy security issues on (or associated with) a set of devices visible to the first device. The first device, which may comprise a digital security agent, may identify a set of devices visible to the first device. The first device may monitor the set of devices to collect data, such as types of communications and data points of interest. The digital security agent may apply threat detection to the collected data to identify anomalous network behavior. When anomalous network behavior is detected, the first device may cause an indicator of compromise (IOC) to be generated. Based on the IOC, the first device may facilitate remediation of the anomalous network behavior and/or apply security to one or more devices in the set of devices.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: May 11, 2021
    Assignee: Webroot Inc.
    Inventor: Paul Barnes
  • Patent number: 10999467
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for context-adaptive scanning of digital components. In one aspect, a method comprises: selecting a given digital component from among a plurality of digital components based on a current scanning priority of the given digital component; scanning the given digital component, comprising determining a current state of the given digital component; determining a current context of the given digital component based on one or more of: (i) the current state of the given digital component, or (ii) a current scan index of the given digital component that specifies a number of times the given digital component has been scanned; determining an updated scanning priority of the given digital component based on the current context of the given digital component; and re-scanning the given digital component according to the updated scanning priority.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: May 4, 2021
    Assignee: Google LLC
    Inventors: Oleg Golubitsky, Dake He
  • Patent number: 10992703
    Abstract: A security server receives a full hash and a set of subhashes from a client. The security server determines that the full hash is whitelisted. The security server updates, for each subhash in the set of subhashes, an associated clean count. The security server adds a subhash to a subhash whitelist responsive to an associated clean count exceeding a threshold. The security server receives a second set of subhashes. The security server determines whether at least one of the subhashes in the second set of subhashes is included in the subhash whitelist. The security server reports to the client based on the determination.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: April 27, 2021
    Assignee: Malwarebytes Inc.
    Inventors: Douglas Stuart Swanson, Mina Yousseif, Jon-Paul Lussier, Jr.
  • Patent number: 10984103
    Abstract: An example implementation of the present techniques determines, in response to a request to download a resource, whether the resource has previously been determined to comprise malware. Additionally, it is determined, if the resource has previously been determined to comprise malware, whether the resource has changed since the previous determination. Further the request to download the resource is terminated if the resource has not changed.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: April 20, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Ramesh Ardeli
  • Patent number: 10972495
    Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: April 6, 2021
    Assignee: Invincea, Inc.
    Inventor: Konstantin Berlin
  • Patent number: 10963566
    Abstract: Implementations described herein disclose a malware sequence detection system for detecting presence of malware in a plurality of events. An implementation of the malware sequence detection includes receiving a sequence of a plurality of events, and detecting presence of a sequence of malware commands within the sequence of a plurality of events by dividing the sequence of plurality of events into a plurality of subsequences, performing sequential subsequence learning on one or more of the plurality of subsequences, and generating a probability of one or more of the plurality of subsequences being a malware based on the output of the sequential subsequence.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: March 30, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rakshit Agrawal, Jack Wilson Stokes, III, Karthik Selvaraj, Adrian M. Marinescu
  • Patent number: 10965703
    Abstract: A computer-implemented method, computer program product and computing system for: utilizing artificial intelligence/machine learning to define a training routine for a specific attack of a computing platform; and generating a simulation of the specific attack by executing the training routine within a controlled test environment.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: March 30, 2021
    Assignee: ReliaQuest Holdings, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 10956151
    Abstract: An example method for determining a software classification is provided. The example method may include determining a plurality of substream boundaries including a first substream boundary within a representation of a software binary, and segmenting the representation of the software binary into a plurality of substreams. The example method may further include generating a first count string for a first substream based on operational class token counts in a tokenization of the first substream, where the tokenization of the first substream may be based on a mapping of commands within the first substream to operational classes. The example method may further include performing a first count string comparison with a reference database to determine a first count string match, where the first count string comparison is based on the first count string, and classifying the software binary based on the first count string match.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: March 23, 2021
    Assignee: The Johns Hopkins University
    Inventors: Margaret F. Lospinuso, Sakunthala Harshavardhana, Laura J. Glendenning, Kathleen N. McGill, Robert M. Seng, Tzuhsiu Chiou, Sterling E. Vinson
  • Patent number: 10944768
    Abstract: Systems and methods are provided for generating samples of network traffic and characterizing the samples to easily identify exploits. A first embodiment of the present disclosure can generate traffic between a sample generator and the target computing device based on a particular exploit. The traffic can be a plurality of samples of the exploit using an exploit script. The method can provide for collecting and storing the plurality of samples. These samples can then be used to characterize the exploit by identifying invariant portions and variable portions of the samples. The method can further provide for removing any artifacts from the samples. Regular expressions can be constructed based on the samples. Each regular expression can be tested and ranked according to metrics of efficiency and accuracy.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: March 9, 2021
    Assignee: PETABI, INC.
    Inventors: Victor C. Valgenti, Ya-Wen Lin, Atsuhiro Suzuki, Min Sik Kim
  • Patent number: 10931706
    Abstract: A method for detecting and/or identifying a cyber-attack on a network can include segmenting the network using a segmentation method with machine learning to generate one or more network segments; assigning a score to a data point within each network segment based on a presence or absence of an identified anomalous behavior of the data point; analyzing network data flow, via behavioral modeling, to provide a context for characterizing the anomalous behavior; combining, via a reinforcement learning agent, outputs of the segmentation method with behavioral modelling and assigned score to detect and/or identify a cyber-attack; providing one or more alerts to an analyst; receiving an analyst assessment of an effectiveness of the detection and/or identification; and providing the analyst assessment as feedback to the reinforcement learning agent.
    Type: Grant
    Filed: March 10, 2020
    Date of Patent: February 23, 2021
    Assignee: BOOZ ALLEN HAMILTON INC.
    Inventors: Aaron Sant-Miller, Andre Tai Nguyen, William Hall Badart, Sarah Olson, Jesse Shanahan
  • Patent number: 10922405
    Abstract: A system includes identification of a data source of a production environment, the data source storing authentic data, generation of simulated data of the data source, reception of a request for data of the data source from a requesting system in the production environment and, in response to the received request, providing of the simulated data to the requesting system. In some aspects, the simulated data is provided to the requesting system if it is determined that the request is related to an electronic attack, and the authentic data of the data source is provided to the requesting system if it is not determined that the request is related to an electronic attack.
    Type: Grant
    Filed: November 1, 2017
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Elad Yom-Tov, Hani Hana Neuvirth, Ron Matchoro, Nir Rosenfeld
  • Patent number: 10909243
    Abstract: Systems and methods for normalizing entry point instructions include receiving a scope of instructions starting at an entry point of executable code. For each instruction in the scope of instructions, a determination is made if the instruction performs an ineffective operation or if the instruction, in combination with another instruction, renders either or both instructions ineffective. Ineffective instructions are filtered such that they do not appear in an output buffer.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: February 2, 2021
    Assignee: Avast Software s.r.o.
    Inventor: Zdeněk Breitenbacher
  • Patent number: 10896256
    Abstract: Apparatus and methods describe herein, for example, a process that can include receiving a potentially malicious file, and dividing the potentially malicious file into a set of byte windows. The process can include calculating at least one attribute associated with each byte window from the set of byte windows for the potentially malicious file. In such an instance, the at least one attribute is not dependent on an order of bytes in the potentially malicious file. The process can further include identifying a probability that the potentially malicious file is malicious, based at least in part on the at least one attribute and a trained threat model.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: January 19, 2021
    Assignee: Invincea, Inc.
    Inventors: Joshua Daniel Saxe, Konstantin Berlin
  • Patent number: 10891373
    Abstract: A technique includes determining pairwise relationships among entities associated with a first electronic mail organization and entities associated with a second electronic mail organization. The technique includes controlling receipt of an electronic message originating from a sender associated with the first email organization based on the determined pairwise relationships.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: January 12, 2021
    Assignee: Micro Focus LLC
    Inventor: Darren Humphries
  • Patent number: 10891378
    Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: January 12, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ning Sun, Patrick Winkler, Chengyun Chu, Hong Jia, Jason Geffner, Tony Lee, Jigar Mody, Frank Swiderski
  • Patent number: 10885188
    Abstract: There is provided a method of reducing false positive rate by using available contextual information on any sample, such as file name of the sample at a client machine, file path folder structure of the sample at client machine, download location of the sample and others, thus narrowing down the search space in first step of generic statistical classification and introducing new specific classifiers deliberately trained for each case.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: January 5, 2021
    Inventor: Berker Batur
  • Patent number: 10887342
    Abstract: Provided are methods and systems for mitigating a distributed denial of service (DDoS) event. The method may commence with sending a request to a health monitor concerning a state of a network. The method may continue with attributing a lack of response to the request from the health monitor to be an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. The collapsible virtual data circuit may be designed to collapse in response to the DDoS event in the network. The method may include redirecting the network data traffic associated with the collapsible virtual data circuit based on the indication of the collapse of the collapsible virtual data circuit.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: January 5, 2021
    Assignee: A10 Networks, Inc.
    Inventors: Micheal Thompson, Vernon Richard Groves
  • Patent number: 10885208
    Abstract: A content management system for collecting files from one or more submitters in a collection folder. A collector, who generates the collection folder, can invite one or more submitters to submit one or more files to the collection folder. The submitted files are scanned for malicious content. The one or more submitters have limited rights to the collection folder. The limited rights can include uploading rights and prohibiting a submitter from viewing files that other submitters associated with the collection folder submitted. Thus, the collection folder is able to store files from the one or more submitters, but prevent them from viewing other's submissions.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: January 5, 2021
    Assignee: Dropbox, Inc.
    Inventors: Mindy Zhang, Pranav Piyush
  • Patent number: 10872147
    Abstract: A software detection device, the device including a memory and a processor coupled to the memory and the processor configured to execute a process, the process including generating at least one notification in response to at least one countermeasure process applied to a program to address a vulnerability to a software attack, each of the at least one notification including a countermeasure identifier to identify a countermeasure process performed, monitoring the at least one generated notification, and determining presence of the software attack based on the monitoring.
    Type: Grant
    Filed: November 22, 2017
    Date of Patent: December 22, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Kazuyoshi Furukawa, Masahiko Takenaka, Hirotaka Kokubo
  • Patent number: 10867043
    Abstract: Disclosed herein are systems and methods for generating a request for information on a file to perform an antivirus scan. In one aspect, an exemplary method comprises, intercepting the file, synchronously calculating a first hash of a portion of the file, searching in a verdict cache, when the hash is found, determining whether the hash belongs to a list of malicious files, when it belongs to the list of malicious files, synchronously calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to harmfulness of the file, when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for information about the file, calculating a second hash, searching for the information in a verdict cache, and pronouncing a decision as to harmfulness of the file.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: December 15, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Denis O. Vlaznev, Sergey V. Kubrin
  • Patent number: 10868818
    Abstract: According to one embodiment, a malware detection and visualization system includes one or more processors; and a storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, that accesses a first set of information that comprises (i) information directed to a plurality of observed events and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of observed events; and generates a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of observed events, a second event of the plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein at least one of (i) the plurality of observed events or (ii) the one or more relationships constitutes an anomalous behavior is provided.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: December 15, 2020
    Assignee: FireEye, Inc.
    Inventors: Hirendra Rathor, Kaushal Dalal, Anil Gupta
  • Patent number: 10855707
    Abstract: A security system using automatic and scalable log pattern learning in security log analysis is provided. The security system includes one or more management services configured to generate security logs, and a security log analysis service operatively coupled to the one or more management services. The security log analysis service is configured to collect the security logs generated by the one or more management services, implement an incremental learning process to generate a set of log patterns from the collected security logs, parse the collected security logs using the set of log patterns, and analyze the parsed security logs for one or more security applications.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: December 1, 2020
    Inventors: Hui Zhang, Jianwu Xu, Bo Zong
  • Patent number: 10848397
    Abstract: A system featuring a cloud-based malware detection system for analyzing an object to determine whether the object is associated with a cyber-attack. Herein, a subscription review service comprises a data store storing subscription information. The subscription information includes an identifier for the customer and one or more identifiers each associated with a corresponding customer submitter operable to submit an object to the cloud-based malware detection system for analysis. The first customer submitter receives credentials provided by the subscription review service to establish communications with the cloud-based malware detection system.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: November 24, 2020
    Assignee: FireEye, Inc.
    Inventors: Mumtaz Siddiqui, Manju Radhakrishnan
  • Patent number: 10826324
    Abstract: Mitigation of gratuitous conditions on an electric power delivery system is disclosed herein. Intelligent electronic devices (IEDs) may take actions on the electric power delivery system based on commands received via communications channels and based on detected electrical conditions. When a gratuitous condition (such as a cyber attack) is detected, a block command is provided to the IEDs such that the IEDs do not effect actions corresponding with commands received over a communications system. Communications may pass through a condition monitor of a communications device to detect insecurity and either block the communications or command the IED to enter interlock mode.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: November 3, 2020
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventor: David J. Dolezilek
  • Patent number: 10826904
    Abstract: Embodiments are directed to a computing device having execution hardware including at least one processor core, and non-volatile memory that stores a verification module and a private symmetric key unique to the computing device. The verification module, when executed on the execution hardware, causes the execution hardware to perform pre-execution local authenticity verification of externally-supplied code in response to a command to launch that code. The local authenticity verification includes computation of a cryptographic message authentication code (MAC) of the externally-supplied code based on the private symmetric key, and verification of the MAC against a stored local authenticity verification value previously written to the non-volatile memory. In response to a positive verification of the MAC, execution of the externally-supplied code is permitted.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: November 3, 2020
    Assignee: Intel Corporation
    Inventor: Ernie F. Brickell
  • Patent number: 10812466
    Abstract: Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.
    Type: Grant
    Filed: May 5, 2015
    Date of Patent: October 20, 2020
    Assignee: McAfee, LLC
    Inventors: Balbir Singh, Preet Mohinder, Manish Sharma, Rahul Chandra Khali
  • Patent number: 10776095
    Abstract: A secure live media boot system includes a BIOS that is coupled to a storage subsystem and a non-volatile memory system. The BIOS receives an operating system image. Prior to installing an operating system on a computing device using the operating system image, the BIOS performs a first measurement action on the operating system image to produce a first operating system measurement that it stores in the non-volatile memory system. The BIOS also stores a read-only version of the operating system image on the storage subsystem. The BIOS subsequently receives a request to install the operating system on the computing device and, in response, performs a second measurement action on the operating system image in order to produce a second operating system measurement. If the BIOS determines that the second operating system measurement matches the first operating system measurement, the BIOS installs the operating system on the computing device.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: September 15, 2020
    Assignee: Dell Products L.P.
    Inventor: Dirie N. Herzi
  • Patent number: 10769267
    Abstract: A computer-implemented method for controlling access to credentials may include (i) maintaining, by a computing device, a set of applications for which attempting to access digital credentials comprises anomalous behavior, (ii) monitoring, by the computing device, each application within the set of applications for attempts to access digital credentials, (iii) automatically detecting, while monitoring for attempts to access digital credentials, an attempt of an application in the set of applications to access a digital credential, and (iv) performing, in response to detecting the attempt to access the digital credential, a security action to secure the digital credential. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: September 8, 2020
    Assignee: CA, Inc.
    Inventors: Feng Li, Adam Glick, Brian Schlatter, Akshata Krishnamoorthy Rao
  • Patent number: 10762206
    Abstract: A method comprises, based on receiving a request to analyze at least a first mobile application, scheduling the request for a first sandbox. The first mobile application is analyzed based on the request, wherein the analysis of the first mobile application comprises performing a behavioral analysis of the first mobile application within the first sandbox and performing a static analysis of the first mobile application. A first feature vector is generated based on data resulting from the analysis of the first mobile application. The first mobile application is determined to comprise malware based, at least in part, on comparing the first feature vector with at least a second feature vector, wherein the second feature vector was generated based on at least one of a static analysis and a behavioral analysis of malware.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: September 1, 2020
    Assignee: Veracode, Inc.
    Inventors: Theodora H. Titonis, Nelson R. Manohar-Alers, Christopher J. Wysopal
  • Patent number: 10755334
    Abstract: Systems and methods for machine learning and adaptive optimization are provided herein. A method includes continually receiving input that is indicative of client events, including client behaviors and respective outcomes of software trials of a product maintained in a database, continually segmenting open opportunities using the client behaviors and respective outcomes, continually scoring and prioritizing the open opportunities using the client behaviors and respective outcomes for targeting and re-targeting, continually adjusting targeted proposals to open opportunities and sourcing in prospects based on a targeting scheme, continually presenting targeted offers to create expansion opportunities and updating a product roadmap of the product using the open opportunities, the product roadmap including technical specifications for the product.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: August 25, 2020
    Assignee: vArmour Networks, Inc.
    Inventors: Timothy Eades, Eva Tsai, Randy Magliozzi, Namson Tran
  • Patent number: 10742674
    Abstract: Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which allows in-network and network-border protection for Internet of things (IoT) devices by securely partitioning network space and defining service-based access to IoT devices. The disclosed segmented attack prevention system for IoT networks (SAPSIN) segments the IoT network into two virtual networks: a service network and a control network; and defines access control rules for each virtual network. In the service network, SAPSIN utilizes a service-based approach to control device access, allowing only configured protocols, applications, network ports, or address groups to enter or exit the network. In the control network, SAPSIN provides the access control rules by defining a threshold for the number of configuration requests within a predetermined time. As a result, SAPSIN protects IoT devices against intrusion and misuse, without the need for device-specific software or device-specific security hardening.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: August 11, 2020
    Assignee: Architecture Technology Corporation
    Inventors: Ian McLinden, Timothy Hartley
  • Patent number: 10740460
    Abstract: A migration service and module for software modules are disclosed. The migration service detects a security flaw in a first environment in which the software modules are running and migrates the software modules or part of the software modules from the first environment to a second environment when a security flaw is detected.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: August 11, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Ola Angelsmark, Per Persson
  • Patent number: 10733289
    Abstract: A solution is proposed for identifying software components in a computing system. A corresponding method comprises monitoring events relating to one or more software components of the computing system, filtering the events into filtered events according to finalizing events of corresponding event sequences ending with the finalizing events, each of the event sequences relating to a logical operation for a corresponding current software component of the software components being finalized by the finalizing events, and determining corresponding current signatures of the current software components of the filtered events, each of the current signatures being determined according to at least part of a content of the corresponding current software component for use to identify the current software component according to a comparison of the current signature with one or more known signatures of known software components.
    Type: Grant
    Filed: September 2, 2017
    Date of Patent: August 4, 2020
    Assignee: International Business Machines Corporation
    Inventors: Piotr Godowski, Grzegorz Majka, Artur Obrzut, Luigi Pichetti
  • Patent number: 10728759
    Abstract: A method includes establishing a wireless link between a wireless interface of an endpoint and a WAP; exchanging, through the wireless link, network traffic associated with execution of an application at the endpoint; executing, at the endpoint, a security routine to monitor a security status of the endpoint; establishing, through the wireless link, a secure channel that shares the wireless link with the network traffic of the application, the secure channel to extend from the security routine to a supervisor through the wireless link and the WAP; conveying, from the security routine and through the secure channel, an indication of the security status; receiving, at the security routine and through the secure channel, a command to change a setting of the wireless interface associated with a characteristic of the wireless link; and accessing, from the security routine, the wireless interface to effect the change in response to receiving the command.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: July 28, 2020
    Assignee: Sophos Limited
    Inventors: Dirk Bolte, Sven Schnelle, Emanuel Taube, Jonas Bernd Freiherr von Andrian-Werburg
  • Patent number: 10713358
    Abstract: A system and method operable to identify malicious software by extracting one or more features disassembled from software suspected to be malicious software and employing one or more of those features in a machine-learning algorithm to classify such software.
    Type: Grant
    Filed: April 19, 2013
    Date of Patent: July 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Michael Sikorski, William Ballenthin
  • Patent number: 10706155
    Abstract: Systems for providing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a security assessments provisioning service that provisions third-party-authored rules packages and security assessments into the computing environment of the target computing resource. The third-party rules package includes rules that can operate on telemetry and configuration data of the target computing resource, produced by sensors that are native to the computing environment, but the sensor protocols, message format, and sensitive data are not exposed to the rules. The provisioning service can provide security assessments and/or rules packages that are “native” and are thus able to operate directly on the telemetry and configuration data.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: July 7, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Vladimir Veselov, Adrian-Radu Grajdeanu, Hassan Sultan
  • Patent number: 10705904
    Abstract: Anomalous behavior in a multi-tenant computing environment may be identified by analyzing hardware sensor value data associated with hardware events on a host machine. A privileged virtual machine instance executing on a host machine acquires hardware sensor values and causes the values to be compared to other hardware sensor value data that may be indicative of anomalous behavior; for example, various threshold values, patterns, and/or signatures of hardware counter values generated by analyzing and correlating hardware event counter data. In this manner, potential anomalous behavior on an instance may be determined without having to access customer data or workloads associated with the instance.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: July 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Nachiketh Rao Potlapally, Donald Lee Bailey, Jr., Richard Weatherly
  • Patent number: 10701238
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for context-adaptive scanning of digital components. In one aspect, a method comprises: selecting a given digital component from among a plurality of digital components based on a current scanning priority of the given digital component; scanning the given digital component, comprising determining a current state of the given digital component; determining a current context of the given digital component based on one or more of: (i) the current state of the given digital component, or (ii) a current scan index of the given digital component that specifies a number of times the given digital component has been scanned; determining an updated scanning priority of the given digital component based on the current context of the given digital component; and re-scanning the given digital component according to the updated scanning priority.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: June 30, 2020
    Assignee: Google LLC
    Inventors: Oleg Golubitsky, Dake He
  • Patent number: 10691796
    Abstract: A method of identifying security risks in a computer system that includes several computers executing different applications is provided. The method receives event data about threat events associated with a set of applications executing on a set of computers in the computer system. The method, for each event, compares a set of parameters associated with the event with a set of historical parameters maintained for a similar event. The method, based on the comparisons, defines a normality characterization for each event to express a probability of an exploit of the application associated with the event. The method, based on the normality characterization, defines a prioritized display of security risks due to the threat events associated with the set of applications.
    Type: Grant
    Filed: December 8, 2017
    Date of Patent: June 23, 2020
    Assignee: CA, Inc.
    Inventors: Ryan G. Stolte, Firas S. Rifai, Humphrey Christian, Joseph Anthony DeRobertis, Shmuel Yehonatan Green