Firewall Patents (Class 726/11)
- Patent number: 12113768
  Abstract: A system may identify a resource deployed in a computer, where discovery protocol data traffic is unencrypted. The system may receive metadata associated with the discovery protocol data traffic, update the computer network based at least in part on the information included in the metadata, and provide a response to the client. The system may authenticate a request from the client to access the resource using an encrypted protocol, and provide, to the client, access to the resource upon authentication, according to a resource attribute.
  Type: Grant
  Filed: October 31, 2018
  Date of Patent: October 8, 2024
  Assignee: Hewlett Packard Enterprise Development LP
  Inventor: Ramsundar Janakiraman
- Patent number: 12111650
  Abstract: The present invention relates to a system for coordinating operation control and operation maintenance for an urban rail transit and a method using the same, where the system includes: an intelligent operation maintenance subsystem and an intelligent operation control subsystem, the intelligent operation maintenance subsystem and the intelligent operation control subsystem include coordination linkage engine modules respectively, and the intelligent operation maintenance subsystem synchronizes, by using the coordination linkage engine modules, a fault handling plan to the intelligent operation control subsystem. Compared with the prior art, the present invention has the advantages of scientific and reasonable dispatching decision-making, high efficiency and high intelligence.
  Type: Grant
  Filed: October 19, 2020
  Date of Patent: October 8, 2024
  Assignee: CASCO SIGNAL LTD.
  Inventors: Jiafu Pei, Enhua Hu, Li Lin, Bingfeng Zhang, Xiangping Zhu, Ning Zheng, Shuanglei Yang, Jiafeng Guo
- Patent number: 12107834
  Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.
  Type: Grant
  Filed: January 6, 2022
  Date of Patent: October 1, 2024
  Assignee: VMware LLC
  Inventors: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
- Patent number: 12105610
  Abstract: Systems and methods provide techniques for more effective and efficient predictive monitoring of a software application framework. In response, embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to enable effective and efficient predictive monitoring of a software application framework using incident signatures for the software application that are generated by using a natural language processing machine learning framework, a structured data processing machine learning model, and an incident severity level detection machine learning model.
  Type: Grant
  Filed: September 27, 2021
  Date of Patent: October 1, 2024
  Assignees: ATLASSIAN PTY LTD., ATLASSIAN US, INC.
  Inventors: Karthik Muralidharan, Sri Vardhamanan A, Aneesh Kundu
- Patent number: 12081565
  Abstract: A method may include receiving, via a secure deployment management (SDM) system, configuration data associated with an industrial device, identifying, via the SDM system, a presence of a secure deployment management (SDM) node associated with the industrial device, and establishing, via the SDM system, a secure communication channel between the SDM system and the SDM node using one or more security protocols. The method may also involve sending, via the SDM system, the configuration data to the industrial device via the secure communication channel. The industrial device may receive the configuration data without performing one or more security operations on the configuration data.
  Type: Grant
  Filed: February 7, 2023
  Date of Patent: September 3, 2024
  Assignee: Rockwell Automation Technologies, Inc.
  Inventors: David C. Mazur, Todd A. Wiese, Jonathan Alan Mills, Nathaniel S. Sandler, Rob A. Entzminger
- Patent number: 12081438
  Abstract: One aspect of the instant application facilitates automatic policy engine selection. During operation, a system can monitor a network including a set of network devices. The system can receive, based on the monitoring, a set of attributes associated with the network. At least two network devices are equipped with a different policy enforcement engine for enforcing one or more given policy rules. The system can apply a unified policy model to determine, based on the set of attributes, an assignment of the one or more given policy rules to the first policy enforcement engine and the second policy enforcement engine for providing an optimized policy enforcement. The system may then select, based on the assignment, one or both of the first policy enforcement engine and the second policy enforcement engine. The system may activate the selected one or both policy enforcement engines for enforcing the given policy rules.
  Type: Grant
  Filed: October 11, 2021
  Date of Patent: September 3, 2024
  Assignee: Hewlett Packard Enterprise Development LP
  Inventors: Mark A. Parenti, Timothy M. Ireland, Mathieu Riverin, Rajaseelan Manavalan, Marek Tomasz Telus
- Patent number: 12074793
  Abstract: A level 2 (L2) switch receives a packet of upstream communication and a packet of downstream communication that are transmitted from a network device. Further, in a case where it is determined whether or not the received packet is a packet of upstream communication, and when it is determined that the packet is of session upstream communication and is a packet at a session start time, the L2 switch acquires session information and destination information included in the packet of the upstream communication, and stores in a session table. Further, when it is determined that the packet is of upstream communication and is not a packet at a session start time, and destination information of the packet is different from destination information stored in the session table, the L2 switch updates the destination information of the packet to the destination information stored in the session table.
  Type: Grant
  Filed: July 1, 2020
  Date of Patent: August 27, 2024
  Assignee: Nippon Telegraph and Telephone Corporation
  Inventors: Yuki Takei, Masayuki Nishiki, Masato Nishiguchi
- Patent number: 12063580
  Abstract: A communication system provides secure communication between two nodes in a self-organizing network without the need for a centralized security or control device. A first node of the two nodes is provisioned with one or more security profiles, auto-discovers a second node of the two nodes, authenticates the second node based on a security profile of the one or more security profiles, selects a security profile of the one or more security profiles to encrypt a communication session between the two nodes, and encrypts the communication session between the two nodes based on the selected security profile. The second node also is provisioned with the same one or more security profiles, authenticates the first node based on a same security profile as is used to authenticate the second node, and encrypts the communication session based on the same security profile as is used for encryption by the first node.
  Type: Grant
  Filed: January 24, 2023
  Date of Patent: August 13, 2024
  Assignee: Google Technology Holdings LLC
  Inventors: Shravan Mahidhara, Vasanthi Raghuram
- Patent number: 12045264
  Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.
  Type: Grant
  Filed: November 14, 2022
  Date of Patent: July 23, 2024
  Assignee: Amazon Technologies, Inc.
  Inventors: Eric Jason Brandwine, Calvin Yue-Ren Kuo
- Patent number: 12041089
  Abstract: Systems and methods include, responsive to a scan by the CASB system of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application where the scan includes identifying malware in content in the SaaS application and performing Data Loss Prevention (DLP) in the content in the SaaS application, maintaining records associated with a plurality of incidents for the malware and the DLP; providing a User Interface (UI) for the tenant including an analytics view with a plurality of summary tiles including visualizations of the plurality of incidents for the malware and the DLP for the tenant; and providing the UI for the tenant including a table listing any of the plurality of incidents for the malware and the DLP for the tenant, including any of unique data objects, unique users internal to the tenant, and unique external entities, associated with the plurality of incidents.
  Type: Grant
  Filed: November 17, 2020
  Date of Patent: July 16, 2024
  Assignee: Zscaler, Inc.
  Inventors: Pooja Deshmukh, Iris Gao, Jasbir S. Kaushal, Sarthak Saxena
- Patent number: 12041085
  Abstract: Obtaining one or more metrics associated with a network location. Determining, based on the one or more metrics and one or more prefatory check conditions, a prefatory status of the network location, the prefatory status indicating a benign status, malicious status, or a suspicious status. If the prefatory status of the network location indicates the benign status or the malicious status, providing a notification of the prefatory status in response to the prefatory status being determined. If the prefatory status of the network location indicates a suspicious status, obtaining a document object model of the network location. Obtaining a screenshot of an entire page of content at the network location. Generating a null hypothesis based on the document object model, the null hypothesis including a potential brand list, the potential brand list including one or more potential brands. Obtaining a set of reference images for each of the one or more potential brands of the potential brand list.
  Type: Grant
  Filed: June 25, 2021
  Date of Patent: July 16, 2024
  Assignee: Zoho Corporation Private Limited
  Inventors: Gouttham Nambirajan, Sita Lakshmi Sangameswaran, Ramprakash Ramamoorthy, Shailesh Kumar Davey
- Patent number: 12032655
  Abstract: Provided are asynchronous data ingestion and enrichment systems and methods. The systems comprise a plurality of components (e.g., ingestion components, enrichment components, and/or publishing components). Instead of passing data from one component to another, the data is sent to a messaging queue that formats and holds the data until the subsequent component is ready to receive it. Additionally, each component comprises a central microservice and a plurality of instances, the central microservice configured to communicate with each instance of the plurality of instances.
  Type: Grant
  Filed: August 27, 2020
  Date of Patent: July 9, 2024
  Assignee: NOBLIS, INC.
  Inventors: Nathan Dellinger, David Peters
- Patent number: 12021833
  Abstract: A network interface has an input port, which is designed to accept messages from a first device or first network, and an output port, which is designed to forward the messages to a second device or second network. A memory is provided for a timetable. The network interface is designed to forward messages arriving at the input port during open times defined by the timetable to the output port and to discard messages arriving at the input port during closed times defined by the timetable. A configuration unit is designed to accept and store in the memory a timetable defined by a monitoring unit as a shared secret for the network interface and at least one sender of messages, and/or to negotiate a timetable with at least one sender of messages as a shared secret.
  Type: Grant
  Filed: August 16, 2019
  Date of Patent: June 25, 2024
  Assignee: Continental Automotive GmbH
  Inventor: Helge Zinner
- Patent number: 12015745
  Abstract: An image processing apparatus includes: a first hardware processor that sets cooperative processing including first processing and second processing that cooperate with each other in a server that provides a service that determines the cooperative processing; a second hardware processor that receives a command to execute the first processing; a third hardware processor that generates alternative processing in place of the first processing in a case where it is detected that the command cannot be received after the cooperative processing has been set; and a fourth hardware processor that executes the alternative processing.
  Type: Grant
  Filed: October 21, 2022
  Date of Patent: June 18, 2024
  Assignee: KONICA MINOLTA, INC.
  Inventor: Megumi Miura
- Patent number: 12010096
  Abstract: Disclosed are systems and methods for firewall configuration. A request can be transmitted to a DNS server. A response to the DNS request can include an Internet Protocol (IP) address. A firewall rule can be generated permitting access to the IP address. The firewall rule can be configured to be valid until expiration of a time-to-live value in the response to the DNS request. Thus, firewall rules can be automatically created as needed by executed processes, eliminating the need for manual firewall rule creation. As the firewall rule is invalid after the expiration of the time-to-live value, risks associated with maintaining out-of-date firewall rules are eliminated, as is the requirement to manually remove or modify out-of-date firewall rules.
  Type: Grant
  Filed: April 6, 2023
  Date of Patent: June 11, 2024
  Assignee: Comcast Cable Communications, LLC
  Inventor: Alexander Gurney
- Patent number: 12010098
  Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
  Type: Grant
  Filed: July 6, 2023
  Date of Patent: June 11, 2024
  Assignee: ILLUMIO, INC.
  Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
- Patent number: 12010020
  Abstract: A system for storing data includes a controller, an Ethernet switch and a storage device. The controller is configured to receive data routing instructions, and manage forwarding rules of a switch forwarding table to implement the data routing instructions. The Ethernet switch is configured to receive data, access the switch forwarding table, and route the data to the storage device using the switch forwarding table.
  Type: Grant
  Filed: August 31, 2020
  Date of Patent: June 11, 2024
  Assignee: KIOXIA CORPORATION
  Inventor: Yaron Klein
- Patent number: 12003511
  Abstract: A method for operating a system hosted on a mobile entity is disclosed, wherein the system is operable to connect to a communication network. The method, performed by a controller of the system, comprises seeking to establish a trust relationship with a cooperating system hosted on a mobile entity, and, if a trust relationship with the cooperating system is established, performing at least one of: initiating use of a resource provided by the cooperating system, or initiating provision of a resource for use by the cooperating system. Also disclosed is a method for operating a function comprising a digital representative of a system hosted on a mobile entity, wherein the system is operable to connect to a communication network.
  Type: Grant
  Filed: April 30, 2019
  Date of Patent: June 4, 2024
  Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Miljenko Opsenica, Patrik Salmela, Roberto Morabito, Edgar Ramos, Tero Kauppinen, Miika Komu
- Patent number: 12003485
  Abstract: Techniques for outbound/inbound lateral traffic punting based upon process risk are disclosed. In some embodiments, a system/process/computer program product for outbound/inbound lateral traffic punting based upon process risk includes receiving, at a network device on an enterprise network, process identification (ID) information from an endpoint (EP) agent executed on an EP device, in which the process ID information identifies a process that is associated with an outbound or inbound network session on the EP device on the enterprise network, and the EP agent selected the network session for punting to the network device for inspection; monitoring network communications associated with the network session at the network device to identify an application identification (APP ID) for the network session; and performing an action based on a security policy using the process ID information and the APP ID.
  Type: Grant
  Filed: February 23, 2023
  Date of Patent: June 4, 2024
  Assignee: Palo Alto Networks, Inc.
  Inventors: Ho Yu Lam, Robert Earle Ashley, Paul Theodore Mathison, Qiuming Li, Taylor Ettema
- Patent number: 11968217
  Abstract: Techniques for providing domain name and URL visual verifications to increase security of operations on a device. The techniques include a visual indicator and/or warning to a user on the user's computing device that a domain or URL requested by the user and the device is unpopular, new, unknown, inauthentic, associated with malware or phishing, or in some other way, risky. The techniques include identifying a domain name in a communication received by a computing device and then determining a popularity ranking and/or an age of the domain name. The device can render, for display on a screen of the device, a visual indicator having the popularity ranking and/or the age of the domain name. Also, the techniques can include identifying a URL in a communication received by a computing device and then rendering, for display on a screen of the device, a visual indicator having the entire URL.
  Type: Grant
  Filed: December 27, 2021
  Date of Patent: April 23, 2024
  Assignee: Lookout, Inc.
  Inventor: Brian James Buck
- Patent number: 11962622
  Abstract: To prevent un-authorized accesses to data and resources available in workloads on an organization's or enterprise's computer network, various improvements to automated computer network security processes to enable them to enforce network security policies using native network security mechanisms to control communications to and/or from workload units of applications running on different nodes within hybrid computer network infrastructures having both traditional hardware resources and virtual resources provided by private and public cloud infrastructure services.
  Type: Grant
  Filed: February 6, 2023
  Date of Patent: April 16, 2024
  Assignee: FireEye Security Holdings US LLC
  Inventors: Lisun Joao Kung, Jose Renato Goncalves Santos, Sarowar Golam Sikder
- Patent number: 11956209
  Abstract: Disclosed herein are systems and methods for storing patient medical information on a local processing device, anonymizing a portion of that medical information and storing it on a second processing device, exposing that anonymized medical information to a third processing device coupled to the second processing device through a network, and restricting users of the third processing device to only accessing HIPAA compliant medical information. Alarms are included for indicating the improper transfer of HIPAA data.
  Type: Grant
  Filed: October 6, 2021
  Date of Patent: April 9, 2024
  Inventor: Volker Rudolph
- Patent number: 11956328
  Abstract: In some implementations, a user plane (UP) device may receive a control packet indicating a logout associated with a subscriber session. The UP device may store an indication of the logout associated with the subscriber session. The UP device may determine, after storing the indication, that the logout associated with the subscriber session has not been completed within a subscriber logout period. The UP device may transmit an error indication indicating that the logout has not been completed within the subscriber logout period. In some implementations, a control plane (CP) device may receive the error indication indicating that the logout associated with the subscriber session has not been completed. The CP device may process the logout based at least in part on receiving the error indication. The CP device may transmit, based on processing the logout, a logout notification associated with the logout.
  Type: Grant
  Filed: July 18, 2022
  Date of Patent: April 9, 2024
  Assignee: Juniper Networks, Inc.
  Inventors: Subrat Pani, Shirish B. Dandekar
- Patent number: 11956269
  Abstract: The methods and systems relate to improvements to threat modeling systems through the use of crowdsourcing. Specifically, the methods and systems relate to generating recommendations based on crowdsourced threat modeling contributions. For example, the methods and systems automate the threat modeling process by leveraging data in order to drive consistent and measurable quality of threat models and enable threat models to provide aggregated views of risk concentration at any altitude.
  Type: Grant
  Filed: December 3, 2021
  Date of Patent: April 9, 2024
  Assignee: Capital One Services, LLC
  Inventors: Jonathan Underwood, Neil Barlow, Fraser Richard Scott
- Patent number: 11949656
  Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.
  Type: Grant
  Filed: August 20, 2021
  Date of Patent: April 2, 2024
  Assignee: Barracuda Networks, Inc.
  Inventors: Pablo German Sole, Jose Luis Ferras Pereira, Sinan Eren, Luisa Marina Moya Praca de Araujo Lima
- Patent number: 11941130
  Abstract: Methods of securely storing and providing data in a data storage system, and a corresponding system are described. A method comprises the steps of: connecting the security module to a remote host only within a predetermined remote access time window, wherein said remote access time window is stored on the security module; receiving a file transfer request from the remote host to the security module; authenticating the file transfer request; receiving the file and caching the file within the security module; isolating the remote host from the security module; connecting the security module and the data storage device; transferring the cached file from the security module to be stored in the data storage device; and isolating the security module and the data storage device once file transfer is complete. This provides a secure system where a data storage device is controllably connected to a remote host.
  Type: Grant
  Filed: August 14, 2020
  Date of Patent: March 26, 2024
  Inventors: Ken Stratford, Ivan Knezovich
- Patent number: 11936738
  Abstract: A system, method, and computer program product are provided for managing a connection between a device and a network. In use, a first device coupled between a second device and a network is identified. Further, the first device is controlled based on predefined criteria utilizing the second device, for managing a connection between the second device and the network.
  Type: Grant
  Filed: December 14, 2020
  Date of Patent: March 19, 2024
  Assignee: McAfee, LLC
  Inventor: Efrain Ortiz, Jr.
- Patent number: 11924377
  Abstract: Disclosed here is a method to determine a user intent when a user device initiates an interactive voice response (IVR) call with a wireless telecommunication network. A processor can detect the IVR call initiated with the network and determine whether the user device is a member of the network. Upon determining that the user device is a member of the network, the processor can obtain user history including interaction history between the user and the network. Based on the user history, the processor can predict the user intent when the user initiates the IVR call. The processor can detect whether the user device is a 5G capable device. Upon determining that the device is 5G capable and based on the predicted user intent, the processor can suggest to the user an application configured to execute on the user device and configured to address the predicted user intent.
  Type: Grant
  Filed: January 5, 2023
  Date of Patent: March 5, 2024
  Assignee: T-Mobile USA, Inc.
  Inventors: Phi Nguyen, Nathaniel Blodgett
- Patent number: 11909845
  Abstract: Examples herein involve a multi-access edge computing (MEC) environment. An example process may include receiving a tenant application that is to be hosted in a MEC environment. The MEC environment may be situated between a user device and an external platform. The process may include assigning an edge service identifier (ESID) to the tenant application. The ESID may be used to indicate that a message, associated with the user device, involves the tenant application. The process may include assigning a host identifier to the tenant application. The host identifier may be used to indicate that report data, associated with execution of the tenant application within the MEC environment, is to be provided to the external platform. The process may include routing communications associated with the tenant application using the ESID and the host identifier.
  Type: Grant
  Filed: February 24, 2022
  Date of Patent: February 20, 2024
  Assignee: Verizon Patent and Licensing Inc.
  Inventors: Cheul Shim, Mahadevan Viswanathan, Thierry R. Sender
- Patent number: 11888982
  Abstract: In the IKE or IPSec SA rekeying, whether the rekey exchange includes the cryptographic suite in the payload depends on whether the cryptographic suite used in the old SA is changed on both ends, e.g., the initiator and the responder. If the cryptographic suite is not changed, then the rekey exchange does not include the cryptographic suite. Additionally, in the IPSec SA rekey, if the flow information is not changed on either end, the rekey exchange further does not include the Traffic Selector (TS). As such, the size of the payload is decreased, which saves bandwidth, processing time and power in the course of the IKE SA or the IPSec SA rekey.
  Type: Grant
  Filed: May 16, 2021
  Date of Patent: January 30, 2024
  Assignee: HUAWEI TECHNOLOGIES CO., LTD.
  Inventors: Sandeep Kampati, De Sheng, Dharmanandana Reddy Pothula, Bharath Soma Satya Meduri
- Patent number: 11874932
  Abstract: Approaches presented herein enable a security risk manager embedded in an application to manage security vulnerabilities of the application. More specifically, the application comprises code entities such as components, packages, libraries, or microservices. The entities are modified as part of the application development process to have an enabled state, in which these entities are permitted to run normally when called, and a disabled state, in which these entities do not run when called but instead perform a back-out behavior such as generating an error message. At runtime, the application periodically accesses a security vulnerabilities database to check for security alerts. When a relevant security alert is found, the application changes any code entities that are affected by the security alert to the disabled state pending investigation by an operations team. The application notifies the operations team by sending a notification of the security alert to an external security monitoring tool.
  Type: Grant
  Filed: June 30, 2021
  Date of Patent: January 16, 2024
  Assignee: International Business Machines Corporation
  Inventors: Matthew Paul Chapman, Chengxuan Xing, Ashley Donald Harrison, Vlad Balanescu
- Patent number: 11876780
  Abstract: A facility controlling a communication device to create a disconnected ad hoc network and then to rejoin an internetwork is described. The communication device makes a direct or indirect wireless connection with a participant in a network in which the communication device was formerly a participant. In response to making the connection, the communication device: (1) communicates with a registration authority of the network to synchronize a provisional registration authority state established by the first communication device during a period after the communication device was formerly a participant in the network and before the connection was made; and (2) communicates with a security authority of the network to synchronize a security authority state established by the communication device during the period.
  Type: Grant
  Filed: September 29, 2021
  Date of Patent: January 16, 2024
  Assignee: QUIXOTIC HOLDINGS, LLC
  Inventor: Anthony Samuel Jacobs
- Patent number: 11861524
  Abstract: A method includes receiving, in a first networking platform, an electronic message directed from a first party to a workflow to a second party of the workflow. The method also includes identifying a document attached to the electronic message as relevant to the workflow, and identifying at least a portion of a text content in the electronic message as relevant to the workflow. The method also includes updating the workflow associated with the workflow based on the document attached to the electronic message, when the second party provides the input and storing the document attached to the electronic message in a database, as a new version of the workflow. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.
  Type: Grant
  Filed: August 26, 2020
  Date of Patent: January 2, 2024
  Assignee: Ironclad, Inc.
  Inventors: Jason Li, Cai Gogwilt, Kevin Verdieck, Mary Zhuang, Blake Reary
- Patent number: 11860724
  Abstract: An event analysis system is provided. During operation, the system can determine an event description associated with the switch from an event log of the switch. The event description can correspond to an entry in a table in a switch configuration database of the switch. A respective database in the switch can be a relational database. The system can then obtain an event log segment, which is a portion of the event log, comprising the event description based on a range of entries. Subsequently, the system can apply a pattern recognition technique on the event log segment based on the entry in the switch configuration database to determine one or more patterns corresponding to an event associated with the event description. The switch can then apply a machine learning technique using the one or more patterns to determine a recovery action for mitigating the event.
  Type: Grant
  Filed: June 25, 2020
  Date of Patent: January 2, 2024
  Assignee: Hewlett Packard Enterprise Development LP
  Inventors: Chinlin Chen, Anu Mercian, Renato Chaves de Aguiar
-
Patent number: 11855896
Abstract: A computerized method for directing transmission of a data packet within a distributed cloud computing system is disclosed that includes receiving the data packet by a receiving gateway instance deployed within the distributed cloud computing system, when a session corresponding to the data packet is found via a session lookup, forwarding the data packet to a destination in accordance with the session lookup, when the session is not found via the session lookup, determining whether at least one peer firewall instance is available, and when a first peer firewall instance is available and the data packet is a synchronize packet, forwarding the data packet to the first peer firewall instance. In some instances, the data packet is a TCP packet and in others, the data packet is received from either of a spoke gateway or a transit gateway that is deployed within the distributed cloud computing system.
Type: Grant
Filed: March 29, 2021
Date of Patent: December 26, 2023
Assignee: Aviatrix Systems, Inc.
Inventors: Lee-Chik Cheung, Xiaobo Sherry Wei, Shanshan Xu, Praveen Vannarath
-
Patent number: 11855961
Abstract: Techniques are provided that rotate a device address used to identify a wireless client device on a wireless network. The wireless client device and at least one network infrastructure component identify a plurality of device addresses associated with the wireless client device. In some embodiments, the plurality of device addresses are generated via a corresponding plurality of invocations of a stateful random number generator, such as a cryptographically secure pseudorandom number generator.
Type: Grant
Filed: May 25, 2021
Date of Patent: December 26, 2023
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Roberto Muccifora, Domenico Ficara, Amine Choukir, Anirban Karmakar, Vincent Cuissard, Sudhir Kumar Jain
-
Patent number: 11853426
Abstract: The portable peripheral (100) for communication with a data network (105) using the internet protocol comprises: a connector (110) to mechanically connect and establish a removable wired connection between the peripheral and a portable terminal, a first means (115) of wired bidirectional communication with the portable terminal, a second means (120) of bidirectional communication with a data network, and a security unit (122) protecting the communication between the first and the second means of communication, this communication being established between the first and the second means of communication, the security unit (122) comprising a system (127) of autonomous DNS management, the means of communication and the security unit being embedded in a unique housing (130) removable from the portable terminal.
Type: Grant
Filed: April 25, 2022
Date of Patent: December 26, 2023
Inventor: Vladimir Mickael Leal Monteiro
-
Patent number: 11848951
Abstract: A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the network nodes are aggregated.
Type: Grant
Filed: December 13, 2021
Date of Patent: December 19, 2023
Assignee: Nant Holdings IP, LLC
Inventor: Thomas M. Wittenschlaeger
-
Patent number: 11848872
Abstract: Described herein is a system for automatically capturing configuration changes to the cloud computing resources. The system for automatically capturing configuration changes may detect changes to configurations of cloud computing resources across the geographic regions, in real-time. The changes may be stored in a central data storage device instantiated by a central cloud computing account. Furthermore, a relationship graph indicating the relationships between the different cloud computing resources may be generated.
Type: Grant
Filed: August 1, 2022
Date of Patent: December 19, 2023
Assignee: Capital One Services, LLC
Inventor: Matthew Gladney
-
Patent number: 11843605
Abstract: The present disclosure relates to traffic monitoring through one or more access control servers configured for (i) routing server resource request messages to resource server(s), (ii) extracting information identifying a target server resource from data packets corresponding to one or more received server resource request messages, and (iii) selectively transmitting the received server resource request message to a resource server. The security server(s) is configured to receive a server resource request message data extracted from a server resource request message and initiate a first security response, wherein the initiated first security response is dependent on analysis of the server resource request message data.
Type: Grant
Filed: October 31, 2022
Date of Patent: December 12, 2023
Assignee: Ping Identity Corporation
Inventors: Bernard Harguindeguy, Udayakumar Subbarayan, Isidore Rosenblum, Abduraheem Poonthiruthi, Anoop Krishnan Gopalakrishnan, Ashwani Kumar
-
Patent number: 11829504
Abstract: A system and method for data loss prevention (DLP) is disclosed, the system and method including at least: receiving, by one or more computing devices and from one or more remote sources, one or more data streams each containing a textual data; consolidating, by the one or more computing devices, the one or more data streams into a single data stream, wherein the single data stream includes a field indicating from which of the one or more remote sources the textual data for each of the one or more data streams originates; transmitting, by the one or more computing devices, the single data stream to an analytics engine; determining, with the analytics engine, whether the textual data of each of the one or more data streams contains a sensitive data using a reference table; and based on the determining, transmitting, by the one or more computing devices, a request to the one or more remote sources to delete the textual data.
Type: Grant
Filed: September 30, 2020
Date of Patent: November 28, 2023
Assignee: Capital One Services, LLC
Inventors: Aleksandr Markenzon, Kyle Flaherty, Somkanti Biswas
-
Patent number: 11830043
Abstract: A system and method for providing digital audio services is described. One embodiment is a method for providing digital audio services, comprising receiving, using a communications interface, an audio stream from a content provider; determining a timestamp for a first audio stream segment; determining a timestamp for a second audio stream segment; updating a playlist with a representation of the audio stream; receiving a query for content information; and sending offer information, in response to receiving the query for content information.
Type: Grant
Filed: February 3, 2023
Date of Patent: November 28, 2023
Assignee: Auddia Inc.
Inventor: Jeffrey Thramann
-
Patent number: 11822521
Abstract: A method of accessing data includes storing a table that includes a plurality of tablets corresponding to distinct non-overlapping table portions. Respective pluralities of tablet access objects and application objects are stored in a plurality of servers. A distinct application object and distinct tablet are associated with each tablet access object. Each application object corresponds to a distinct instantiation of an application associated with the table. The tablet access objects and associated application objects are redistributed among the servers in accordance with a first load-balancing criterion. A first request directed to a respective tablet is received from a client. In response, the tablet access object associated with the respective tablet is used to perform a data access operation on the respective tablet, and the application object associated with the respective tablet is used to perform an additional computational operation to produce a result to be returned to the client.
Type: Grant
Filed: February 14, 2022
Date of Patent: November 21, 2023
Assignee: Google LLC
Inventors: Jeffrey Adgate Dean, Sanjay Ghemawat, Andrew Fikes, Yasushi Saito
-
Patent number: 11822653
Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
Type: Grant
Filed: October 4, 2022
Date of Patent: November 21, 2023
Assignee: CUPP Computing AS
Inventor: Shlomo Touboul
-
Patent number: 11818100
Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
Type: Grant
Filed: December 4, 2017
Date of Patent: November 14, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
-
Patent number: 11809890
Abstract: Various systems and methods for managing quality of storage service in a virtual network are described herein. A system for managing quality of service in a virtual network includes an analytic platform configured to analyze input/output operations by a virtual host on a storage array in a virtual network, the virtual host identified with a virtual network identifier (VNI), and the virtual network identified by a virtual host address (VHA); and a security controller to: receive, from the analytic platform, storage array metrics associated with the VNI and the VHA; determine that the storage array metrics violate a threshold condition; and cause a responsive action to adjust the operating environment of the virtual host to maintain quality of input/output service for hosts sharing the storage array.
Type: Grant
Filed: June 29, 2018
Date of Patent: November 7, 2023
Assignee: Intel Corporation
Inventor: Ziye Yang
-
Patent number: 11805566
Abstract: In a connection reactivation method, a connection of a PDU session established by user equipment on an N3GPP side is reactivated through communications via a 3GPP network. The user equipment accesses both the 3GPP and the N3GPP network and is originally in an idle state on the N3GPP network. An access and mobility management function entity receives a first message from a session management function entity to reactivate the PDU session connection of the user equipment. The access and mobility management function entity sends a second message to the user equipment via the 3GPP access network to instruct the user equipment to reactivate the connection of the PDU session.
Type: Grant
Filed: September 10, 2021
Date of Patent: October 31, 2023
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Huan Li, Youyang Yu
-
Patent number: 11805101
Abstract: Some embodiments provide a novel secure method for suppressing address discovery messaging. In some embodiments, the method receives an address discovery record that provides a network address associated with a machine connected to a network. The method then identifies a set of one or more rules for evaluating the received address discovery record to determine whether the address discovery record or its provided network address should be distributed to one or more hosts and/or devices associated with the network. The method then processes the set of rules to determine whether the received address discovery record violates a rule in the set of rules so as to prevent the distribution of its provided network address. When the address discovery record violates a rule, the method discards it in some embodiments.
Type: Grant
Filed: April 6, 2021
Date of Patent: October 31, 2023
Assignee: VMWARE, INC.
Inventors: Li Sun, Parasuramji Rajendran, Yang Ping, Jianjun Shen
-
Patent number: 11805033
Abstract: The present invention relates to a computer implemented method, preferably a computer implemented method, and a system, which have been designed to bridge a gap in End User experience monitoring that has been created by the adoption of cloud based services by Enterprise customers, by replicating exactly the actions performed by the user on a cloud based application in order to determine the true end user experience and alert in case of unexpected latency, and also by analyzing at the same time the impacts of the Internet network and the local infrastructure of the Enterprise user on the end user experience of the cloud based application that is monitored.
Type: Grant
Filed: November 9, 2021
Date of Patent: October 31, 2023
Assignee: Martello Technologies Corporation
Inventors: Antoine Leboyer, Gary Steere, Jean-Francois Piot
-
Patent number: 11799904
Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.
Type: Grant
Filed: December 10, 2020
Date of Patent: October 24, 2023
Assignee: Cisco Technology, Inc.
Inventors: Tomas Komarek, Jan Brabec, Cenek Skarda