Firewall Patents (Class 726/11)
  • Patent number: 11855896
    Abstract: A computerized method for directing transmission of a data packet within a distributed cloud computing system is disclosed that includes receiving the data packet by a receiving gateway instance deployed within the distributed cloud computing system, when a session corresponding to the data packet is found via a session lookup, forwarding the data packet to a destination in accordance with the session lookup, when the session is not found via the session lookup, determining whether at least one peer firewall instance is available, and when a first peer firewall instance is available and the data packet is a synchronize packet, forwarding the data packet to the first peer firewall instance. In some instances, the data packet is a TCP packet and in others, the data packet is received from either of a spoke gateway or a transit gateway that is deployed within the distributed cloud computing system.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: December 26, 2023
    Assignee: Aviatrix Systems, Inc.
    Inventors: Lee-Chik Cheung, Xiaobo Sherry Wei, Shanshan Xu, Praveen Vannarath
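The dispatch flow in the abstract above (session lookup first, then handing a connection-opening SYN with no session to an available peer) is illustrated by the following added example. It is not Aviatrix code; the session-table layout, the peer list, taking the first listed peer, and dropping a non-SYN packet that matches no session are assumptions made for this example.

```python
"""Stateful packet dispatch for a gateway firewall instance in a distributed
cloud fabric: session lookup first, then hand a connection-opening SYN with
no session to an available peer instance.

Added illustration; not Aviatrix code. Session-table representation, peer
selection and the drop of session-less non-SYN packets are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN flag: first packet of a new connection

    def key(self) -> FiveTuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FiveTuple:
        # Key of the return direction, so replies match the same session.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class GatewayInstance:
    name: str
    # session key -> next hop for that direction (assumed representation)
    sessions: Dict[FiveTuple, str] = field(default_factory=dict)
    peers: List["GatewayInstance"] = field(default_factory=list)

    def open_session(self, pkt: Packet, fwd_hop: str, rev_hop: str) -> None:
        """Record both directions of an accepted connection."""
        self.sessions[pkt.key()] = fwd_hop
        self.sessions[pkt.reverse_key()] = rev_hop

    def available_peer(self) -> Optional["GatewayInstance"]:
        # Assumption: the first listed peer is taken; a real deployment would
        # track peer health or balance across peers.
        return self.peers[0] if self.peers else None

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, target); action is 'forward', 'forward-to-peer'
        or 'drop'."""
        # 1. Session lookup: a known session decides the next hop directly.
        hop = self.sessions.get(pkt.key())
        if hop is not None:
            return ("forward", hop)
        # 2. No session: a TCP SYN may be handed to a peer firewall instance,
        #    which then owns the session for that connection.
        peer = self.available_peer()
        if peer is not None and pkt.proto == "tcp" and pkt.syn:
            return ("forward-to-peer", peer.name)
        # 3. Assumption for this example: anything else with no session is
        #    dropped, since it belongs to no connection this instance accepted.
        return ("drop", "")


if __name__ == "__main__":
    # Constructed sample traffic.
    gw = GatewayInstance("spoke-gw-1", peers=[GatewayInstance("fw-1")])
    syn = Packet("10.0.0.5", 40000, "10.1.0.9", 443, syn=True)
    print(gw.handle(syn))  # SYN with no session goes to the peer
    gw.open_session(syn, fwd_hop="transit-gw", rev_hop="vm-10.0.0.5")
    print(gw.handle(Packet("10.1.0.9", 443, "10.0.0.5", 40000)))  # reply hits session
```

A non-SYN segment that matches no session is the case a practitioner should check: a mid-stream packet arriving at an instance that never saw the handshake (for example after a route change) cannot be attributed to a connection and is dropped rather than forwarded to a peer.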
  • Patent number: 11853426
    Abstract: The portable peripheral (100) of communication with the data network (105) utilizing the internet protocol comprises: a connector (110) to mechanically connect and establish a removable wired connection between the peripheral and a portable terminal, a first means (115) of wired bidirectional communication with the portable terminal, a second means (120) of bidirectional communication with a data network and a security unit (122) protecting the communication between the first and the second means of communication, this communication being established between the first and the second means of communication, the security unit (122) comprising a system (127) of autonomous DNS management, the means of communication and the security unit being embedded in a single housing (130) removable from the portable terminal.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: December 26, 2023
    Inventor: Vladimir Mickael Leal Monteiro
  • Patent number: 11848951
    Abstract: A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the network nodes are aggregated.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: December 19, 2023
    Assignee: Nant Holdings IP, LLC
    Inventor: Thomas M. Wittenschlaeger
  • Patent number: 11848872
    Abstract: Described herein is a system for automatically capturing configuration changes to the cloud computing resources. The system for automatically capturing configuration changes may detect changes to configurations of cloud computing resources across the geographic regions, in real-time. The changes may be stored in a central data storage device instantiated by a central cloud computing account. Furthermore, a relationship graph indicating the relationships between the different cloud computing resources may be generated.
    Type: Grant
    Filed: August 1, 2022
    Date of Patent: December 19, 2023
    Assignee: Capital One Services, LLC
    Inventor: Matthew Gladney
  • Patent number: 11843605
    Abstract: The present disclosure relates to traffic monitoring through one or more access control servers configured for (i) routing server resource request messages to resource server(s), (ii) extracting information identifying a target server resource from data packets corresponding to one or more received server resource request messages, and (iii) selectively transmitting the received server resource request message to a resource server. The security server(s) are configured to receive server resource request message data extracted from a server resource request message and initiate a first security response, wherein the initiated first security response is dependent on analysis of the server resource request message data.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: December 12, 2023
    Assignee: Ping Identity Corporation
    Inventors: Bernard Harguindeguy, Udayakumar Subbarayan, Isidore Rosenblum, Abduraheem Poonthiruthi, Anoop Krishnan Gopalakrishnan, Ashwani Kumar
  • Patent number: 11829504
    Abstract: A system and method for data loss prevention (DLP) is disclosed, the system and method including at least: receiving, by one or more computing devices and from one or more remote sources, one or more data streams each containing a textual data; consolidating, by the one or more computing devices, the one or more data streams into a single data stream, wherein the single data stream includes a field indicating from which of the one or more remote sources the textual data for each of the one or more data streams originates; transmitting, by the one or more computing devices, the single data stream to an analytics engine; determining, with the analytics engine, whether the textual data of each of the one or more data streams contains a sensitive data using a reference table; and based on the determining, transmitting, by the one or more computing devices, a request to the one or more remote sources to delete the textual data.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: November 28, 2023
    Assignee: Capital One Services, LLC
    Inventors: Aleksandr Markenzon, Kyle Flaherty, Somkanti Biswas
  • Patent number: 11830043
    Abstract: A system and method for providing digital audio services is described. One embodiment is a method for providing digital audio services, comprising receiving, using a communications interface, an audio stream from a content provider; determining a timestamp for a first audio stream segment; determining a timestamp for a second audio stream segment; updating a playlist with a representation of the audio stream; receiving a query for content information; and sending offer information, in response to receiving the query for content information.
    Type: Grant
    Filed: February 3, 2023
    Date of Patent: November 28, 2023
    Assignee: Auddia Inc.
    Inventor: Jeffrey Thramann
  • Patent number: 11822653
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: October 4, 2022
    Date of Patent: November 21, 2023
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 11822521
    Abstract: A method of accessing data includes storing a table that includes a plurality of tablets corresponding to distinct non-overlapping table portions. Respective pluralities of tablet access objects and application objects are stored in a plurality of servers. A distinct application object and distinct tablet are associated with each tablet access object. Each application object corresponds to a distinct instantiation of an application associated with the table. The tablet access objects and associated application objects are redistributed among the servers in accordance with a first load-balancing criterion. A first request directed to a respective tablet is received from a client. In response, the tablet access object associated with the respective tablet is used to perform a data access operation on the respective tablet, and the application object associated with the respective tablet is used to perform an additional computational operation to produce a result to be returned to the client.
    Type: Grant
    Filed: February 14, 2022
    Date of Patent: November 21, 2023
    Assignee: Google LLC
    Inventors: Jeffrey Adgate Dean, Sanjay Ghemawat, Andrew Fikes, Yasushi Saito
  • Patent number: 11818100
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: November 14, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Patent number: 11809890
    Abstract: Various systems and methods for managing quality of storage service in a virtual network are described herein. A system for managing quality of service in a virtual network includes an analytic platform configured to analyze input/output operations by a virtual host on a storage array in a virtual network, the virtual host identified with a virtual network identifier (VNI), and the virtual network identified by a virtual host address (VHA); and a security controller to: receive, from the analytic platform, storage array metrics associated with the VNI and the VHA; determine that the storage array metrics violate a threshold condition; and cause a responsive action to adjust the operating environment of the virtual host to maintain quality of input/output service for hosts sharing the storage array.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: November 7, 2023
    Assignee: Intel Corporation
    Inventor: Ziye Yang
  • Patent number: 11805101
    Abstract: Some embodiments provide a novel secure method for suppressing address discovery messaging. In some embodiments, the method receives an address discovery record that provides a network address associated with a machine connected to a network. The method then identifies a set of one or more rules for evaluating the received address discovery record to determine whether the address discovery record or its provided network address should be distributed to one or more hosts and/or devices associated with the network. The method then processes the set of rules to determine whether the received address discovery record violates a rule in the set of rules so as to prevent the distribution of its provided network address. When the address discovery record violates a rule, the method discards it in some embodiments.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: October 31, 2023
    Assignee: VMWARE, INC.
    Inventors: Li Sun, Parasuramji Rajendran, Yang Ping, Jianjun Shen
  • Patent number: 11805566
    Abstract: In a connection reactivation method, a connection of a PDU session established by user equipment on a N3GPP side is reactivated through communications via a 3GPP network. The user equipment accesses both the 3GPP and the N3GPP network and is originally in an idle state on the N3GPP network. An access and mobility management function entity receives a first message from a session management function entity to reactivate the PDU session connection of the user equipment. The access and mobility management function entity sends a second message to the user equipment via the 3GPP access network to instruct the user equipment to reactivate the connection of the PDU session.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: October 31, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Huan Li, Youyang Yu
  • Patent number: 11805033
    Abstract: The present invention relates to a computer implemented method and a system designed to bridge a gap in End User experience monitoring that has been created by the adoption of cloud based services by Enterprise customers, by replicating exactly the actions performed by the user on a cloud based application in order to determine the true end user experience and alert in case of unexpected latency, and also by analyzing at the same time the impacts of the Internet network and the local infrastructure of the Enterprise user on the end user experience of the cloud based application that is monitored.
    Type: Grant
    Filed: November 9, 2021
    Date of Patent: October 31, 2023
    Assignee: Martello Technologies Corporation
    Inventors: Antoine Leboyer, Gary Steere, Jean-Francois Piot
  • Patent number: 11799675
    Abstract: A method may be provided to operate a first network node of a wireless communication network. The method may include receiving a request from a second network node to activate packet flow descriptor (PFD) extraction with respect to a session for a wireless device, and receiving application traffic for the wireless device, wherein an address is provided to route the application traffic. The method may also include determining an application identifier for the address responsive to the address for the application traffic being unknown to the first network node, and transmitting a PFD notification to the second network node, wherein the PFD notification includes the application identifier.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: October 24, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Esperanza Alonso Franco, Miguel Angel Puente Pestaña, Maria Luisa Mas Rosique, Miguel Angel Muñoz De La Torre Alonso
  • Patent number: 11799904
    Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: October 24, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Tomas Komarek, Jan Brabec, Cenek Skarda
  • Patent number: 11783724
    Abstract: Disclosed herein is a security training apparatus configured to operate an interactive cybersecurity training application, which provides customized and tailored cybersecurity training to each employee of an organization. The security training apparatus uses augmented reality to facilitate customized cybersecurity training for each user. The augmented reality is a computer application, which deals with the combination of real world images of personal workspace environment of each user where the cyber-crime may occur and computer generated data associated with cybersecurity risk objects that may aid the cyber-crime. The interactive cybersecurity training comprises the use of live video imagery of the personal workspace environment of each user, which is digitally processed and augmented by the addition of computer generated graphics associated with the cybersecurity risk objects. The cybersecurity risk objects are selected based on the items within the personal workspace environment for each user.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: October 10, 2023
    Assignee: Massachusetts Mutual Life Insurance Company
    Inventors: Payton A Shubrick, Damon Ryan Depaolo
  • Patent number: 11785112
    Abstract: It is made possible to realize bidirectional communication safely between the cloud side and the on-premises side in a job execution system. It is checked whether or not there is an agent with the same logical name at the time of agent registration. In a case where there is the same logical name, the transfer performance required of each agent is checked, and communication is performed by rewriting the logical name during transfer, using the existing logical name for the agent requiring the highest transfer performance and a new unique alias as the logical name for the other agent.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: October 10, 2023
    Assignee: HITACHI, LTD.
    Inventors: Jun Mizuno, Takahiro Sagara
  • Patent number: 11775309
    Abstract: The present disclosure provides an exception stack handling method, system, electronic device and storage medium and relates to the field of mobile Internet. The method may include: at the level of any executor in a distributed stream-type processing system including at least two executors, performing the following processing: obtaining at least one exception stack from a message middleware each time the executor is in an idle state, the collected exception stacks generated by users being stored in the message middleware; and, for any exception stack, obtaining an anti-obfuscation map file corresponding to the exception stack and performing anti-obfuscation processing for the exception stack by using the anti-obfuscation map file. The solution of the present disclosure may be applied to improve processing speed.
    Type: Grant
    Filed: November 26, 2020
    Date of Patent: October 3, 2023
    Assignee: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY CO., LTD.
    Inventors: Yang Peng, Hao Yang, Jing Zou, Lei Feng, Hongliang Sui
  • Patent number: 11769152
    Abstract: The disclosure herein describes enabling authentication of a user's identity based on a user identification (ID) token. An enrollment request is received by an identity platform from a computing device of the user. The enrollment request includes face data and payment account data associated with a payment account of the user. A face identification template of the user is generated based on the face data. Based on verifying the user's identity using data in the enrollment request, an ID token is generated including the face identification template and the payment account data. The ID token is then provided to the computing device of the user, wherein the computing device is enabled to verify the user's identity based on comparison of the captured image data of the face of the user to the face identification template of the ID token during transactions associated with the computing device.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: September 26, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Rakesh Kumar
  • Patent number: 11755586
    Abstract: A method, system and computer-usable medium for constructing a distribution of interrelated event features. The constructing a distribution of interrelated event features includes receiving a stream of events, the stream of events comprising a plurality of events; extracting features from the plurality of events; constructing a distribution of the features from the plurality of events; and, analyzing the distribution of the features from the plurality of events.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: September 12, 2023
    Assignee: Forcepoint LLC
    Inventors: Christopher Poirel, William Renner, Eduardo Luiggi, Phillip Bracikowski
  • Patent number: 11755585
    Abstract: A method, system and computer-usable medium for constructing a distribution of interrelated event features. The constructing a distribution of interrelated event features includes receiving a stream of events, the stream of events comprising a plurality of events; extracting features from the plurality of events; constructing a distribution of the features from the plurality of events; and, analyzing the distribution of the features from the plurality of events.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: September 12, 2023
    Assignee: Forcepoint LLC
    Inventors: Christopher Poirel, William Renner, Eduardo Luiggi, Phillip Bracikowski
  • Patent number: 11736513
    Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that detects malicious communication between a command and control (C2) cloud resource on a cloud application and malware on an infected host, using a network security system. The network security system reroutes the cloud traffic to the network security system. The incoming requests of the cloud traffic are directed to a cloud application in the plurality of cloud applications, wherein the cloud application has a plurality of resources. The network security system analyzes the incoming requests and determines that the incoming requests are targeted at one or more malicious resources in the plurality of resources.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: August 22, 2023
    Assignee: Netskope, Inc.
    Inventors: Dagmawi Mulugeta, Raymond Joseph Canzanese, Jr., Colin Estep, Siying Yang, Jenko Hwong, Gustavo Palazolo Eiras, Yongxing Wang
  • Patent number: 11736443
    Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: August 22, 2023
    Assignee: Illumio, Inc.
    Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
  • Patent number: 11716311
    Abstract: Aspects of the disclosed technology comprise generating firewall rules based on traffic, outputting the generated firewall rules to an output file, and using the output file to set firewall rules in a network. The firewall rules may be generated without a priori knowledge of the network; alternatively no firewall rules are required. Generated rules may be tuned for user preferences to adjust for the number of generated firewall rules, and their over or under inclusiveness to non-historic traffic data.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: August 1, 2023
    Assignee: Google LLC
    Inventors: Vishal Gupta, Vikas Aggarwal, Kan Cai, Gargi Adhav, Xiaoyu Zhang
  • Patent number: 11706195
    Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: July 18, 2023
    Assignee: Nicira, Inc.
    Inventors: Laxmikant Gunda, Rajiv Krishnamurthy
  • Patent number: 11706193
    Abstract: Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: July 18, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Weimin Ji, John E. Drake, Jeffrey M. Haas
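The placement scheme in the abstract above, a consistent hash ring that assigns both directions of a flow to the same security device and shares that flow's state only with the device's ring successors, is illustrated by the following added example. It is not Juniper code; the number of virtual nodes per device, the replica count, the SHA-256-derived ring positions and the flow-key normalisation are assumptions made for this example.

```python
"""Consistent-hash placement of bidirectional flows onto a pool of security
devices, with per-flow state shared only with the primary device's
successors on the ring rather than with the whole pool.

Added example; not Juniper code. Virtual-node count, replica count, hash
choice and flow-key normalisation are assumptions.
"""
import bisect
import hashlib
from typing import List, Tuple


def _h(value: str) -> int:
    """64-bit ring position derived from SHA-256 (assumed hash choice)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


def flow_key(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
    """Canonical key for a bidirectional flow: order the two endpoints so
    that packets in either direction hash to the same ring position."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


class HashRing:
    def __init__(self, devices: List[str], vnodes: int = 64, replicas: int = 2):
        self.vnodes = vnodes
        self.replicas = replicas
        self._points: List[Tuple[int, str]] = []  # sorted (position, device)
        for d in devices:
            self.add(d)

    def add(self, device: str) -> None:
        # Each device owns several points so that load spreads evenly and a
        # removed device's flows are shared among the remaining devices.
        for i in range(self.vnodes):
            bisect.insort(self._points, (_h(f"{device}#{i}"), device))

    def remove(self, device: str) -> None:
        self._points = [p for p in self._points if p[1] != device]

    def owners(self, key: str) -> List[str]:
        """Primary device for the flow followed by the distinct successors
        that keep a copy of its state, walking clockwise around the ring."""
        if not self._points:
            return []
        n = len(self._points)
        idx = bisect.bisect(self._points, (_h(key), ""))
        out: List[str] = []
        for step in range(n):
            dev = self._points[(idx + step) % n][1]
            if dev not in out:
                out.append(dev)
                if len(out) == self.replicas:
                    break
        return out

    def primary(self, key: str) -> str:
        return self.owners(key)[0]


def sync_targets(ring: HashRing, key: str) -> List[str]:
    """Devices other than the primary that must receive state updates for the
    flow: only the ring successors, not every device in the pool."""
    return ring.owners(key)[1:]


if __name__ == "__main__":
    # Constructed sample flows.
    ring = HashRing(["fw-1", "fw-2", "fw-3"], vnodes=32, replicas=2)
    k = flow_key("10.0.0.1", 51515, "192.0.2.10", 443)
    print(k, ring.owners(k), sync_targets(ring, k))
    assert ring.owners(k) == ring.owners(flow_key("192.0.2.10", 443, "10.0.0.1", 51515))
```

The property worth checking is what happens when a device leaves the pool: only the flows whose primary was that device move, and each of them moves to the successor that already held its synchronised state, so established connections survive the change without a full-pool state broadcast.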
  • Patent number: 11700315
    Abstract: A method for configuring, via a website, a device to provide printing services to a local network is described. The method includes creating, via a website, a service host object that comprises a network address of a device on a local network and a service host name. The method also includes configuring, via the website, one or more printing settings for one or more printing services. The method further includes sending an indication to the device on the local network to run a service manager. The method additionally includes sending an indication to the service manager to run the one or more printing services on the local network based on the one or more printing service settings.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: July 11, 2023
    Assignee: PrinterLogic, Inc.
    Inventors: Chad Steven Sillitoe, Corey Clint Ercanbrack, Joshua Aaron Harrison
  • Patent number: 11700533
    Abstract: Systems, methods, and apparatuses for providing dynamic, prioritized spectrum utilization management. The system includes at least one monitoring sensor, at least one data analysis engine, at least one application, a semantic engine, a programmable rules and policy editor, a tip and cue server, and/or a control panel. The tip and cue server is operable to utilize the environmental awareness from the data processed by the at least one data analysis engine in combination with additional information to create actionable data.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: July 11, 2023
    Assignee: DIGITAL GLOBAL SYSTEMS, INC.
    Inventor: Armando Montalvo
  • Patent number: 11693945
    Abstract: A security configuration file is received from a first application, the security configuration file including information of an authority. The first application assigns the authority to a second application to enable the second application to trigger jobs at the first application, and the second application provides shared services to a plurality of applications including the first application. A query is received from the second application and in response the authority is sent to the second application. A request for a token is received from the second application, the request including the authority. A token including the authority is sent to the second application. The second application sends the token to the first application when the second application triggers jobs at the first application.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: July 4, 2023
    Assignee: SAP SE
    Inventors: Michael Engler, Martijn de Boer, Wolfgang Janzen, Peter Eberlein
  • Patent number: 11693905
    Abstract: Methods and systems for providing a user interface and workflow for interacting with time series data, and applying portions of time series data sets for refining regression models. A system can present a user interface for receiving a first user input selecting a first model from a list of models for modeling the apparatus, generate and display a first chart depicting a first time series data set depicting data from a first sensor, generate and display a second chart depicting a second time series data set depicting a target output of the apparatus, receive a second user input of a portion of the first time series data set, and generate and display a third chart depicting a third time series data set depicting an output of the selected model and aligned with the second chart of the target output and updated in real-time in response to the second user input.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: July 4, 2023
    Assignee: Palantir Technologies Inc.
    Inventors: Christopher Martin, David Fowler
  • Patent number: 11689576
    Abstract: A system and method for cloud native discovery and protection. The method includes discovering instances of a plurality of cloud assets in a cloud native environment based on a plurality of application programming interface (API) endpoints in the cloud native environment, wherein the plurality of API endpoints is identified based on cloud credentials for each of the plurality of cloud assets; determining at least one cloud asset instance that lacks active security protection based on a configuration of at least one entity deployed in the cloud native environment; and reconfiguring at least a portion of the cloud native environment with respect to the at least one cloud asset instance that lacks active security protection.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: June 27, 2023
    Assignee: Twistlock, Ltd.
    Inventors: Liron Levin, Michael Kletselman, Dima Stopel, John Morello, Itay Abramowsky, Ami Bizamcher
  • Patent number: 11677716
    Abstract: A system, method, and computer-readable medium are disclosed for management of a distributed web application firewall (WAF) cluster that supports one or more protected applications. A WAF cluster infrastructure is configured for the protected applications. The WAF cluster includes one or more WAFs that are used to route traffic directed to the protected applications. The WAF cluster infrastructure is validated as current and updated. The validated WAF cluster infrastructure is then used as a routing service.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: June 13, 2023
    Assignee: Dell Products L.P.
    Inventors: Frank DiRosa, Rene Herrero, Poul C. Frederiksen, Yongliang Li, Rashmi Krishnamurthy
  • Patent number: 11652793
    Abstract: Disclosed are systems and methods for firewall configuration. A request can be transmitted to a DNS server. A response to the DNS request can include an Internet Protocol (IP) address. A firewall rule can be generated permitting access to the IP address. The firewall rule can be configured to be valid until expiration of a time-to-live value in the response to the DNS request. Thus, firewall rules can be automatically created as needed by executed processes, eliminating the need for manual firewall rule creation. As the firewall rule is invalid after the expiration of the time-to-live value, risks associated with maintaining out-of-date firewall rules are eliminated, as is the requirement to manually remove or modify out-of-date firewall rules.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: May 16, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventor: Alexander Gurney
  • Patent number: 11627002
    Abstract: A method is suggested for providing a response, wherein the method comprises: obtaining a challenge from a host, determining the response based on the challenge, determining an auxiliary value based on the response or the challenge, providing the auxiliary value to the host, obtaining a random value from the host, checking the validity of the challenge based on the random value, and providing the response to the host only if the challenge is valid. Also, corresponding methods running on the host and system are provided. Further, corresponding devices, hosts and systems are suggested.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: April 11, 2023
    Assignee: Infineon Technologies AG
    Inventors: Thomas Poeppelmann, Rainer Urian
  • Patent number: 11611625
    Abstract: Some embodiments provide a method for performing services on a host computer that executes several machines in a datacenter. The method configures a first set of one or more service containers for a first machine executing on the host computer, and a second set of one or more service containers for a second machine executing on the host computer. Each configured service container performs a service operation on data messages associated with a particular machine. For each particular machine, the method also configures a module along the particular machine's datapath to identify a subset of service operations to perform on a set of data messages associated with the particular machine, and to direct the set of data messages to a set of service containers configured for the particular machine to perform the identified set of service operations on the set of data messages.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: March 21, 2023
    Assignee: VMWARE, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Rick Lund
  • Patent number: 11604864
    Abstract: An indexable authentication system is provided for authenticating users and/or groups across multiple sessions. The indexable authentication system may include an authentication server, security component, communication component, credential database, authentication credential, credential index medium, origin terminal, access provisioning component, content filtering component, payment processing component, and provider aspects. Authorized sessions may be stored on a user device for future authentication actions. A method for authenticating users across multiple sessions using the indexable authentication system is also provided.
    Type: Grant
    Filed: September 6, 2021
    Date of Patent: March 14, 2023
    Inventors: Cody Myers, Meron Myers
  • Patent number: 11606691
    Abstract: Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: March 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11601423
    Abstract: Methods for authenticating a genuine presence of a human involve directing one or more modulated probes towards a body part of the human, receiving a response to the probes from the body part, and analyzing the response to determine whether it contains spectral characteristics that match a class of responses to such probes for the human body part in a human population. Replay attacks are countered by varying the modulation of the probe temporally, spatially, and spectrally each time authentication is performed. The probes may include electromagnetic radiation, acoustic beams, or particle beams that generate a detected reflection, absorption pattern, scintillation, or fluorescence response of the body part. The analysis of the response may be directed to one or more of temporal, spatial, and spectral variations in accordance with the nature of the probes and the modulation.
    Type: Grant
    Filed: March 14, 2021
    Date of Patent: March 7, 2023
    Assignee: iProov Ltd.
    Inventors: Andrew Bud, Andrew Newell
  • Patent number: 11601435
    Abstract: In an example aspect, a method includes receiving, using a hardware processing device, a first classification of a network address associated with a login attempt as an account validator actor. The method also includes, based on the first classification, updating, using the hardware processing device, a system deny list to include the network address for a first length of time. The method also includes, after expiration of the first length of time, removing the network address from the system deny list, receiving a second classification of the network address as an account validator actor, and updating the system deny list to include the network address for a second length of time.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: March 7, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Bryan D. Hall, Nicola A. Maiorana, Richard Joseph Schroeder
  • Patent number: 11588899
    Abstract: Aspects of the subject disclosure include, for example, selecting a first edge device of a first network to provide a part of a service to a communication device, establishing a first session between the first edge device and a device of a second network for a duration of the service, wherein the first session is associated with a first portion of an address, establishing a second session between the first edge device and the communication device in accordance with an access technology to facilitate a transfer of first data associated with the first part of the service to the communication device, wherein the second session is associated with a second portion of the address, and wherein the second portion of the address identifies the access technology, and transferring the first data to the communication device in accordance with the address, wherein the address comprises a third portion that identifies the communication device. Other embodiments are disclosed.
    Type: Grant
    Filed: March 29, 2022
    Date of Patent: February 21, 2023
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Zhi Cui, Sangar Dowlatkhah
  • Patent number: 11582194
    Abstract: An apparatus for managing a security policy of a firewall according to an embodiment includes a rule request module that receives one or more requested rules to be applied to a firewall, a rule merge module that merges a pre-applied rule of the firewall and the one or more requested rules when the number of rules applied to the firewall exceeds a maximum number of rule registrations of the firewall due to the requested rule, and a firewall interface module that receives the pre-applied rule from the firewall and provides the pre-applied rule to the rule merge module, and re-registers a merged rule merged through the rule merge module in the firewall, and the rule merge module is configured to merge the pre-applied rule and the one or more requested rules so that a security vulnerable space occurring due to the merging is minimized.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: February 14, 2023
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Yong Jun Jin, Hak Hyun Nam, Yang Hwan Joe, You Chang Ko
  • Patent number: 11575788
    Abstract: Disclosed here is a method to determine a user intent when a user device initiates an interactive voice response (IVR) call with a wireless telecommunication network. A processor can detect the IVR call initiated with the network and determine whether the user device is a member of the network. Upon determining that the user device is a member of the network, the processor can obtain user history including interaction history between the user and the network. Based on the user history, the processor can predict the user intent when the user initiates the IVR call. The processor can detect whether the user device is a 5G capable device. Upon determining that the device is 5G capable and based on the predicted user intent, the processor can suggest to the user an application configured to execute on the user device and configured to address the predicted user intent.
    Type: Grant
    Filed: November 12, 2021
    Date of Patent: February 7, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: Phi Nguyen, Nathaniel Blodgett
  • Patent number: 11570270
    Abstract: Methods, apparatus, systems and articles of manufacture to prevent illicit proxy communications from affecting a monitoring result are disclosed. An example method includes accessing a log of communications of a proxy server, the log of communications including a plurality of records, each of the plurality of records corresponding to a requesting device that transmitted a communication to the proxy server, identifying a first internet protocol (IP) address subnet in the log of communications, the first IP address subnet associated with a block of IP addresses, filtering the plurality of records for a first set of records associated with communications originating from the first IP address subnet, and in response to determining the first set of records does not include a record associated with a heartbeat communication, adding the first IP address subnet to a blacklist of the proxy server.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: January 31, 2023
    Assignee: The Nielsen Company (US), LLC
    Inventors: Susan Cimino, Achilleas Papakostas
  • Patent number: 11550912
    Abstract: The present disclosure is directed to monitoring internal process memory of a computer at a time when program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chains of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: January 10, 2023
    Assignee: SONICWALL INC.
    Inventors: Soumyadipta Das, Sai Sravan Kumar Ganachari, Yao He, Aleksandr Dubrovsky
  • Patent number: 11546342
    Abstract: An information processing apparatus includes a first port, a second port, a storage device, and a determining unit. The first port is to be connected to a first network having a first security level. The second port is to be connected to a second network having a second security level. The second security level is lower than the first security level. The storage device holds first setting information for connection to the first network and second setting information for connection to the second network. The determining unit makes network connection to at least the first port in accordance with the second setting information and determines, on the basis of a result from the network connection to at least the first port in accordance with the second setting information, whether the network connection to the first port is made properly.
    Type: Grant
    Filed: March 10, 2020
    Date of Patent: January 3, 2023
    Assignee: OKI ELECTRIC INDUSTRY CO., LTD.
    Inventor: Yohei Ogawa
  • Patent number: 11546300
    Abstract: A firewall service for a cloud computing environment is described that uses an application identifier-based ruleset to process data packets. An application identifier-based rule may provide an action to be taken on a received packet based on the source application identifier, the destination application identifier, and/or an identification token associated with the source application. A firewall controller may verify applications of the computing environment, provide unique application identifiers, and manage the application identifier rules for one or more firewalls of the computing environments.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: January 3, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventor: Yiu Leung Lee
  • Patent number: 11539633
    Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: December 27, 2022
    Assignee: VMWARE, INC.
    Inventors: Dexiang Wang, Yong Wang, Jerome Catrouillet, Sreeram Ravinoothala
  • Patent number: 11539724
    Abstract: Systems and methods for detecting and mitigating cyber-attacks directed to connected vehicles. A method includes classifying a behavior of a connected vehicle into at least one classification with respect to a location of data transmission relative to the connected vehicle, wherein the at least one classification includes any of local and remote; determining a plurality of vehicle-related cyber-attack indicators related to the behavior of the connected vehicle; performing risk analysis based on a first combination of vehicle-related cyber-attack indicators and the classification, wherein performing the risk analysis further comprises matching the first combination to a plurality of second combinations of cyber-attack indicators of a plurality of known attack patterns, wherein each of the plurality of known attack patterns has at least one classification matching the at least one classification of the connected vehicle; and performing at least one mitigation action based on the risk analysis.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: December 27, 2022
    Assignee: Upstream Security, Ltd.
    Inventors: Yonatan Appel, Yoav Levy, Dor Attias
  • Patent number: 11516228
    Abstract: A method for processing security events by applying a rule-based alarm scheme may be provided. The method includes generating a rule index of rules and an indicator of compromise index for each of the rules. The method also includes processing the incoming security event by applying the rules, increasing a current rule counter relating to a triggered rule, and increasing a current indicator of compromise counter pertaining to the triggered rule. Furthermore, the method includes generating a pseudo security event from received data about known attacks and related indicators of compromise, processing the pseudo security events by sequentially applying the rules, increasing a current rule counter of pseudo security events, and increasing a current indicator of compromise counter for pseudo security events, and sorting the rules and sorting within each rule the indicator of compromise values in the indicator of compromise index.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: November 29, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Tim Uwe Scheideler, Ivan James Reedman, Arjun Udupi Raghavendra, Matthias Seul