Abstract: A program processing device (100) includes: an entry address masking unit (110) to generate a fake entry address, which is obtained by masking an entry address with the use of a save value copied from a setting value stored in a storage, and to replace an entry address used by an application program with the fake entry address; a memory monitoring unit (111) to determine whether the fake entry address is loaded during execution of the application program; and an entry address unmasking unit (112) to generate a new entry address, which is obtained by loading the setting value from the storage and unmasking the fake entry address with the use of the setting value, and to replace the fake entry address with the new entry address, when the fake entry address is loaded.

Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.

Abstract: Testing software applications often requires a balancing of thoroughness versus the time and computing resources available to perform such tests. Certain data handling operations may potentially expose data to unauthorized parties. However, not all data is equal; some data requires a greater degree of protection than other data, which may be based on a security context (e.g., rule, law, policy, etc.). By generating rules determined by a particular context, extraneous tests on data outside of the context, may be omitted. Unnecessary tests may be omitted and the results of each analysis process correlated to identify actual vulnerabilities and omit false positives, such as vulnerabilities to data that does not require the same degree of care to avoid unauthorized exposure.

Abstract: The invention relates to a method for improving the security in an electronic communication network, in which lures and decoys are distributed in the communication network. The aim of the invention is that of providing a systemisation for the selection and positioning of lures and decoys, by means of which the lures and decoys are distributed as optimally as possible in the communication network.

Abstract: In some aspects, a computing system may use a machine learning model to determine whether a computer security policy should be modified to reduce the likelihood of a cyber security incident. Through the use of a machine learning model, unsafe combinations of access grants or permissions may be identified and modified to prevent cyber security incidents from occurring. The computing system may input a representation of a computer security policy into a machine learning model, which has been trained on a dataset that includes representations of computer security policies. The computing system may generate output indicating a likelihood that the first computing system will be involved in a cyber security incident. Based on the output satisfying a first threshold, the computing system may generate a recommendation to modify the first computer security policy. The computing system may modify the first computer security policy based on the recommendation.

Abstract: Various embodiments include systems and methods of implementing automated assessment scheduling. A set of scheduling parameters may be received, including at least a frequency corresponding to how often assessments are to be completed via a particular automated assessment and a type of assessment to perform in the particular automated assessment. Based at least in part on the set of scheduling parameters, an assessment configuration may be generated. The assessment configuration includes a set of attributes defining how the particular automated assessment is to be performed. At least one scan engine resource of a set of scan engine resources may be identified for utilization in the particular automated assessment. Based at least in part on the assessment configuration and using the at least one scan engine resource, the particular automated assessment may be automatically initiated.

Abstract: Data is received that characterizes artefacts associated with each of a plurality of layers of a first machine learning model. Fingerprints are then generated for each of the artefacts in the layers of the first machine learning model. These generated fingerprints collectively form a model indicator for the first machine learning model. It is then determined whether the first machine learning model is derived from another machine learning model by performing a similarity analysis between the model indicator for the first machine learning model and model indicators generated for each of a plurality of reference machine learning models each comprising a respective set of fingerprints. Data characterizing the determination can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A comparison means compares a first risk analysis result with a second risk analysis result. The first risk analysis result includes a first risk evaluation value. The second risk analysis result includes a second risk evaluation value. Based on the result of the comparison, a display means displays the first risk evaluation value in such a manner that a first risk evaluation value for which there is a second risk evaluation value, in the second risk analysis result, for an attack step of which an attack destination coincides with an asset included in the first risk analysis result and an attack method coincides with an attack method included in the first risk analysis result can be distinguished from a first risk evaluation value for which there is no such second risk evaluation value.

Abstract: An integrated circuit (IC) applicable to performing system protection through dynamic voltage change may include a monitoring circuit, at least one power voltage generation circuit and a voltage adjustment circuit. The monitoring circuit monitors at least one security checking result of a security engine to determine whether at least one security event occurs. The at least one power voltage generation circuit generates at least one internal power voltage within the IC according to at least one input voltage received from outside of the IC, to provide the internal power voltage to at least one internal component of the IC. In response to occurrence of the at least one security event, the voltage adjustment circuit controls the at least one power voltage generation circuit to dynamically adjust the at least one internal power voltage, to control the internal power voltage randomly exceed predetermined voltage range thereof, thereby performing the system protection.

Abstract: Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor, registering an exception handler to handle the exception associated with by the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception, accessing a context record associated with the execution of the set of software instructions, evaluating the context record to determine if an exploit is present using the first reputation information, and based on a determination that an exploit is present, performing a corrective action for the exploit.

Abstract: The disclosed computer-implemented method for enforcing strict network connectivity and storage access during online payments may include (i) determining that a webpage in a tab of a browser application executing on the computing device includes a payment page for an e-commerce website, (ii) based on determining that the webpage includes a payment page, providing formjacking attack protection by monitoring network connectivity and storage access by the browser tab, (iii) based on the formjacking attack protection, identifying a potentially malicious attempt to hijack information entered into at least one web form included in the payment page, and (iv) in response to identifying the potentially malicious attempt, preventing the potentially malicious attempt from hijacking the information entered into the at least one web form included in the payment page. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The invention provides a device with cryptographic function, which includes: a hardware unit, exhibiting hardware-intrinsic properties; a key generating unit, generating a private key according to the hardware-intrinsic properties, and generating a public key according to the private key, for exchanging public keys with an outside device to convert communication payload information into first encrypted information based on the received public key; and a session operational unit, establishing a session key configured to encrypt the first encrypted information into second encrypted information to be transmitted between the cryptographic device with cryptographic function and the outside device. The key generating unit further optionally generates a secret key according to the hardware-intrinsic properties for securing data at rest in the cryptographic device.

Abstract: Aspects of the subject disclosure may include, for example, obtaining a request for a communication service from a user equipment, based on the obtaining of the request, assigning a first identifier to the user equipment as part of the communication service, obtaining first data from the user equipment as part of the communication service, analyzing at least the first data in accordance with at least one algorithm to determine that the user equipment is likely misconfigured in an amount that is greater than a threshold, resulting in a determination, based on the determination, mapping the first identifier to a second identifier associated with the user equipment, generating a message based on the mapping, and transmitting the message. Other embodiments are disclosed.

Abstract: A method for detecting network anomalies comprises monitoring a network that provides public-facing application services and monitoring at least one external public Internet platform outside of the network to obtain volumetric problem report data about the application services. The external public Internet platform is nonspecific to the application services. Responsive to the volumetric problem report data from the external public Internet platform(s) exceeding a threshold, at least one internal network event logging tool is queried for alerts, and from the alerts, at least one anomaly associated with the volumetric problem report data is identified and an anomaly report about the at least one anomaly is generated. Responsive to generating the anomaly report, it may be determined whether the at least one anomaly has a known remediation, and if so, the known remediation may be initiated automatically. Network administrator(s) may also be automatically notified.

Abstract: Methods, systems and computer program products are provided for integrating risk and threat intelligence from various sources, to provide real-time awareness of potential threats to a computer network, which are now described herein in terms of an example enterprise system.

Abstract: A method and a system for performing a search in a dataset in a mainframe session are disclosed. The method includes receiving at least one keyword associated with at least one query. The method includes identifying at least one from among at least one step containing the at least one keyword and at least one paragraph containing the at least one keyword based on the at least one query. The method includes tagging at least one identifier to at least one from among the at least one identified step and the at least one identified paragraph. Next, the method includes verifying the at least one tagged identifier. Thereafter, the method includes displaying at least one from among the at least one identified step and the at least one identified paragraph.

Abstract: System and methods are provided for building intelligence around IoT devices that can prioritize an attack attack sphere, such that scanning and protection can be focused on risky spheres before others that may be less at risk. The attack spheres include specific device types, vendors, geographic locations, demographics, or organizations. Priority based vulnerability scanning and protection is utilized along with the concept of attack spheres to define priority zones which may be unique. Priority computation based on trend analysis and predictive analysis is used to determine the vulnerability of specific devices and groups of devices. This will significantly reduce the attack exposure and ensures the proactive damage control.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: Techniques for electronic privacy protection are disclosed. A first data record is received, including one or more sensitive data fields and one or more non-sensitive data fields. One or more encrypted data fields are generated by encrypting the one or more sensitive data fields using an encryption key. One or more hashed data fields are generated by hashing the one or more sensitive data fields using a hash function. A first mapping is stored, associating at least a portion of the first data record with the encryption key. A second data record is stored, including the one or more non-sensitive data fields, the one or more encrypted data fields, and the one or more hashed data fields.

Abstract: Providing policy check functionality to file uploads is disclosed. An attempted file upload is detected at a browser isolation system. A user of a client is prompted to provide a credential associated with the file and usable to access contents of the file. A policy is applied to the file upload.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: An information processing system (10) comprises: a distance acquisition unit (110) that specifies an iris area containing an iris of a target from a visible-light image of the target, and acquires an iris distance that is a distance to the iris area; an iris image acquisition unit (120) that acquires an iris image of the target by changing a focal length according to the iris distance; a score computing unit (130) that calculates a score relating to deviation of a focus in the iris image, based on the iris image; and a correlation update unit (140) that updates correlation between the iris distance and the focal length at a moment of acquisition of the iris image, based on the score. According to such an information processing system, since the correlation is updated with good accuracy, it is possible to acquire the appropriate iris image.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: A system determines, in a graph which represents a system of components: vulnerability nodes representing known vulnerabilities to the system, including exposed and non-exposed vulnerability nodes associated with an exploitation likelihood; and dependency nodes representing components in the system, including direct and indirect dependency nodes associated with an exposure factor indicating an amount of degradation based on exploitation of an associated vulnerability. The system calculates, across all non-exposed vulnerability nodes and all direct dependency nodes, a score which indicates an attack volume based on at least: a respective second likelihood associated with a non-exposed vulnerability node; an exposure factor associated with a dependency node which represents a component directly degraded based on exploitation of a vulnerability; and a loss of utility of the component.

Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.

Abstract: An intrusion prevention system can be embedded in an industrial controller to detect possible attacks on the corresponding physical system of the industrial controller. The intrusion prevention system can analyze the payload of network packets received at the industrial controller and predict what harm the payload of the network packet could cause to the physical system if executed by the industrial controller. To predict how the payload of a network packet may affect the physical system, the intrusion prevention system can perform a simulation with the payload of the network packet. The simulation can incorporate a model of the physical system, a copy of the logic used by the industrial controller and information relating to the current state of the system. The result of the simulation can be new predicted states for the physical system that can be evaluated to determine if a safety violation has occurred.

Abstract: Various embodiments include systems and methods to implement predictive scan autoscaling by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time. The security platform may combine predicted scanning loads with requests for scans received from various client networks.

Abstract: Examples described herein relate to a system and method for managing the security of an edge enclosure. The edge enclosure is deployed in a mobile environment and travels between a base location and a task location to perform a task. The task is defined and configured at a chassis manager by a management device. A server in the edge enclosure processes data associated with the task. The chassis manager detects a loss of communication between the chassis manager and the management device. The chassis manager performs a security action based on task status. The task status is either ongoing or completed. The security action performed at the edge enclosure protects the data present in the server from tampering. The management device transmits alerts to the customers of the edge enclosure after the task is completed.

Abstract: Disclosed are techniques for identifying unique byte sequences for malware families. A method can include receiving a collection of malware signature samples, grouping the samples in the collection by malware family, and for each family: identifying unique byte sequences in the samples and a number of instances of the unique byte sequences across the samples, adding the identified unique byte sequences to a dictionary for the malware family, retrieving a dictionary of at least another malware family, comparing the unique byte sequences in the dictionary for the malware family with byte sequences in the dictionary of the another malware family, identifying a conflicting byte sequence based on (i) the comparison and (ii) determining that a number of instances of the conflicting byte sequence is more than a threshold number of instances, and removing the identified conflicting byte sequence from the dictionary for the malware family.

Abstract: A system, method, and computer-readable media for establishing a framework for managing application permissions in a group-based communication system. Upon receipt, from an application in a group-based communication system, of an attempt to access a target internet domain, an application manifest associated with the application is accessed. The manifest includes a list of approved internet domains previously approved by an administrator of the group-based communication system which the application may access. Following access of the manifest, it is determined whether the target internet domain is included in the list of approved internet domains. If the target internet domain is included in the list of approved internet domains, the application is allowed to access the target internet domain. If the target internet domain is not included in the list of one or more approved internet domains, access to the domain by the application is denied.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: The application relates to a method of attesting a state of a computing environment comprising a plurality of components and a plurality of dependency relationships between the plurality of components. The method comprising the steps of A) generating a directed acyclic graph comprising a plurality of nodes and a plurality of directed edges connecting the nodes, comprising and B) generating an attest of the state of the computing environment using the directed acyclic graph. Generating a directed acyclic graph comprises: A1) associating a node with each component; A2) associating a node with each dependency relationship and assigning the node with a hash value of data descriptive of said dependency relationship; A3) connecting, using directed edges—each node associated with a dependency relationship to a node(s) associated with a component(s) included in the respective dependency relationship; and A4) assigning each node with a hash value of all of its subnodes.

Abstract: Various aspects described herein relate to presenting electronic patient data accessing information. Data related to a plurality of access events, by one or more employees, of electronic patient data can be received. A set of access events of the plurality of access events can be determined as constituting, by the one or more employees, possible breach of the electronic patient data. An alert related to the set of access events can be provided based on determining that the set of access events constitute possible breach of the electronic patient data.

Abstract: Disclosed is phishing classifier that classifies a URL and content page accessed via the URL as phishing or not is disclosed, with URL feature hasher that parses and hashes the URL to produce feature hashes, and headless browser to access and internally render a content page at the URL, extract HTML tokens, and capture an image of the rendering. Also disclosed are an HTML encoder, trained on HTML tokens extracted from pages at URLs, encoded, then decoded to reproduce images captured from rendering, that produces an HTML encoding of the tokens extracted, and an image embedder, pretrained on images, that produces an image embedding of the image captured. Further, phishing classifier layers, trained on the feature hashes, the HTML encoding, and the image embedding, process the URL feature hashes, HTML encoding and image embeddings to produce a likelihood score that the URL and the page accessed presents a phishing risk.

Abstract: A Web site comprise detection method and system are disclosed. The method includes obtaining a resource identifier associated with a remote computer, and then receiving source code associated with the resource identifier. The method also includes parsing the source code, analyzing the source code to determine an indicator of compromise is present in the source code, determining that the indicator of compromise is associated with malware meta-data, and storing the resource identifier associated with the source code associated with the malware meta-data in a database.

Abstract: A system includes at least one hardware processor and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include configuring a processing stack in an execution node process. The processing stack includes a telemetry application programming interface (API). At least one configuration of a trace event is retrieved using an API call received by the execution node process. Telemetry information of the trace even is collected using the telemetry API based on the at least one configuration. An event table is updated based on the telemetry information.

Abstract: Computer technology for protecting data security in a computerized system for recommending content to users where, a processing unit generates an identifier for a first data record relating to a user device based on a first machine learning model. Then, the processing unit sends the identifier to a service provider, and the service provider uses the identifier to determine one or more contents to be sent to the user device. Creating and using a decision tree machine learning (ML) model and a cluster ML model with training records and a transformed records.

Abstract: Methods and descriptions are described herein for using user-specific parameters to detect malicious activity in an interaction by a user. In particular, the system may receive user action data representing user actions for users relative to applications. The system may generate, using first user action data representing first user actions of a first user, parameters specific to the first user for determining whether interactions of the first user represent malicious activity. The system may receive, for the first user, a request for a pending interaction with a particular application. The system may then use a first user model trained on the first user action data to identify a set of parameters for identifying the malicious activity. The system may validate the request, in real time, by using the set of parameters to generate a likelihood that the request represents malicious activity.

Abstract: Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.

Abstract: An electronic apparatus and a security protection method are disclosed. The electronic apparatus includes a security protection apparatus and a first processor. Security isolation exists between the security protection apparatus and the first processor. The first processor is configured to operate when driven by software, and the software includes an operating system and/or an application. The security protection apparatus is configured to: perform security detection on the software, and when detecting that the software is tampered with, perform a security protection operation on the electronic apparatus. In this way, the electronic apparatus may be monitored in real time during an operating process of the electronic apparatus, to avoid theft or modification of important data such as key data and improve security.

Abstract: A system and method for the secure and private demonstration of cloud-based cyber-security tools. Using an advanced sandboxing design patterns, isolated instances of virtual networks allow a potential client to compare their existing cyber defense tools against a set of cloud-based tools. Capitalizing on non-persistent and secure sandboxes allow the invention to demonstrate fully functional and devastating cyber-attacks while guaranteeing strict privacy and security to both existing customers and potential ones. Additionally, instantiating separate sandboxed observed systems in a single multi-tenant infrastructure provide each customer with the ability to rapidly create actual representations of their enterprise environment offering the most realistic and accurate demonstration and comparison between products.

Abstract: A method includes performing, by a terminal with an access card, a first relay attack check for the access card in accordance with a local value associated with the terminal and a local value associated with the access card; determining, by the terminal, that the access card has passed the first relay attack check, and based thereon, performing, by the terminal with the access card, an authentication check of the access card in accordance with the local value associated with the terminal, the local value associated with the access card, and a local challenge value associated with the terminal; and determining, by the terminal, that the access card has passed the first relay attack check and the authentication check, and based thereon, validating, by the terminal, the access card.

Abstract: Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.

Abstract: An endpoint protection system is provided. The system comprises: an endpoint agent deployed to an endpoint device, wherein the endpoint agent is built-into one or more existing applications running on the endpoint device and is configured to capture network session activity between the endpoint device and one or more internet servers to detect a phishing attack using a set of machine learning algorithm trained classifiers, and block the phishing attack; and an endpoint management system in remote communication with the endpoint agent, wherein the endpoint management system is configured to train and develop the set of classifiers, and receive information about the detected phishing attack and an incident report from the endpoint agent, the endpoint agent provides a graphical user interface running on the endpoint device allowing an end user to configure one or more protections provided by the endpoint agent.

Abstract: Apparatuses, methods, and systems for controlling views of a website. One method includes generating selected variant data including data of the A view and data of the B view, providing the selected variant data including data of an A view or data of a B view to a state management library, generating, by the state management library, a UI (user interface) of a website based on the data of the A view data or the data of the B provided to the state management library, controlling displaying underlying data of a website view on a user browser based on the UI generated by the state management library, wherein the website view is generated by a front-end framework, wherein the front-end framework provides input to a website DOM which controls the website view on the user browser, and manipulating views of the website with the front-end framework based on the selected variant data.

Abstract: In an implementation, a request for one or more attachments stored in an application document store is received from a requestor and by an application agent associated with an application. For each attachment identified in the request, the application agent: 1) requests the attachment from a data privacy integration (DPI) kernel service; 2) receives a download link to an attachment in the application document store; 3) downloads, using the download link, the attachment from the application document store; 4) informs the DPI kernel service that a download of the attachment is complete; and 5) receives a message from the DPI kernel service that the download link has been deactivated. The application agent returns the one or more attachments to the requestor.

Abstract: A method and a system for intercepting dirty data is disclosed, the method includes: starting a vulnerability detection task and loading an application and an underlying code for communication between the application and a database; acquiring the underlying code and editing the detection logic code to obtain an underlying detection code; acquiring an original request of an application and initiating a replay request through an active IAST so that the application obtains a data stream in response to the replay request; communicating, by the application, with the database through a network to trigger the underlying detection code to start; examining a type of a structured query language of the data stream according to the underlying detection code; constructing and sending an exception structured query language to the database; and returning, by the database, error information to the application and stopping writing the data stream into the database.

Abstract: Systems, methods, and computer-readable storage media for protecting data, the data protection system can include one or more processing circuits including memory and at least one processor configured to receive, via a vendor security tool application, a cybersecurity insurance request from the entity, the cybersecurity insurance request including entity data of an entity and determine a cybersecurity posture with proof based on the entity data. The at least one processor is further configured to determine, utilizing one or more insurance parameters, at least one cybersecurity insurance plan corresponding to a cybersecurity attribute to protect the entity based on the cybersecurity posture with proof. The at least one processor is further configured to provide the at least one cybersecurity insurance plan. The at least one processor is further configured to receive an acceptance of the at least one cybersecurity insurance plan and record the acceptance in a compliance dataset.

Abstract: In an embodiment, a process for graph search and visualization includes receiving a query graph, and calculating one or more vectors for the query graph, where the one or more vectors each identifies a corresponding portion of the query graph. The process includes identifying one or more graphs similar to the query graph including by comparing the calculated one or more vectors for the query graph with one or more previously-calculated vectors for a different set of graphs and outputting the identified one or more similar graphs. The comparison with the previously-calculated vector(s) may be based on previously-calculated vector(s) processed by grouping the one or more vectors into at least one group of vectors, identifying a representative graph for each of the at least one group of vectors; and storing the at least one group of vectors and a respective identified representative graph.

Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.