Abstract: Disclosed are database systems, computing devices, methods, and computer program products for identifying recurring sequences of user interactions with an application. In some implementations, a server of a database system provides a user interface of the application for display at a computing device. The database system stores data objects identifying a first plurality of user interactions with the application. The server receives information representing a second plurality of user interactions with the application. The server updates the database system to further identify the second user interactions. The server identifies a recurring sequence of user interactions from the first and second user interactions as resulting in a first target state of the application. The server updates the database system to associate the recurring sequence of user interactions with the first target state of the application.

Abstract: Methods and systems for providing browser extension are disclosed. In some embodiments, the browser extension system includes a communication device in communication with a computing device and a networked system. The browser extension system also includes a processor configured to perform operations comprising: maintaining data associated with the computing device; detecting, through a browser extension application running on the computing device, a field in a web page associated with the networked system and provided by a web browser application running on the computing device; and in response to detecting the field: (i) automatically populating the field, through the browser extension application, with a secure token mapped to the data, (ii) detecting, through the browser extension application, a submission script associated with the web page, and (iii) automatically executing the submission script to submit the secure token through the browser extension application to the networked system.

Abstract: A network management system is configured to detect one or more malicious activities at one or more devices connected to a network. The network management system is configured to determine a malware root of the one or more malicious activities and generate a network-wide indicating a hierarchical relationship between the malicious activities spawned by the malware root and the malware root. The malicious activities spawned by the malware root represented in the network-wide malware include the one or more malicious activities and include a plurality of malicious activities spawned across a plurality of devices connected to the network.

Abstract: A system, method, and apparatus for identifying and removing malicious applications are disclosed. An example apparatus includes an executable application configured to collect data regarding processes operating on a client device during a time period. The executable application is also configured to purposefully access, during the time period, an application server using a web browser on the client device in an attempt to trigger a malicious application potentially located on the client device. The executable application is configured to transmit, after the time period, the collected data to an analysis server to determine whether the malicious application is located on the client device.

Abstract: Techniques are described for detecting and attributing automatic unauthorized redirects originating from executable code contained within an advertisement hosted within a web page or application displayed on an end user's mobile or desktop computing devices.

Abstract: A system obtains security data of interconnected networks. The visibility of the security data is asymmetric for each interconnected network relative to the other. The security data is continuously stored and used in real-time or near real-time to identify services of the interconnected networks that require safeguards against a potential cyberattack. The interworking system determines a security parameter that relates the security data to the potential cyberattack and communicates the security parameter to the interconnected networks. The interconnected networks can safeguard against the potential cyberattack based on the security parameter.

Abstract: A network anomaly data detection method includes the following steps: receiving access request data transmitted by a client; searching historical access request data corresponding to a user session identifier in the access request data; acquiring a header character string of the access request data; performing word segmentation processing on the header character string according to a preset step length so as to obtain a word segmentation set; obtaining a word segmentation weight matrix according to the historical access request data and the word segmentation set; inputting the word segmentation weight matrix into an anomaly data detection model so as to obtain a data anomaly probability; and judging whether anomaly data exists in the header character string according to the data anomaly probability.

Abstract: A computer-implemented method according to an aspect includes training a cognitive network, utilizing metadata associated with historic data threats, inputting metadata associated with a current data threat into the trained cognitive network, identifying, by the trained cognitive network, one or more stored instances of data determined to be vulnerable to the current data threat, and adjusting one or more security aspects of the one or more stored instances of data determined to be vulnerable to the current data threat.

Abstract: A sensor monitoring system includes a plurality of image capture devices. Each image capture device includes one or more sensors to detect image data representing an environment about the image capture device, communications circuitry to receive sensor data from a sensor device and remote sensor data including at least one of a second image of the sensor or second position data regarding the sensor device, and processing circuitry to validate the sensor device based on the sensor data, determine first position data regarding the sensor device based on at least one of the first network connection or the remote sensor data, determine that the sensor device is in an image capture range based on the first position data, retrieve one or more images of the sensor device, and generate an alert based on the first position data.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility; converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors; and, accessing an entity behavior catalog based upon the entity behavior catalog data; and performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: Systems and methods are described herein for automatically identifying spam in social media comments based on comparison of the context or topic of the popular or trending post with the context or topic of each comment associated with the post. Content of a social media post is processed to identify a topic of the social media post. A plurality of comments associated with the social media post are accessed and the topic of each comment is compared to the topic of the social media post and, if the topics do not match, the comment is identified as spam. A notification is generated for display to an administrator of the social media platform on which the social media post resides identifying the comment as spam.

Abstract: A method for providing an automatically enhanced model of one or more networks, the method may include (a) determining missing next hop points; (b) finding multiple linkable pairs of relevant network elements interfaces, wherein a relevant network element interface is associated with one of the missing next hop points; and virtually linking relevant first network element interfaces of the multiple linkable pairs and the relevant second network element interfaces of the multiple linkable pairs to provide the automatic enhanced model of the one or more network. The virtually linking may include virtually adding one or more artificial network elements between the relevant first network element interfaces of the multiple linkable pairs and the relevant second network elements interfaces of the multiple linkable pairs.

Abstract: A method for changing a processor instruction randomly, covertly, and uniquely, so that the reverse process can restore it faithfully to its original form, making it virtually impossible for a malicious user to know how the bits are changed, preventing them from using a buffer overflow attack to write code with the same processor instruction changes into said processor's memory with the goal of taking control of the processor. When the changes are reversed prior to the instruction being executed, reverting the instruction back to its original value, malicious code placed in memory will be randomly altered so that when it is executed by the processor it produces chaotic, random behavior that will not allow control of the processor to be compromised, eventually producing a processing error that will cause the processor to either shut down the software process where the code exists to reload, or reset.

Abstract: Data retrieval from connected devices for a data-driven anomaly detection system while complying with performance and/or availability requirements of services that rely on operation of the connected devices. Determining the amount of data, type of data, and retrieval frequency for detecting performance anomalies for each connected device that is relied upon by services so as to maintain required performance and/or availability to the service. The required parameters being the subject of an SLA for the service or the connected devices, such as IoT devices.

Abstract: Aspects of the disclosure relate to identifying potentially malicious messages and generating instream alerts based on real-time message monitoring. A computing platform may monitor a plurality of messages received by a messaging server associated with an operator. Subsequently, the computing platform may detect that a message of the plurality of messages is potentially malicious. In response to detecting that the message of the plurality of messages is potentially malicious, the computing platform may execute one or more protection actions. In executing the one or more protection actions, the computing platform may generate an alert message comprising information indicating that the message of the plurality of messages is potentially malicious. Then, the computing platform may send the alert message to the messaging server, which may cause the messaging server to deliver the alert message to a computing device associated with an intended recipient of the message.

Abstract: Systems and methods are provided for automatically analyzing emails that have been flagged as being potentially malicious (e.g., phishing attempts) to determine whether the permit or block the email. The systems and methods can use a scoring framework to determine whether the email is part of a phishing attempt. A set of rules are provided, and points are awarded to the email based on which of a set of rules are satisfied for the email. An email that exceeds a scoring threshold can be identified as a phishing attempt for potential evaluation, and can be routed to a security analyst for further analysis and process. After a predetermined period of time, the system can rerun analysis of emails which have not been identified as phishing attempts and determine if such emails now exceed the scoring threshold.

Abstract: A method for phishing detection using uniform resource locators is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL). The method includes assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score indicating a phishing potential based on URL rules. The method includes determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs. The method also includes determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL.

Abstract: A method for mitigating network abuse includes obtaining a first set of network traffic messages of network traffic currently received by a network service and determining, via a first model, whether network abuse is occurring based on the first set of network traffic messages. When the network abuse is occurring, the method includes obtaining a second set of current network traffic messages. The method also includes, for each network traffic message in the second set of network traffic messages, labeling, via a second model, the network traffic message as an abusing network traffic message or a non-abusing network traffic message. The method also includes generating, via a third model, at least one network traffic rule. Each network traffic rule, when implemented, reduces an effect of the abusing network traffic messages.

Abstract: Described is a system for producing indicators and warnings of adversarial activities. The system receives multiple networks of transactional data from different sources. Each node of a network of transactional data represents an entity, and each edge represents a relation between entities. A worldview graph is generated by merging the multiple networks of transactional data. Suspicious subgraph regions related to an adversarial activity are identified in the worldview graph through activity detection. The suspicious subgraph regions are used to generate and transmit an alert of the adversarial activity.

Abstract: This method is a process that improves the execution time and maintains very precise clustering effectiveness utilizing a unique algorithm (identified as PPK means) that optimizes a process that is referred to as K-means clustering. The PPK means algorithm utilizes estimation values of signatures of new centroids for speed improvement and encoded data to provide a level of privacy protection. A system comprises a processor, operably coupled to memory, and that executes the computer-executable components, wherein the computer-executable components comprise: an encoding component that encodes a set of real-time valued vectors as bit vectors; and a clustering component that performs K-means clustering on the bit encoded vectors.

Abstract: A system and method enabling an entity to prove its identity and provide authentic documents/data/information therein at any time required based upon data retrieved from an independent cryptographically verifiable source (ICVS) through a secured channel is disclosed. The system enables a virtual and secure browser on a user computing device allowing a user to login and retrieve authentic information pertaining to the user from the ICVS in a verifiable and untamperable manner. The retrieved information is bounded with origination information of the ICVS and the bounded information is provided to relying entities as authentic information for verification. Also, cryptographic value of the authentic information can be stored in an immutable storage such as blockchain, so that the cryptographic value is used by the relying-party to validate integrity of the authentic information.

Abstract: A method of operating an Internet of Things device is described. In the method, an electrical power is supplied to electrical circuitry in the Internet of Things device. The Internet of Things device is communicatively coupled to a computer network using circuitry of a transceiver and a communications module of the Internet of Things device. A detecting circuit is operated to indirectly monitor a level of activity of the communications module. If the level of activity of the communications module is determined to exceed a threshold value, a volume of communications between the Internet of Things device and the computer network is curtailed.

Abstract: A system analyzes periodically collected data associated with entities, for example, users, servers, or systems. The system determines anomalies associated with populations of entities. The system excludes anomalies from consideration to increase efficiency of execution. The system may rank the anomalies based on relevance scores. The system determines relevance scores based on various factors describing the sets of entities. The system may present information describing the anomalies based on the ranking. The system may use a machine learning based model for predicting likelihoods of outcomes associated with sets of entities. The system generates alerts for reporting the outcomes based on the predictions.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: Disclosed herein is application specific integrated circuit (ASIC) redesign for security and analysis testing tool, which includes hardware description language code with on-chip security circuitry for detecting and mitigating hardware Trojan horses (HTHs) in an ASIC chip. The testing tool is used between a design stage of the ASIC chip and a synthesis phase of production of the ASIC chip to add test circuitry to the ASIC chip in order to facilitate testing and protecting of the ASIC chip from the HTHs long after production. The test circuitry facilitates search for HTHs, HTH triggering events, and changes made to the ASIC if the HTH has been activated.

Abstract: A request control device, when receiving a request issued from a client to a Web system, causes a sandbox in which an environment of the Web system is reproduced to inspect the request. The request control device transfers the request to the Web system if an inspection result of the request in the sandbox does not indicate detection of an attack. The request control device does not transfer the request to the Web system if the inspection result of the request indicates detection of an attack.

Abstract: A computer system for communicating with an industrial system includes: a data collection server for receiving equipment data from the industrial system and providing a data stream by pre-processing the equipment data according to a plurality of pre-determined rules; a first uni-directional interface for transmitting the data stream to one or more further computer systems; and a second uni-directional interface for receiving a data packet from the one or more further computer systems, the data packet including a control instruction that allows a modification of at least a particular rule of the plurality of the pre-determined rules. The first uni-directional interface includes a data diode. The second unidirectional interface receives the control instruction in a first part of the data packet. The first uni-directional interface receives the first part of the data packet in a size limitation that corresponds to amounts of data required to identify the modification.

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

Abstract: A cryptography module for a computing device. The cryptography module is designed to check at least one memory area of a memory device which the computing device may access, as the result of which a result of the check is obtained, and to store the result at least temporarily.

Abstract: A multiplier is utilized to quantify a cybersecurity risk level of a portfolio of entities (e.g., companies) and enable actions to mitigate that quantified risk. In doing so, features or attributes of one or more companies in a portfolio are compared to features or attributes of one or more companies that experienced an adverse cybersecurity event (e.g. a data breach). Further, a degree of dependency, such as a matrix of a number of shared vendors and the proximity of those vendors to the companies, can be measured between (1) portfolio companies and one or more companies that experienced a cybersecurity event, and/or (2) the portfolio companies themselves to better quantify the risk. That is, to more meaningfully analyze a cybersecurity event that occurred at one or more companies and better predict the likelihood of an occurrence at portfolio companies, embodiments can determine an n-degree interdependency between companies.

Abstract: A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.

Abstract: A system and method for detecting and blocking bots are presented. The method includes receiving unlabeled data regarding a visitor of a web source, grouping the received unlabeled data with similar characteristics into a group of data, detecting, based on the group of data, at least one anomaly, and determining, based on the at least one detected anomaly, several visitors to be blacklisted.

Abstract: Systems, methods, and apparatuses for anomalous user behavior detection and risk-scoring individuals are described. User activity data associated with a first computing device of a first user is received from an agentless monitoring data source different from the first computing device. The user activity data includes a user identifier. An active directory (AD) identifier and employee-related information from a human resources database are determined based on the user identifier. Based on the employee-related information and/or AD identifier, a probability of an adverse event is determined. When the probability of the adverse event exceeds a predetermined threshold, a logging agent is activated on the first computing device and additional user activity data is received from the logging agent.

Abstract: A computer-implemented system and method for device discovery and recovery in a secure network comprises registering a plurality of devices, where the devices form the secure network at a location. Communication between the plurality of registered devices is enabled, and messages passed between the plurality of devices are collected. The method further comprises determining which one of the plurality of devices is a compromised device by using a consensus network that includes the plurality of devices of the secure network.

Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Risks and vulnerabilities associated with user entities may be represented, in part or in whole, by the behavioral analyses and monitoring of those user entities.

Abstract: Protecting from automatic reconnection with Wi-Fi access points having bad reputations. In some embodiments, a method may include determining that the mobile device is within range of a Wi-Fi access point, determining that the mobile device is configured to automatically reconnect to the Wi-Fi access point, receiving a request to indicate whether the Wi-Fi access point has a bad reputation, accessing an access point reputation database to determine whether the Wi-Fi access point has a bad reputation, sending an indication that the Wi-Fi access point has a bad reputation, and, in response to the indication that the Wi-Fi access point has a bad reputation, protecting the mobile device from the Wi-Fi access point by performing a remedial action at the mobile device.

Abstract: Presented herein are systems and methods to determine whether a dynamic host configuration protocol (DHCP) server in DHCP snooping environment is a trusted device without requiring trusted port configuration. In one or more embodiments, a DHCP snooping-enable switch/router adds an indicator to a message intended for a DHCP server, thereby notifying the DHCP server that the DHCP switch/router is enabled for or capable of “detection of trusted DHCP server.” The DHCP server includes a unique trusted identifier in its reply that the DHCP switch/router uses to verify whether the DHCP server can be considered a trusted device.

Abstract: Various embodiments include methods, components and wireless devices configured to identify illegitimate base station. The processor of the wireless device may determine that a device in communication with the wireless device is a suspect base station. The processor may send a fabricated message to the device, and may receive one or more response messages from the device. The processor may determine whether one or more of the response messages received from the device is an appropriate response or an inappropriate response to the fabricated message. In response to determining that a response message is an inappropriate response, the processor may determine that the device is an illegitimate base station. In response to determining that the device is an illegitimate base station, the wireless device may perform a protective action.

Abstract: According to certain embodiments, an electronic device comprises a communication module; a plurality of sensors and configured to obtain sensing data; at least one processor operatively connected to the plurality of sensors and the communication module; and a memory operatively connected to the at least one processor, wherein the memory stores instructions that, when executed, cause the at least one processor to perform a plurality of operations comprising: transmitting the sensing data to a server through the communication module; receiving, from the server, information on a similarity between the sensing data and a first cluster among a plurality of clusters clustering data related to user activities, through the communication module, wherein the similarity is identified based on a center similarity score between the sensing data and the first cluster, a score that is a function of a variance of the first cluster, a score that is a function a distance between the first cluster and other clusters, and an int

Abstract: Techniques are disclosed relating to generating trained machine learning modules to identify whether user interfaces accessed by a computing device match user interfaces associated with a set of Internet domain names. A server computer system receives a set of Internet domain names and generates screenshots for user interfaces associated with the set of Internet domain names. The server computer system then trains machine learning modules that are customized for the set of Internet domain names using the screenshots. The server then transmits the machine learning modules to the computing device, where the machine learning modules are usable by an application executing on the computing device to identify whether a user interface accessed by the device matches a user interface associated with the set of Internet domain names. Such techniques may advantageously allow servers to identify whether user interfaces are suspicious without introducing latency and increased page load times.

Abstract: A malware detection method and system using a memory map. A malware detection method may include collecting, by processing circuitry, a plurality of memory maps from a plurality of client devices, a client program being installed in each of the plurality of client devices, analyzing, by the processing circuitry, a plurality of memory addresses of the plurality of memory maps to obtain an analysis result, and determining, by the processing circuitry, whether malware is present in one of the plurality of client devices based on the analysis result.

Abstract: Techniques for performing cyber-security alert analysis and prioritization according to machine learning employing a predictive model to implement a self-learning feedback loop. The system implements a method generating the predictive model associated with alert classifications and/or actions which automatically generated, or manually selected by cyber-security analysts. The predictive model is used to determine a priority for display to the cyber-security analyst and to obtain the input of the cyber-security analyst to improve the predictive model. Thereby the method implements a self-learning feedback loop to receive cyber-security alerts and mitigate the cyberthreats represented in the cybersecurity alerts.

Abstract: Methods and systems for managing health of devices in an Internet of Things (IoT) environment. A method includes detecting an occurrence of at least one event on a device of a plurality of devices and determining a change in ambience in the device. The method also includes detecting at least one anomaly in the device if the determined change in the ambience of the at least one device does not satisfy threshold criteria determined for the at least one event. The method further includes determining at least one root cause for the at least one anomaly detected in the device.

Abstract: A substitution apparatus for installation in a vehicle in which a plurality of in-vehicle control apparatuses are implemented, the substitution apparatus including a control unit and a substitute unit. The control unit is configured to control the substitute unit based on transmission data transmitted from the in-vehicle control apparatuses, specify an abnormal in-vehicle control apparatus based on the transmission data, disable the specified abnormal in-vehicle control apparatus, and apply, to the substitute unit, a program for exhibiting functions otherwise normally executed by the specified abnormal in-vehicle control apparatus. The substitute unit is configured to substitute for the disabled in-vehicle control apparatus by executing the applied program.

Abstract: Systems and methods for software application usage detection on a user device and other computing device are disclosed. The software application usage detection is done by monitoring the network usage of the application or by usage recognition using methods provided by operating systems. The system identifies a set of applications and monitors their usage. The system is enabled to monitor the behaviors of users and control the same using smart rules set up based on user preferences to prevent over usage and usage in un-acceptable conditions.

Abstract: Aspects of the present disclosure relate to systems and methods for partitioning an OS or hypervisor utilized on a computing device from the process of proxy control. For example, a proxy may be installed on a separation kernel or firmware on a computing device that routes all data traffic received via a network connection to a cloud which performs various services such as IP reputation management, URL reputation detection and validation, malicious file filtering through potential malware detection.

Abstract: Clustering and outlier detection in anomaly and causation detection for computing environments is disclosed. An example method includes receiving an input stream having data instances, each of the data instances having multi-dimensional attribute sets, identifying any of outliers and singularities in the data instances, extracting the outliers and singularities, grouping two or more of the data instances into one or more groups based on correspondence between the multi-dimensional attribute sets and a clustering type, and displaying the grouped data instances that are not extracted in a plurality of clustering maps on an interactive graphical user interface, wherein each of the plurality of clustering maps is based on a unique clustering type.

Abstract: Techniques herein enable a tenant of a multi-tenant database to select a programming language to interact with a platform that uses a default programming language. A tenant-specific engine may manage a runtime context associated with the tenant in which a tenant may input code that is translated into the default programming language and executed. During execution, the tenant-specific engine may enforce various multi-tenant protections associated with the tenant. For example, the tenant-specific engine may monitor the runtime context and operations of the translated code, and may enforce computational limitations of the tenant as the translated code is executed.

Abstract: Exemplary embodiments can identify the toxic PI combinations and flag these combinations for evaluation. Because organization policies on toxic PI combinations can constantly evolve, the system may be continuously updated with the latest policies. Exemplary embodiments may be used as part of an automated code review for application development and for monitoring of existing applications and programs. Thus, exemplary embodiments take the guesswork out of identifying risks in applications and programs by providing an automated tool that can scan and identify toxic combinations in accordance with various policies.

Abstract: Various embodiments relate to a memory controller, including: a memory interface connected to a memory; an address and command logic connected to the memory interface and a command interface, wherein the address and control logic is configured to receive a memory read request; a memory scrubber configured to cycle through memory locations and to read data from those locations; a region selector configured to determine when a memory location read by the memory scrubber is within an integrity checked memory region; a runtime integrity check (RTIC) engine connected to a read data path of the memory interface, wherein the RTIC engine is configured to calculate an integrity check value for the RTIC region using data read from the checked memory region by the memory scrubber; and a RTIC controller configured to compare the calculated integrity check value for the checked memory region to a reference integrity check value for the checked memory region.