Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: An intrusion prevention system can be embedded in an industrial controller to detect possible attacks on the corresponding physical system of the industrial controller. The intrusion prevention system can analyze the payload of network packets received at the industrial controller and predict what harm the payload of the network packet could cause to the physical system if executed by the industrial controller. To predict how the payload of a network packet may affect the physical system, the intrusion prevention system can perform a simulation with the payload of the network packet. The simulation can incorporate a model of the physical system, a copy of the logic used by the industrial controller and information relating to the current state of the system. The result of the simulation can be new predicted states for the physical system that can be evaluated to determine if a safety violation has occurred.

Abstract: Various embodiments include systems and methods to implement predictive scan autoscaling by a security platform to predict scanning loads associated with computing resources. Predictive scan autoscaling may improve the security posture of computing resources by improving the speed by which a security platform may scan for threats of a cyberattack. The security platform may predict scanning loads based on data indicative of previous scanning loads over one or more periods of time. The security platform may combine predicted scanning loads with requests for scans received from various client networks.

Abstract: A system determines, in a graph which represents a system of components: vulnerability nodes representing known vulnerabilities to the system, including exposed and non-exposed vulnerability nodes associated with an exploitation likelihood; and dependency nodes representing components in the system, including direct and indirect dependency nodes associated with an exposure factor indicating an amount of degradation based on exploitation of an associated vulnerability. The system calculates, across all non-exposed vulnerability nodes and all direct dependency nodes, a score which indicates an attack volume based on at least: a respective second likelihood associated with a non-exposed vulnerability node; an exposure factor associated with a dependency node which represents a component directly degraded based on exploitation of a vulnerability; and a loss of utility of the component.

Abstract: An information processing system (10) comprises: a distance acquisition unit (110) that specifies an iris area containing an iris of a target from a visible-light image of the target, and acquires an iris distance that is a distance to the iris area; an iris image acquisition unit (120) that acquires an iris image of the target by changing a focal length according to the iris distance; a score computing unit (130) that calculates a score relating to deviation of a focus in the iris image, based on the iris image; and a correlation update unit (140) that updates correlation between the iris distance and the focal length at a moment of acquisition of the iris image, based on the score. According to such an information processing system, since the correlation is updated with good accuracy, it is possible to acquire the appropriate iris image.

Abstract: Examples described herein relate to a system and method for managing the security of an edge enclosure. The edge enclosure is deployed in a mobile environment and travels between a base location and a task location to perform a task. The task is defined and configured at a chassis manager by a management device. A server in the edge enclosure processes data associated with the task. The chassis manager detects a loss of communication between the chassis manager and the management device. The chassis manager performs a security action based on task status. The task status is either ongoing or completed. The security action performed at the edge enclosure protects the data present in the server from tampering. The management device transmits alerts to the customers of the edge enclosure after the task is completed.

Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.

Abstract: Disclosed are techniques for identifying unique byte sequences for malware families. A method can include receiving a collection of malware signature samples, grouping the samples in the collection by malware family, and for each family: identifying unique byte sequences in the samples and a number of instances of the unique byte sequences across the samples, adding the identified unique byte sequences to a dictionary for the malware family, retrieving a dictionary of at least another malware family, comparing the unique byte sequences in the dictionary for the malware family with byte sequences in the dictionary of the another malware family, identifying a conflicting byte sequence based on (i) the comparison and (ii) determining that a number of instances of the conflicting byte sequence is more than a threshold number of instances, and removing the identified conflicting byte sequence from the dictionary for the malware family.

Abstract: A system, method, and computer-readable media for establishing a framework for managing application permissions in a group-based communication system. Upon receipt, from an application in a group-based communication system, of an attempt to access a target internet domain, an application manifest associated with the application is accessed. The manifest includes a list of approved internet domains previously approved by an administrator of the group-based communication system which the application may access. Following access of the manifest, it is determined whether the target internet domain is included in the list of approved internet domains. If the target internet domain is included in the list of approved internet domains, the application is allowed to access the target internet domain. If the target internet domain is not included in the list of one or more approved internet domains, access to the domain by the application is denied.

Abstract: Disclosed is phishing classifier that classifies a URL and content page accessed via the URL as phishing or not is disclosed, with URL feature hasher that parses and hashes the URL to produce feature hashes, and headless browser to access and internally render a content page at the URL, extract HTML tokens, and capture an image of the rendering. Also disclosed are an HTML encoder, trained on HTML tokens extracted from pages at URLs, encoded, then decoded to reproduce images captured from rendering, that produces an HTML encoding of the tokens extracted, and an image embedder, pretrained on images, that produces an image embedding of the image captured. Further, phishing classifier layers, trained on the feature hashes, the HTML encoding, and the image embedding, process the URL feature hashes, HTML encoding and image embeddings to produce a likelihood score that the URL and the page accessed presents a phishing risk.

Abstract: Various aspects described herein relate to presenting electronic patient data accessing information. Data related to a plurality of access events, by one or more employees, of electronic patient data can be received. A set of access events of the plurality of access events can be determined as constituting, by the one or more employees, possible breach of the electronic patient data. An alert related to the set of access events can be provided based on determining that the set of access events constitute possible breach of the electronic patient data.

Abstract: The application relates to a method of attesting a state of a computing environment comprising a plurality of components and a plurality of dependency relationships between the plurality of components. The method comprising the steps of A) generating a directed acyclic graph comprising a plurality of nodes and a plurality of directed edges connecting the nodes, comprising and B) generating an attest of the state of the computing environment using the directed acyclic graph. Generating a directed acyclic graph comprises: A1) associating a node with each component; A2) associating a node with each dependency relationship and assigning the node with a hash value of data descriptive of said dependency relationship; A3) connecting, using directed edges—each node associated with a dependency relationship to a node(s) associated with a component(s) included in the respective dependency relationship; and A4) assigning each node with a hash value of all of its subnodes.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: A Web site comprise detection method and system are disclosed. The method includes obtaining a resource identifier associated with a remote computer, and then receiving source code associated with the resource identifier. The method also includes parsing the source code, analyzing the source code to determine an indicator of compromise is present in the source code, determining that the indicator of compromise is associated with malware meta-data, and storing the resource identifier associated with the source code associated with the malware meta-data in a database.

Abstract: A method includes performing, by a terminal with an access card, a first relay attack check for the access card in accordance with a local value associated with the terminal and a local value associated with the access card; determining, by the terminal, that the access card has passed the first relay attack check, and based thereon, performing, by the terminal with the access card, an authentication check of the access card in accordance with the local value associated with the terminal, the local value associated with the access card, and a local challenge value associated with the terminal; and determining, by the terminal, that the access card has passed the first relay attack check and the authentication check, and based thereon, validating, by the terminal, the access card.

Abstract: A system includes at least one hardware processor and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include configuring a processing stack in an execution node process. The processing stack includes a telemetry application programming interface (API). At least one configuration of a trace event is retrieved using an API call received by the execution node process. Telemetry information of the trace even is collected using the telemetry API based on the at least one configuration. An event table is updated based on the telemetry information.

Abstract: Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.

Abstract: An endpoint protection system is provided. The system comprises: an endpoint agent deployed to an endpoint device, wherein the endpoint agent is built-into one or more existing applications running on the endpoint device and is configured to capture network session activity between the endpoint device and one or more internet servers to detect a phishing attack using a set of machine learning algorithm trained classifiers, and block the phishing attack; and an endpoint management system in remote communication with the endpoint agent, wherein the endpoint management system is configured to train and develop the set of classifiers, and receive information about the detected phishing attack and an incident report from the endpoint agent, the endpoint agent provides a graphical user interface running on the endpoint device allowing an end user to configure one or more protections provided by the endpoint agent.

Abstract: Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.

Abstract: Methods and descriptions are described herein for using user-specific parameters to detect malicious activity in an interaction by a user. In particular, the system may receive user action data representing user actions for users relative to applications. The system may generate, using first user action data representing first user actions of a first user, parameters specific to the first user for determining whether interactions of the first user represent malicious activity. The system may receive, for the first user, a request for a pending interaction with a particular application. The system may then use a first user model trained on the first user action data to identify a set of parameters for identifying the malicious activity. The system may validate the request, in real time, by using the set of parameters to generate a likelihood that the request represents malicious activity.

Abstract: Computer technology for protecting data security in a computerized system for recommending content to users where, a processing unit generates an identifier for a first data record relating to a user device based on a first machine learning model. Then, the processing unit sends the identifier to a service provider, and the service provider uses the identifier to determine one or more contents to be sent to the user device. Creating and using a decision tree machine learning (ML) model and a cluster ML model with training records and a transformed records.

Abstract: An electronic apparatus and a security protection method are disclosed. The electronic apparatus includes a security protection apparatus and a first processor. Security isolation exists between the security protection apparatus and the first processor. The first processor is configured to operate when driven by software, and the software includes an operating system and/or an application. The security protection apparatus is configured to: perform security detection on the software, and when detecting that the software is tampered with, perform a security protection operation on the electronic apparatus. In this way, the electronic apparatus may be monitored in real time during an operating process of the electronic apparatus, to avoid theft or modification of important data such as key data and improve security.

Abstract: A system and method for the secure and private demonstration of cloud-based cyber-security tools. Using an advanced sandboxing design patterns, isolated instances of virtual networks allow a potential client to compare their existing cyber defense tools against a set of cloud-based tools. Capitalizing on non-persistent and secure sandboxes allow the invention to demonstrate fully functional and devastating cyber-attacks while guaranteeing strict privacy and security to both existing customers and potential ones. Additionally, instantiating separate sandboxed observed systems in a single multi-tenant infrastructure provide each customer with the ability to rapidly create actual representations of their enterprise environment offering the most realistic and accurate demonstration and comparison between products.

Abstract: In an implementation, a request for one or more attachments stored in an application document store is received from a requestor and by an application agent associated with an application. For each attachment identified in the request, the application agent: 1) requests the attachment from a data privacy integration (DPI) kernel service; 2) receives a download link to an attachment in the application document store; 3) downloads, using the download link, the attachment from the application document store; 4) informs the DPI kernel service that a download of the attachment is complete; and 5) receives a message from the DPI kernel service that the download link has been deactivated. The application agent returns the one or more attachments to the requestor.

Abstract: Apparatuses, methods, and systems for controlling views of a website. One method includes generating selected variant data including data of the A view and data of the B view, providing the selected variant data including data of an A view or data of a B view to a state management library, generating, by the state management library, a UI (user interface) of a website based on the data of the A view data or the data of the B provided to the state management library, controlling displaying underlying data of a website view on a user browser based on the UI generated by the state management library, wherein the website view is generated by a front-end framework, wherein the front-end framework provides input to a website DOM which controls the website view on the user browser, and manipulating views of the website with the front-end framework based on the selected variant data.

Abstract: Systems, methods, and computer-readable storage media for protecting data, the data protection system can include one or more processing circuits including memory and at least one processor configured to receive, via a vendor security tool application, a cybersecurity insurance request from the entity, the cybersecurity insurance request including entity data of an entity and determine a cybersecurity posture with proof based on the entity data. The at least one processor is further configured to determine, utilizing one or more insurance parameters, at least one cybersecurity insurance plan corresponding to a cybersecurity attribute to protect the entity based on the cybersecurity posture with proof. The at least one processor is further configured to provide the at least one cybersecurity insurance plan. The at least one processor is further configured to receive an acceptance of the at least one cybersecurity insurance plan and record the acceptance in a compliance dataset.

Abstract: In an embodiment, a process for graph search and visualization includes receiving a query graph, and calculating one or more vectors for the query graph, where the one or more vectors each identifies a corresponding portion of the query graph. The process includes identifying one or more graphs similar to the query graph including by comparing the calculated one or more vectors for the query graph with one or more previously-calculated vectors for a different set of graphs and outputting the identified one or more similar graphs. The comparison with the previously-calculated vector(s) may be based on previously-calculated vector(s) processed by grouping the one or more vectors into at least one group of vectors, identifying a representative graph for each of the at least one group of vectors; and storing the at least one group of vectors and a respective identified representative graph.

Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.

Abstract: A method and a system for intercepting dirty data is disclosed, the method includes: starting a vulnerability detection task and loading an application and an underlying code for communication between the application and a database; acquiring the underlying code and editing the detection logic code to obtain an underlying detection code; acquiring an original request of an application and initiating a replay request through an active IAST so that the application obtains a data stream in response to the replay request; communicating, by the application, with the database through a network to trigger the underlying detection code to start; examining a type of a structured query language of the data stream according to the underlying detection code; constructing and sending an exception structured query language to the database; and returning, by the database, error information to the application and stopping writing the data stream into the database.

Abstract: A method for holding an anomalous privileged operation, that includes receiving, by a privileged operations monitor executing on a client device, a privileged operation request to copy data or modify data, obtaining a plurality of metrics for the privileged operation request, calculating an anomaly score for the privileged operation request, based on the plurality of metrics, making a first determination, based on the anomaly score, that the privileged operation request is anomalous, and based on the first determination, placing a hold on the privileged operation request.

Abstract: A system and method for detecting cybersecurity risk on a resource in a computing environment utilizes static analysis of a cloned resource and runtime data from the live resource. The method includes: configuring a resource deployed in a computing environment to deploy thereon a sensor, the sensor configured to detect runtime data; detecting runtime data from the sensor of the resource; generating an inspectable disk based on an original disk of the resource; initiating inspection based on the detected runtime data for a cybersecurity object on the inspectable disk; detecting the cybersecurity object on an inspectable disk; and initiating a mitigation action on the resource.

Abstract: Systems and methods are described for identifying other instances of messages corresponding to a reported malicious message. A report of a malicious message from a user of a plurality users using a messaging system is received. Responsive to the report of the malicious message, plain text of content selected from the malicious message is provided. Thereafter, one or more segments of the plain text are selected as key content for construction of a search. A search is then executed in the messaging system for one or more other malicious messages corresponding to the reported malicious message using the selected one or more segments of the plain text with one or more match criteria or no criteria. The one or more other malicious messages corresponding to the reported malicious message are identified in the messaging system.

Abstract: The present invention discloses a hacking detection method, including: deploying a plurality of trap IP addresses in a trap IP address list; collecting access logs from a plurality of network devices to create a connection record list, wherein the connection record list includes a plurality of connection records; and comparing the trap IP address list and the connection record list to obtain a suspicious source list. The suspicious source list includes a plurality of suspicious source IP addresses. The suspicious source IP addresses match a portion of the trap IP addresses in the trap IP address list.

Abstract: A security appliance samples data about software defined infrastructures (SDIs) of a cloud computing environment to incrementally build models that map resource attributes indicated in fields to data types. The security appliance uses the model(s) to provide context sensitive help in policy rule constructions.

Abstract: Aspects of the subject disclosure may include, for example, a device including a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations of receiving a smart contract for tracking a position of a mobile device from a quantum blockchain; issuing a token uniquely identifying location data for the position of the mobile device; receiving location data including the token from the mobile device, wherein the position of the mobile device is determined by displacement from an initial position using a quantum accelerometer; verifying the location data using the token; and storing the location data in the quantum blockchain. Other embodiments are disclosed.

Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.

Abstract: A processing system operates by: detecting an access anomaly associated with an access request from a requestor for a set of encoded data slices, the access anomaly having an unfavorable access pattern, wherein the set of encoded data slices is dispersed storage error encoded and stored in at least one storage unit of the storage network; denying the access request in response to detecting the access anomaly; generating, based on the unfavorable access pattern, an anomaly detection indicator identifying the requestor; and sending the anomaly detection indicator to other devices of the storage network.

Abstract: A method and a system for phishing detection includes converting unauthenticated web content to a browser image, determining that the browser image has a visual similarity to visual characteristics of a legitimate website, determining that a top-level domain (TLD) of the unauthenticated web content is different from a TLD of the legitimate website, and responsively determining that the unauthenticated web content is a phishing attack.

Abstract: An apparatus for defending against control flow attack, including: a key acquisition module, configured to acquire response data, which is output by a physical unclonable function PUF module to an input stimulus, and store the response data in a register as key data to be used; an encryption module, configured to encrypt target execution data in a program control flow based on the key data in the process of the processor executing the program control flow, the target execution data including at least one of a target instruction at an indirect jump destination address and a function call return address; a decryption module, configured to decrypt the encrypted target execution data when the processor is to execute the target execution data; and an execution module, configured to continue to execute the program control flow based on the decrypted target execution data.

Abstract: System and methods for the processing of data in a secure and safe manner are disclosed. Embodiments of such system and methods may ensure the operation of cross compartment policies in a manner that is dependent on the inherent properties of the data being operated on as well as the operations that are performed on that data.

Abstract: Various aspects described herein relate to presenting electronic patient data accessing information. Data related to a plurality of access events, by one or more employees, of electronic patient data can be received. A set of access events of the plurality of access events can be determined as constituting, by the one or more employees, possible breach of the electronic patient data. An alert related to the set of access events can be provided based on determining that the set of access events constitute possible breach of the electronic patient data.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A system and method for detecting phishing cyberattacks. The method involves parsing a code segment retrieved using a suspect uniform resource locator (URL) to identify any links included in the code segment. From these links, additional code segments may be recovered in accordance with a code segment recovery scheme. Thereafter, analytics are performed on the retrieved and possibly recovered code segments. The analytics include determining whether any of the code segments is correlated with a code segment associated with a known prior phishing cyberattack. Upon completing the analytics, an alert message including meta-information associated with results from the analytics is generated to identify that the URL is associated with a known prior phishing cyberattack when one or perhaps a combination of code segments associated with the URL are correlated to any code segment associated with a known prior phishing cyberattack.

Abstract: An ML (machine learning) training logs are parsed for generating a set of heterogenous graphs having embedded nodes connected with edges determined with link prediction and denoting a hierarchical relationship between nodes. Each graph represents benign behavior from executing one of the files of a training database in the sandbox, wherein the nodes are embedded in the graph using GCN (graph convolution network) to calculate a real-valued vector with fixed dimension. A runtime module to receive an untagged file in real-time for analysis from a network component, and generates a graph of runtime behavior from sandbox of the suspicious file for comparison against the training graphs.

Abstract: A security system for an in-vehicle network includes a gateway including at least one processor, wherein the at least one processor is configured to transition an intrusion detection and prevention system (IDPS) loaded into the gateway from a function off mode to a first monitoring mode and detect an intrusion into a general message and a diagnostic message on the in-vehicle network, transition from the first monitoring mode to a second monitoring mode and stop detecting the intrusion into the general message when there is a request to stop transmitting the general message from outside, detect the intrusion into the diagnostic message, and detect and block the general message introduced into the in-vehicle network.

Abstract: The present disclosure includes apparatuses, methods, and systems for partitioning system data from user data in memory. In an example, a method can include receiving system data at a memory, assigning the system data a first address within a first range of memory addresses, storing the system data in a first portion of the memory operated with a first set of trim settings in response to the system data having the first address within the first range of memory addresses, receiving user data, assigning the user data a second address within a second range of memory addresses, and storing the user data in a second portion of the memory operated with a second set of trim settings in response to the user having the second address within the second range of addresses.

Abstract: A system and method for identifying cloud identity misuse based on run-time time data and static analysis is presented. The method includes: detecting a workload in a cloud computing environment; configuring the workload to deploy a sensor configured to detect data respective of a runtime process executed on the workload; detecting an original disk associated with the workload; generating an inspectable disk based on the original disk; inspecting the inspectable disk for a cybersecurity object; detecting in a log of the cloud computing environment an event based on an identifier of the workload; inspecting a code object for an identity object, the code object utilized in deploying the workload in the cloud computing environment; associating the runtime process with the event based on: an identifier of the workload, the identity object, and the cybersecurity object; and generating an enriched log including an identifier of the runtime process.

Abstract: Various approaches for providing intermediary threat detection. In some cases, the intermediary threat detection is performed by a communication control port that operatively couples with a portable computing device to protect the portable computing device from network based vulnerabilities and exploits.

Abstract: Methods and systems for connecting data with non-standardized schemas in connected graph data exchanges. For example, the system generates a custom data structure corresponding to a user identifier for a user profile that includes pointers between user profile attributes (e.g., individual fields/categories within the user profile) and existing assets in a connected graph (e.g., an existing application, software profile for an application, data set, connections, etc.). The system then connects the custom data structure corresponding to the user identifier to the existing assets in the connected graph.

Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory and configured to provide phishing attack protection based on identity provider verification. The at least one processor is further configured to capture an image of a browser web page to which the user has navigated and identify the domain name associated with the browser web page. The at least one processor is further configured to determine that the captured image matches an image of a known identity provider web page. The at least one processor is further configured to detect a phishing attempt in response to the determination that the images match and that the domain name associated with the browser web page differs from the domain name associated with the identity provider web page.