Abstract: An application downloaded from the network onto a target (production) machine can be validated in a sandbox environment. An execution report can be generated during the validation. When the validated application is executed on the target machine, operations performed by the application are limited based on the execution report.

Abstract: A method, computer program product, and a system where a processor(s) determines that a destination has been retained as a link in an application. The processor(s) monitors connections of the application to the destination retained as the link, where connecting is providing a locator of the destination to a server(s) to obtain an address for the destination. The processor(s) determines an average time period measured from providing the locator to the server(s) to obtaining the address. The processor(s) retains the returned address for each connection within a given time period. The processor(s) determines that the application has initiated a new connection to the destination and the new connection is incomplete after a time period calculated relative to the average time period has lapsed. The processor(s) provides selectable options in a user interface of the application that are the retained address(es).

Abstract: Embodiments are provided for integrating feedback into alert managing processes having defined alert policies. These policies define conditions that, when satisfied by certain detected activities, triggers an alert to be sent to a client. A determination is made that a current detected activity does satisfy the condition(s). Subsequent to determining that the set of conditions is satisfied and prior to actually generating the alert, the current detected activity is determined to share a relationship with previously received feedback that caused the alert policy to be modified. After being modified, the alert policy specified whether the alert is to be sent to the client, modified and then sent, suspended, or disabled. The alert is then either generated or refrained from being generated based on the alert policy.

Abstract: A threat information evaluation apparatus that evaluates threat information includes an allocation unit that allocates threat information in an input threat information list to a security operator or an evaluation unit, and an evaluation unit that evaluates the threat information allocated to the evaluation unit. The allocation unit calculates an estimation accuracy on the basis of evaluation performed by the evaluation unit and evaluation determined by the security operator, and allocates the threat information on the basis of the estimation accuracy.

Abstract: A local area social networking server limits social networking activity to people likely to be in close physical proximity to one another and likely to be engaged in similar activities, even people previously unknown to each other, by only permitting social networking between computing devices that are connected to one another through a common local area network. The server identifies recipient devices for a message that (i) are coupled to the same local area network as the sending device, (ii) are associated with demographic characteristics that match those specified for the message as intended recipients, and (iii) are indicated by receptivity data to be receptive to the message and the sender.

Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.

Abstract: Web server security is assessed. Some embodiments analyze data exchanged with a web server to determine a risk associated with accessing the web server. For example, one or more of a type of web application accessed via the web server, a type of interpreted language used to implement the web server, and/or a type and/or version of an http server operable on the web server are examined. Based on the analysis, the risk associated with accessing the web server is determined. Some embodiments then block access to the web server based on the analysis. Alternatively, in some embodiments, a user may be alerted to the risk, and then allowed to proceed upon accepting the risks. Some embodiments share the determined risk assessment with other client devices via a web server risk data store.

Abstract: The invention makes it possible to reuse a verification script without manually modifying the internal parameters of the verification script. A verification automation apparatus 1 adapts a verification script to a system that is to be verified. The verification automation apparatus 1 includes: a verification script acquisition unit 101 that acquires a verification script that includes an execution script for verification work and execution enabling requirements for executing the execution script; a verification configuration search unit 104 that searches the system to be verified, for configurations for which the execution script is executable, using environment information regarding the system to be verified, and the execution enabling requirements; and an execution script materializing unit 105 that materializes the execution script based on the configuration that has been found through the search, so as to be executable in the system to be verified.

Abstract: A computer system includes an operating system, a memory coupled to the operating system, and a processor (e.g., an anti-debug processor) coupled to the operating system. The operating system receives, from a debug process, a request to create an essential debug object for attachment to a target process. The anti-debug processor scans a kernel memory of the operating system for the essential debug object and verifies a presence of the essential debug object in the kernel memory, and scans the kernel memory to identify a process that has stored in the kernel memory the essential debug object. The anti-debug processor then halts the debug process, without using an internal interface or function of the operating system, thereby preventing the debug process from attaching to the target process.

Abstract: The implementations described herein provide a tool for identifying security issues and applying security policies to the service(s) and/or microservices. Rather than a user (such as an administrator) reactively diagnosing security incidents, the systems and methods described herein may provide a tool by which the user can proactively monitor the use of the services and microservices for security issues and control the user of such microservices and services via policies. The systems and methods allow API granular policy control to determine which APIs may be granted or denies access based on a variety of criteria, such as but not limited to the source of the request, the specific API being called, temporal conditions, geography and so forth. The user can identify security concerns or issues on a per API basis.

Abstract: Aspects of the present disclosure relate to threat detection of executable files. A plurality of static data points may be extracted from an executable file without decrypting or unpacking the executable file. The executable file may then be analyzed without decrypting or unpacking the executable file. Analysis of the executable file may comprise applying a classifier to the plurality of extracted static data points. The classifier may be trained from data comprising known malicious executable files, known benign executable files and known unwanted executable files. Based upon analysis of the executable file, a determination can be made as to whether the executable file is harmful.

Abstract: The present application relates to ensuring data consistency between a modular device and an external system. Techniques are described for ensuring data consistency between devices at a control device using configuration signatures. A control device can receive and store a baseline configuration signature for a first modular device. Upon initialization of the first modular device, the control device can receive a current configuration signature from the first modular device. The control device can compare the current configuration signature with the baseline configuration signature and, if a mismatch is found, generate a notification indicating that data subsequently received from the first modular device is of uncertain integrity.

Abstract: Embodiments of the disclosure provide a method and system for task orchestration. A method may include: providing, by a task master control unit, an execution instruction of a task related to a module in an application container to a node agent service unit in an auxiliary application container bound to the application container, the auxiliary application container sharing a file system with the application container; and executing, by the node agent service unit, a command for completing the task, in response to acquiring the execution instruction of the task.

Abstract: Disclosed is a method and system for verifying a regex group. The method comprises verifying of a regex group by creating a flow id through a processor for the regex group when source reaches the sink. The flow id is used for tracking the flow of the regex group. The processor checks in case the flow id is a previously tested flow id. When the flow id is not the previously tested flow id, the processor passes one or more run tasks through a processor forming a queue. The processor tests for one or more vulnerabilities to be associated with the regex group based on the passing, wherein the testing is used to qualify the regex group as a valid regex group.

Abstract: A network-accessible service such as a web site may authenticate users through a login process. In order to detect possibly fraudulent login events, the service may implement a framework based on recorded login events. For example, attributes of multiple recorded login events may be analyzed to create a framework that can be applied to attributes of newly received login requests to predict whether the newly received login requests are fraudulent. The framework may comprise criteria, algorithms, rules, models, and/or techniques, and may be constructed using various means such as pattern recognition, machine learning, and/or cluster analysis.

Abstract: Computer-implemented threat detection method and systems are provided. The method comprises discovering threat data associated with a first entity, translating the threat data to one or more threat models, translating the one or more threat models, using a threat model parameter generator, to at least a parameter threat model and translating the parameter threat model to one or more identification queries. The one or more identification queries may be executed and the generated results may be translated to result data in a first format. The one or more result data models may be published from the result data in one or more formats or to one or more locations.

Abstract: A computer-implemented method to determine which port in a container is a service port. The method includes identifying, a first container, wherein the first container comprises a plurality of ports. The method further includes, training a neural network, wherein the neural network is configured to identify at least one service port from the plurality of ports. The method further includes, monitoring, by a network monitor, a set of data sent to the first container comprising a first parameter. The method includes, identifying a first service port of the plurality of ports. The method further includes, marking the first service port.

Abstract: There is disclosed in one example a computer-implemented anti-ransomware method, including: selecting a file for inspection; assigning the file to a type class according to a file type identifier; receiving an expected byte correlation for the type class; computing, according to a byte distribution of the file, a byte correlation for the file; comparing, via statistical analysis, the byte correlation to the expected byte correlation; and determining that the file has been compromised, including determining that the file has a byte correlation that deviates from the expected byte correlation by more than a threshold, taking a ransomware remediation action for the file.

Abstract: The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

Abstract: A bus control device is enabled for placement between an input port to which a suspect device would be connected and the bus. In this manner, all message received from the suspect device, such an infotainment system, must pass through the bus control device. A separate intrusion detection device is coupled to the bus. The bus control device is arranged to output a notification message to the intrusion detection device, the notification message comprising information about the received message. The intrusion detection device is arranged to determine the validity of the received message responsive to the received notification message.

Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.

Abstract: Methods, systems, and apparatus for resource locator remarketing are presented. In one aspect, a method includes receiving visitation data from a publisher, the visitation data specifying a device identifier and a resource locator specifying a resource that was provided to a user device; identifying a content feed that includes regular expressions, each regular expression specifying matching character strings and a set of content items that are eligible to be provided to user devices corresponding to visitation data including a resource locator matching one of the regular expressions; identifying, a first matching regular expression that matches the resource locator specified by the visitation data; selecting a content item from the content items that correspond to the first matching regular expression; and providing data that causes presentation of the selected content item to the user device.

Abstract: In one embodiment, a system is configured to identify, based on predetermined criteria, a first set of users of an online system who belong to a population segment. The system may monitor activities performed by the first set of users on the online system over a predetermined period of time and store the monitored activities as time-series data. A feature set associated with the first set of users may be generated by transforming the time-series data into a frequency domain. The system may train a machine-learning model using the feature set and other feature sets to determine whether activities associated with a given set of users exhibit diurnal behavior pattern. Using the trained machine-learning model, the system may determine whether activities performed by a second set of users on the online system exhibit diurnal behavior pattern.

Abstract: Described systems and methods enable a swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among a set of domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is further analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing a content of such domains.

Abstract: The present disclosure relates to information prompt methods and apparatus. One example method includes determining a first communication object from a target communication object set, obtaining first interaction information corresponding to the first communication object, receiving input information by using an information input interface of the first communication object, determining a matching degree between the input information and the first communication object based on the input information and the first interaction information, and performing prompt if the matching degree is less than a first threshold.

Abstract: A device includes a processor and a memory. The processor effectuates operations including monitoring enterprise network traffic associated with one or more user equipment (UE). The processor further effectuates operations including comparing the enterprise network traffic to a UE profile associated with each of the one or more UE. The processor further effectuates operations including determining whether the comparison indicates that a predetermined threshold has been exceeded. The processor further effectuates operations including in response to the indication that the predetermined threshold has been exceeded, generating an alert, wherein exceeding the predetermined threshold is indicative of a denial of service attack on an enterprise network or an attempt to remove enterprise data via the one or more UE.

Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

Abstract: Implementations of this specification include identifying a plurality of transactions to be executed in the blockchain, wherein the transactions are arranged in an execution order, wherein the transactions include one or more smart contract calls to smart contracts each having a whitelist identifying one or more accounts that are authorized to execute the smart contract, and wherein the execution order includes a smart contract call to a smart contract that does not have a whitelist arranged after the plurality of transactions; identifying groups of transactions within the plurality of transactions; instructing nodes of the blockchain network to execute each of the groups of transactions in parallel; determining that the nodes of the blockchain network have completed executing all of the groups of transactions; and in response, instructing the nodes of the blockchain network to execute the smart contract call that does not include a whitelist.

Abstract: To address technical problems facing managing multiple sources of information from multiple vehicles, vehicular computing power may be exploited to process such information before sharing with others, which may help reduce network traffic overhead. A technical solution to improve this information processing over vehicular networks by using a hybrid Named Function Network (NFN) and Information Centric Network (ICN), such as in a hybrid NFN/ICN. An NFN may be used to orchestrate computations in a highly dynamic environment after decomposing the computations into a number of small functions. A function may include a digitally signed binary supplied by a car vendor or other trusted authority and executed within a controlled environment, such as a virtual machine, container, Java runtime-environment, or other controlled environment.

Abstract: A system accesses information regarding a topology of an arrangement of resources, where one of the resources is a multi-tiered resource having a plurality of layers. Based on the information regarding the topology of the arrangement of resources, the system selects one or more layers of the multi-tiered resource for deployment of a deception server that has a reduced security mechanism to act as a decoy to attract attackers of the system. The system deploys the deception server at the selected one or more layers of the multi-tiered resource.

Abstract: Systems and methods for management of data files using a plurality of interconnected operations associated with a plurality of roles are provided. A method involves receiving, from a user terminal, a request to access a portion of the plurality of interconnected operations corresponding to one of the plurality of roles, obtaining a human representation of the portion, and transmitting the human representation to the user terminal for display thereon. The human representation (i.e., an Episodic Social Network representation) is a spatial arrangement one or more affinity groups blocks interconnected via one or more conditional situation blocks, where each of the affinity groups represents a non-exclusive data file classification associated with a set of temporal and non-temporal characteristics and where each of the conditional situation blocks defines a set of conditions for transferring the data file from one of the affinity groups to another of the affinity groups.

Abstract: A program management system includes: a terminal device having a terminal processing unit capable of executing processing to create a computer program, and a terminal communication unit capable of transmitting the computer program created by the terminal processing unit to an outside; and an external device having an external device storage unit storing therein the computer program transmitted from the terminal device, and an external device processing unit capable of executing processing to give approval to the computer program stored in the external device storage unit. The external device storage unit stores therein appropriateness of approval of the computer program as first status information together with the computer program. The external device processing unit is capable of executing processing to manage the computer program based on the first status information.

Abstract: A system and method for identifying and circumventing a security scanner includes monitoring incoming traffic to a web application, identifying a portion of the incoming traffic as security scanner traffic by comparing the incoming traffic to a security scanner traffic profile, and circumventing the security scanner by providing dummy content or signaling the web application to provide dummy content. The security scanner traffic profile is created by receiving web application traffic generated by a plurality of security scanners; identifying web application traffic features common to at least a portion of the plurality of security scanners by modelling using artificial intelligence, machine learning, and the like; and generating the security scanner traffic profile based on the identified web application traffic features.

Abstract: Methods, systems, and computer program products comprising computer readable instructions for generating efficiency metrics for knowledge workers. Data for symbol contributions of a knowledge worker is used for calculating Knowledge Discovery Efficiency (KEDE), which is a ratio between the symbol contributions of the knowledge worker for a time period indicated by a time aggregation type and a predetermined constant representing an estimated maximum amount of symbol contributions that can be contributed for the time period indicated by the time aggregation type. Templates and fraudulent values of the contributions are excluded from the calculation.

Abstract: Systems, methods, and apparatuses enable one or more security microservices to optimize a security configuration of a networked environment by applying security policies to resource groups passively to determine whether network sets, resource groups, or security policies should be modified, prior to active enforcement. When security policies are applied passively, security actions that are performed in response to a violation of security policy do not impact network traffic. The one or more security microservices evaluate the results of the passive application of security policies to determine whether there is at least one recommended modification to network sets, resource groups, or security policies. When there is at least one recommended modification, the modification is applied.

Abstract: A networking behavior detector and a networking behavior detection method thereof for an indoor space are provided. The networking behavior detector receives a plurality of radio frequency (RF) signals in the indoor space and converts the RF signals to a plurality of digital signals. Next, the networking behavior detector calculates an energy value of each digital signal and filters out the digital signal, the energy value of which is smaller than a threshold, of the digital signals to generate an analysis signal. Finally, the networking behavior detector retrieves a plurality of energy feature values of each analysis signal to generate a feature datum, and analyzes the feature data through an identification model to generate an identification result. The identification result corresponds to one of a plurality of networking behaviors.

Abstract: A method for reassigning exit internet protocol (IP) addresses in a virtual private network (VPN), the method including selecting a first exit IP address for communicating data associated with a user device having an established VPN connection, receiving a notification that indicates occurrence of a network event associated with the first exit IP address, and communicating, during the established VPN connection, data associated with the user device using a second exit IP address, different from the first exit IP address. Various other aspects are contemplated.

Abstract: A technique for determining the safety of the content of beacon transmissions. A user device extracts beacon identification information from a beacon transmission. The user device queries the beacon registry to obtain the targeted content. The user device provides the targeted content and beacon identification information to a validation service. The validation service evaluates the targeted content and the beacon identification information for safety. The validation service determines a score based on that evaluation and sends the score to the user device. The user device alerts the user or performs background actions such as suppression of transmission of beacon contextual data to other apps on user device based on the score.

Abstract: A system for detecting and preventing execution of malware on a target system includes an interface for receiving training data. The training data includes domain names known to be legitimate and domain names known to be associated with malware. The system is configured to train a first model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names using a supervised learning methodology. The system configured to train a second model to predict a correct domain name associated with domain names in the training data using an unsupervised learning methodology. The system configured to train a third model to classify the domain names in the training data as being legitimate domain names or malware-associated domain names based on an output of the first learning model and an output of the second learning model.

Abstract: Systems and methods are described for managing services of a computing device over a mobile network where requests for managed or unmanaged services are translated to corresponding IP addresses sent to the computing device and corresponding requests sent to the translated IP addresses are either permitted, rated, quality controlled or secured if the computing device has a valid data plan or is otherwise permissioned for using the mobile network, are denied if filtered and if the computing device does not have a valid data plan or is not otherwise permissioned and the request corresponds to the first address, and are permitted, rated, quality controlled or not secured even if the computing device does not have a valid data plan or is not otherwise permissioned if the request corresponds to the second address.

Abstract: A threat detection system for a mobile communication system, and a global device and a local device thereof are provided. The threat detection system is used for detecting and defensing low and slow distributed denial-of-service (LSDDoS) attacks. The global device is located in a core network of the mobile communication system, and is used for training a tensor neural network (TNN) model to build a threat classifier. The threat classifier is used for the local device to identify a plurality of threat types. The local device inputs the to-be-identified data into the threat classifier to generate a classification result corresponding to one of the threat types.

Abstract: An approach is provided for embedding information into probe data. The approach involves retrieving a probe data set comprising a plurality of probe data points collected from a probe device. The approach also involves determining the information to embed, wherein the information is a bit string of a specified length. The approach further involves iteratively selecting at least one bit of the bit string to embed into at least one probe data point of the plurality of probe data points to generate an embedded probe data set until at least a predetermined portion of the bit string is embedded. The approach further involves providing the embedded probe data set as an output.

Abstract: A method for reassigning exit internet protocol (IP) addresses in a virtual private network (VPN), the method comprising activating a first exit IP address for communicating data associated with a user device having an established VPN connection; deactivating, during the established VPN connection, the first exit IP address based at least in part on determining that an amount of data communication associated with the first exit IP address satisfies a data threshold; and activating, during the established VPN connection, a second exit IP address, different from the first exit IP address, for communicating data associated with the user device based at least in part on deactivating the first exit IP address. Various other aspects are contemplated.

Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.

Abstract: Systems and methods for providing pre-emptive intercept warning for online privacy or security are disclosed. In one embodiment, at a privacy security appliance comprising at least one computer processor, a method for may include: (1) establishing a virtual private network (VPN) connection with a computer application executed by a client device; (2) receiving, over the VPN connection, an internet protocol (e.g., HTTP or HTTPS) request for a website host; (3) communicating the internet protocol request to the website host; (4) receiving a response to the internet protocol request from the website host; (5) inspecting the response for privacy or security issues with embedded links in the response; (6) scoring the embedded links based on the inspection; (7) generating a mock webpage based on the response comprising the scoring for the embedded links; and (8) delivering the mock webpage with the scoring to the application over the VPN. The mock webpage may include links to the embedded links.

Abstract: Methods and systems for generating an attack path based on user and system risk profiles are presented. The method comprises determining user information associated with a computing device; determining system exploitability information of the computing device; determining system criticality information of the computing device; determining a risk profile for the computing device based on the user information, the system exploitability information, and the system criticality information; and generating an attack path based on the risk profile. The attack path indicates a route through which an attacker accesses the computing device. The system exploitability information indicates one or more of: the vulnerability associated with the computing device, an exposure window associated with the computing device, and a protection window associated with the computing device.

Abstract: Embodiments include a method, system and computer program product for detecting impersonation attempts in social media messaging. Aspects include receiving, via a social media network, a message from a sender to a recipient and analyzing a content of the message to extract factual statements from the message. Aspects also include analyzing a profile of the recipient to extract facts from the profile and comparing each of the factual statements to the facts from the profile. Based on a determination that one of the factual statements are verifiable by at least one of the facts, aspects include assigning a likelihood score to the factual statements. Aspects further include calculating a legitimacy score for the message based at least in part on the likelihood score of each verified factual statement from the message and transmitting the legitimacy score and the message to the recipient.

Abstract: A method and system for detecting impersonated network traffic by a protected computing device and a network protection system. The method includes the computing device receiving installation of a browser application, the browser application configured to generate requests to communicate with other computers via the World Wide Web and receiving a configuration for the browser application. The browser application is configured to obtain a short-lived password (SLP) in coordination with generating a request and insert the short-lived password into the generated request before transmitting the request. The SLP is synchronized with an expected value generated by the network protection system. The transmitted request is passed to the network protection system and treated as legitimate network traffic by the network protection system only if the network protection system detects and verifies the SLP.

Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement the method of identifying an exploit kit, the method comprising: receiving, by the processor, a web page; extracting, by the processor, a plurality of features of the web page; and determining, by the processor, whether the web page is associated with an exploit kit, through an ensemble classifier model trained using the extracted features.

Abstract: Various embodiments are generally directed to techniques for control flow protection with minimal performance overhead, such as by utilizing one or more micro-architectural optimizations to implement a shadow stack (SS) to verify a return address before returning from a function call, for instance. Some embodiments are particularly directed to a computing platform, such as an internet of things (IoT) platform, that overlaps or parallelizes one or more SS access operations with one or more data stack (DS) access operations.