Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11347574
    Abstract: Methods and systems for managing notifications relating to execution of microservices are described herein. A format of notifications relating to execution of a plurality of microservices may be defined. The format may provide that all notifications generated based on the format comprise code. The code may indicate, for example, an identity of one of a plurality of microservices, a version of the code, an occurrence of an issue in execution of the one of the plurality of microservices, and/or one or more scripts which may be executed to address an issue of the notification. Two or more notifications may be received, and the one or more notifications may be formatted based on the defined format. A third notification may be generated based on a comparison of the two or more notifications. The third notification may be transmitted to a computing device.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: May 31, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Jeremy White, Ted Harwood, Wellington Goncalves
  • Patent number: 11349862
    Abstract: The disclosure is directed to a system for testing known bad destinations while in a production network. The system can include a source controller and a destination controller in a production network. The source controller and the destination controller can have a configuration of a predetermined set of one or more known bad external destinations to test a security control device of the production network intermediary to the source controller and the destination controller. The source controller can be configured to communicate test traffic generated to a known bad external destination. The test traffic can pass through the security control device with a network identifier of the known bad external destination. The destination controller can be configured to receive the test traffic forwarded by a network device of the production network.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: May 31, 2022
    Assignee: MANDIANT, INC.
    Inventors: Christopher B. Key, Paul E. Holzberger, Jr., Jeff Seely
  • Patent number: 11340890
    Abstract: Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: May 24, 2022
    Assignee: CrowdStrike, Inc.
    Inventor: Ion-Alexandru Ionescu
  • Patent number: 11341248
    Abstract: A system includes a processor coupled to an integrated circuit. The processor includes a non-volatile memory to store instructions to perform a boot process. The boot process is discontinued to prevent unauthorized use of the processor if a value received from the integrated circuit in response to a first value sent to the integrated circuit is not valid.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: May 24, 2022
    Assignee: Intel Corporation
    Inventors: Haifeng Gong, Vasudevan Srinivasan, Antonio J. Hasbun Marin
  • Patent number: 11340887
    Abstract: The present disclosure relates to a method for performing a software update in a control unit of a motor vehicle. The present disclosure provides that, during driving operation of the motor vehicle, a first analysis device of the motor vehicle is used to predict, for a predefined future time interval in which the control unit is operated in order to generate control data, an idle time interval in which the generation of the control data of at least one software module of the control unit is interrupted during the driving operation at least for a predefined minimum duration because of a vehicle state existing then, and the software update is started at the beginning of the idle time interval.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: May 24, 2022
    Assignee: Audi AG
    Inventor: Anil Thurimella
  • Patent number: 11343402
    Abstract: A watermark image may be generated that includes a first set of encoded pixels each of which is assigned a first transparency value and a second set of encoded pixels each of which is assigned a second transparency value, the second transparency level being different from the first transparency level. The encoded pixels may be distributed among a set of blank pixels such that each encoded pixel neighbors one or more blank pixels in the watermark image, and in particular at least two blank pixels in the watermark image. Herein, each blank pixel may be assigned the second transparency value. The watermark image may be overlaid and blended over a background source image to create an encoded source image. A decoder system may recover encoded information from the encoded source image.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: May 24, 2022
    Assignee: Google LLC
    Inventors: Abdullah Hassan Gharaibeh, Michal Dabrowski, Ryan Matthew Haggarty, Igor Foox-Rapoport, Wan Wang, Duncan Geoffrey Hector Wood, Dany Kuminov, Matthew Young-Lai, Bhavin Vyas, George Jacob Levitte, Jean Semere
  • Patent number: 11340796
    Abstract: A method includes issuing a suspend command to a data storage device at an information handling system. In response to receiving the suspend command, the data storage device generates a one-time password that is stored at the data storage device. The one-time password is provided to a process executing at the information handling system that stores the one-time password at a memory device at the information handling system. Operation of the data storage device is transitioned to an energy saving state.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: May 24, 2022
    Assignee: Dell Products L.P.
    Inventors: Richard M. Tonry, Lip Vui (Simon) Kan
  • Patent number: 11336458
    Abstract: Software applications to be installed on user devices are monitored. Authenticity of the applications is evaluated using trust factors. In some cases, the trust factors relate to security associated with a network being accessed by a user device. In response to the evaluation, an action is performed such as configuring or disabling execution of one or more components of an application.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: May 17, 2022
    Assignee: Lookout, Inc.
    Inventors: Kevin Patrick Mahaffey, Timothy Micheal Wyatt, Daniel Lee Evans, Emil Barker Ong, Timothy Strazzere, Matthew John Joseph LaMantia, Brian James Buck
  • Patent number: 11336669
    Abstract: An analyzer module forms a hypothesis on what are a possible set of cyber threats that could include the identified abnormal behavior and/or suspicious activity with AI models trained with machine learning on possible cyber threats. The Analyzer analyzes a collection of system data, including metric data, to support or refute each of the possible cyber threat hypotheses that could include the identified abnormal behavior and/or suspicious activity data with the AI models. A formatting and ranking module outputs supported possible cyber threat hypotheses into a formalized report that is presented in 1) printable report, 2) presented digitally on a user interface, or 3) both.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: May 17, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Timothy Bazalgette, Dickon Humphrey, Carl Salji, Jack Stockdale
  • Patent number: 11329988
    Abstract: There are provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication that the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: May 10, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Miika Komu, Alireza Ranjbar, Patrik Salmela
  • Patent number: 11328062
    Abstract: A computer-implemented method for detecting cyber-attacks affecting a computing device includes retrieving a plurality of sensor datasets from a plurality of sensors, each sensor dataset corresponding to involuntary emissions from the computing device in a particular modality and extracting a plurality of features from the plurality of sensor datasets. One or more statistical models are applied to the plurality of features to identify one or more events related to the computing device. Additionally, a domain-specific ontology is applied to designate each of the one or more events as benign, failure, or a cyber-attack.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: May 10, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventors: Arquimedes Martinez Canedo, Justinian Rosca, Sanjeev Srivastava
  • Patent number: 11328060
    Abstract: Systems and methods for multi-tiered sandbox based network threat detection are provided. According to one embodiment, a file is received by a virtual sandbox appliance. The file is caused to exhibit a first set of behaviors by running the file within a virtualization application based environment of the virtual sandbox appliance. The virtualization application based environment acts as an intermediary between executable code, an operating system (OS) application programming interface (API), and an instruction set of a particular computer architecture. The file is further caused to exhibit a second set of behaviors by running the file within a container based environment of the virtual sandbox appliance. Differences, if any, between the first set of behaviors and the second set of behaviors are determined. Finally, the file is classified as malicious when the differences are greater than a predefined or configurable threshold.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: May 10, 2022
    Assignee: Fortinet, Inc.
    Inventor: Michael F. Chalmandrier-Perna
  • Patent number: 11330447
    Abstract: Systems and methods for providing an improved cellular user quality of experience (QoE) are disclosed. The system can comprise a database from multiple data points to monitor and analyze cellular user experiences holistically. The system supplements conventional quality of service (QoS) metrics with user-side, application provider, and internet provider data, among other things. The data can be used to create highly granular service maps. The data can also be used in methods for analyzing and solving network issues, including slowdowns, dropped calls, and network availability. Improved analysis of network, user equipment (UE), and application issues can locate and solve QoE issues, improving cellular customer satisfaction, retention, and loyalty.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: May 10, 2022
    Assignee: T-Mobile USA, Inc.
    Inventor: Kevin Lau
  • Patent number: 11329997
    Abstract: A delivering email system is configured to receive a request to send an email to a recipient, identify an authentication method of a sender account for the email, modify email headers of the email to include an indication of the authentication method, generate digital signatures for the email that include the email headers within a scope of the digital signatures, modify the email such that an email header of the email includes the digital signatures, and transmit the email, including the indication of the authentication method and the digital signatures, to the recipient at a receiving email system. The receiving email system is configured to receive the email, determine that the email headers are unaltered by validating the digital signatures against a public key of the sender domain, determine whether the authentication method indicated meets a criteria, and execute a security response against the email if not.
    Type: Grant
    Filed: October 24, 2019
    Date of Patent: May 10, 2022
    Assignee: ValiMail Inc.
    Inventor: Peter Martin Goldstein
  • Patent number: 11330011
    Abstract: A method of detecting patterns for automated filtering of data is provided. The method includes receiving network traffic including bad traffic and good traffic, wherein an attack is known to be applied to the bad traffic, and the good traffic is known to be free of an applied attack. Processing the good and bad traffic includes generating, for each unique packet, each potential unique combination of the packet's fields, storing each combination with associated bad match and good match counters, and incrementing a combination's respective good and bad match counters for each occurrence it matches one of the packets of the respective good and bad traffic. The combinations are sorted based on the good match counter associated with each combination, a number of fields in each combination, and the bad match counter associated with each combination. One or more combinations are selected based on results of the sorting for provision to a network traffic filtering component.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: May 10, 2022
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 11328301
    Abstract: A computerized-method for real-time detection of financial transactions suspicious for money-laundering, by processing high-speed streaming financial data. In a computerized-system receiving a financial data stream comprised of data points. Operating a Fused-Density (FD)-based clustering module that is configured to: (i) read the data points; (ii) maintain a grid system; (iii) maintain one or more provisional clusters (PROC)s; (iv) associate each data point with a grid or merge it to a PROC; (v) systemize the grid system and the PROCs; (vi) trim one or more grids and remove one or more PROCs; (vii) form one or more shape devise clusters based on the PROCs; and (viii) transmit the one or more shape devise clusters for analysis thereof, thus, enabling detection of financial transactions suspicious for money-laundering according to the one or more shape devise clusters which were formed out of the high-speed streaming financial data with money-laundering changing trends.
    Type: Grant
    Filed: March 22, 2020
    Date of Patent: May 10, 2022
    Assignee: ACTIMIZE LTD.
    Inventor: Danny Butvinik
  • Patent number: 11321453
    Abstract: Methods and systems utilizing sandbox outputs for files, such as dynamic file analysis (DFA) reports, regardless of size, to automatically create rules. From these rules, the maliciousness of the file is determined, and if the file is malicious, i.e., malware, the malware is classified into malware families.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: May 3, 2022
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Ivan Kosarev, Lotem Finkelstein
  • Patent number: 11323381
    Abstract: In general, this disclosure describes a network device to determine a cause of packets being dropped within a network. An example method includes generating, by a traffic monitor operating on a network device, an exception packet that includes a unique exception code that identifies a cause for a component in the network device to discard a transit packet, and a nexthop index identifying a forwarding path being taken by the transit packet experiencing the exception. The method also includes forwarding the exception packet to a collector to be processed.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: May 3, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Venkata Naga Chaitanya Munukutla, Raveendra Torvi, Dmitry A. Shokarev, Vishnu Pavan Beeram, Manikandan Musuvathi Poornachary, Shivam Vaid
  • Patent number: 11321471
    Abstract: Disclosed is a method of encrypted storage of data, applied to a client having an application (APP) installed thereon. The method includes: generating an encryption key based on a preset algorithm; dividing the encryption key into m portions, and respectively storing the portions in m media of the client, where m is a natural number greater than 1; and encrypting target data by using the encryption key.
    Type: Grant
    Filed: November 23, 2018
    Date of Patent: May 3, 2022
    Assignee: Beijing Sankuai Online Technology Co., Ltd
    Inventor: Tao Wang
  • Patent number: 11323473
    Abstract: An information security system that includes an information security engine configured to detect an attack by a malicious software element in a network. The information security engine is further configured to transfer the malicious software element from the network to the emulated network in response to detecting an attack. The information security engine is further configured to select defense strategies for restricting communications using different port configurations and to implement each defense strategy within the emulated network. The information security engine is further configured to execute a duplicate of the malicious software element in the emulated network and to determine a performance level for each of the defense strategies against the duplicate of the malicious software element. The information security engine is further configured to select a defense strategy with a highest performance level and to implement the selected defense strategy within the network.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: May 3, 2022
    Assignee: Bank of America Corporation
    Inventors: Jo-Ann Taylor, Benjamin F. Tweel, Michael R. Young, Michael J. Sbandi
  • Patent number: 11316896
    Abstract: A method of operating a mobile device includes displaying a user interface as an image, the user interface being composed of a plurality of widgets, storing a privacy policy identifying at least one of the widgets, capturing a screenshot image corresponding to the screenshot image, excluding the at least one of the widgets from the screenshot image to create a modified screenshot image, and transmitting the modified screenshot image over a network to a monitoring server.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: April 26, 2022
    Assignee: International Business Machines Corporation
    Inventors: Joseph W. Ligman, Marco Pistoia, Gegi Thomas, Stephen P. Wood
  • Patent number: 11315590
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for voice and graphical user interfaces. One of the methods includes receiving an audio input, analyzing the audio input to determine a requested task, determining response data in response to the requested task, determining at least a first part of the response data to be presented as an audio output and at least a second part of the response data to be presented as a visual output, forwarding the first part of the response data to an audio output for presentation to a user, forwarding the second part of the response data to a visual output for presentation to a user; and forwarding to at least one of the audio output and the visual output data describing sources and/or assumptions used to construct the response data.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: April 26, 2022
    Assignee: S&P Global Inc.
    Inventors: Grace Bang, Azadeh Nematzadeh, Zhiqiang Ma, Xiaomo Liu
  • Patent number: 11314859
    Abstract: According to one embodiment, a method for detecting and mitigating a privilege escalation attack on an electronic device is described. The method involves operations by a user agent mode operating within a user space and a kernel driver mode operating within a kernel space. The kernel driver mode, in response to detecting an initial activation of a process being monitored, stores metadata associated with an access token. This metadata includes the initial token state information. Responsive to detecting an event associated with the process being monitored, the kernel mode driver extracts a portion of current state information for the access token for comparison to a portion of the stored token state information. Differences between content within the current state information and the stored token state information are used, at least in part, by the user agent mode to detect a privilege escalation attack.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: April 26, 2022
    Assignee: FireEye Security Holdings, Inc.
    Inventors: Japneet Singh, Ratnesh Pandey, Atul Kabra
  • Patent number: 11314841
    Abstract: A computing device comprising a secure browser extension for a web browser monitors for satisfaction of one or more operating conditions to identify whether one or more unauthorized applications are installed on the computing device. Based on satisfaction of at least one operating condition, the secure browser extension of the computing device sends an HTTP request to a known service via the web browser. The secure browser extension receives a response to the HTTP request via the web browser. The secure browser extension determines whether the received response is an HTTP response (e.g., from an unauthorized application) or a non-HTTP response (e.g., from the known service). Based on determining the received response is an HTTP response, the secure browser extension terminates the web browser session and generates a notification for display at the computing device that indicates web browser communications are compromised.
    Type: Grant
    Filed: January 7, 2021
    Date of Patent: April 26, 2022
    Assignee: Bank of America Corporation
    Inventors: Andrew Paul Montgomery, Stuart David Ford, Ricardo Varanda
  • Patent number: 11310248
    Abstract: Example techniques herein filter and classify security-relevant events from monitored computing devices. A control unit can receive event records of various types, each event record associated with a monitored device. The control unit can provide, for each event record matching a corresponding pattern of a pattern set associated with the respective event type, a respective match record. Each match record can include an identifier of the corresponding pattern and data of the respective event record. The control unit can provide, for each match record satisfying a corresponding condition of a condition set, a respective candidate record including a tag associated with the corresponding condition. The control unit can provide, for each candidate record satisfying a tag criterion, a result record. Some examples can receive a modification record and use it to provide an updated condition set used for determining candidate records.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: April 19, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: David Blewett, Brian Concannon, John Lee, Kris Merritt, Andrew Roden
  • Patent number: 11310262
    Abstract: An apparatus is provided including at least one platform; an intrusion prevention system configured to communicatively couple with the at least one platform; a firewall configured to communicatively couple with the at least one platform; at least one first data storage configured to communicatively couple with the at least one platform; and at least one second data storage configured to communicatively couple with the at least one platform. The at least one platform is configured to perform a plurality of operations that collectively protect one or more networked devices.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: April 19, 2022
    Assignee: Security Profiling, LLC
    Inventors: Brett M. Oliphant, John P. Blignaut
  • Patent number: 11308212
    Abstract: Telemetry data from client file reputation queries is collected over time. Directories/sub-directories under which files of queries are located are identified. The files including the reputations for the files under a given directory/sub-directory are identified and used to calculate the reputation score for the directory/sub-directory. The directory/sub-directory is then classified based on the calculated score for the directory/sub-directory. After the classification of directories/sub-directories, reputation for a file with unknown reputation is then determined based on the classification of the directory/sub-directory under which the file is located.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: April 19, 2022
    Assignee: CA, INC.
    Inventors: Qian Zhu, Alexander Lichstein, Daniel Sosa
  • Patent number: 11308049
    Abstract: Described is an improved approach to remove data outliers by filtering out data correlated to detrimental events within a system. One or more detrimental event conditions are defined to identify and handle abnormal transient states from collected data for a monitored system.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: April 19, 2022
    Assignee: Oracle International Corporation
    Inventors: Yaser I. Suleiman, Michael Zoll, Subhransu Basu, Angelo Pruscino, Wolfgang Lohwasser, Wataru Miyoshi, Thomas Breidt, Thomas Herter, Klaus Thielen, Sahil Kumar
  • Patent number: 11310264
    Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: April 19, 2022
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11308037
    Abstract: A method and apparatus for performing automated collaboration is provided. Automated collaboration may include identifying a first document generated by a first user using a networked application, identifying a collaborative similarity between the first document and a second document generated by a second user, generating a collaboration suggestion based on the collaborative similarity, transmitting the collaboration suggestion to the first user via the networked application, and initiating a collaboration session between the first user and the second user. The collaborative similarity may be identified based on a similarity between content of the first document and content of the second document, based on a similarity between information associated with the first document and information associated with the second document, or based on a combination of content and associated information similarities.
    Type: Grant
    Filed: October 2, 2018
    Date of Patent: April 19, 2022
    Assignee: Google LLC
    Inventors: Priya Nayak, James Watts
  • Patent number: 11303693
    Abstract: A firewall may identify a uniform resource locator (URL) being transmitted to a user device, the URL link pointing to a host system. The firewall can then modify the URL link to point instead to a sandbox system. Once a user at the user device selects the URL link (e.g., by clicking or touching it in a browser), the firewall receives the user device's HTTP request and directs it to the sandbox system, which generates a new HTTP request that is then sent through the firewall to the host system. The host system then sends host content to the sandbox system instead of to the user device. The user device may then be presented with a representation of the host content as rendered at the sandbox system (e.g., through a remote desktop interface).
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: April 12, 2022
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 11303675
    Abstract: Disclosed herein are methods, systems, and processes for containing compromised credentials using deception systems. A request to authenticate a credential is received at a honeypot and a determination is made that the request includes context information that correlates the credential with network components that are part of the network. A protected host in the network associated with the credential is identified and the credential is authenticated by validating the credential with the protected host. A determination is made that the credential is compromised and the credential is deactivated.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: April 12, 2022
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11303651
    Abstract: A security appliance is used to evaluate the software defined infrastructure. The security appliance includes a data ingestion and query engine. The data ingestion and query engine is configured to retrieve data associated with a resource in the software defined infrastructure, the data stored in a tree structure, extract selective information for the resource from the retrieved data, and generate a NI model for the resource, with the NI model including a plurality of fields and associated value types. A path document for each of the fields is generated, with the path document including a plurality of attributes related to the resource in the software defined infrastructure. The generated path document for each of the fields of the NI model is stored in a data store of the security appliance.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: April 12, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Chandra Mouleeswaran, Wayne Jensen
  • Patent number: 11301443
    Abstract: Some aspects as disclosed herein are directed to, for example, a system and method of configuring one or more configurable database work file limits and performing one or more actions in response to reaching or approaching the work file limits. The method may comprise determining, by a computing device, a user identifier associated with a user and an application identifier associated with an application. The computing device may determine, based on the user identifier and the application identifier, a workfile storage usage threshold associated with the user and the application. The computing device may determine whether a workfile storage usage associated with the user and the application approaches or exceeds the workfile storage usage limit.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: April 12, 2022
    Assignee: Bank of America Corporation
    Inventor: Deepak Gaikwad
  • Patent number: 11303662
    Abstract: Examples disclosed herein relate to security indicator scores. The examples enable obtaining a security indicator created by a first user where the security indicator may comprise a first observable, and obtaining, from a first source entity, a first sighting of the first observable. The first sighting of the first observable may indicate that the first observable has been observed by the first source entity where the first source entity is associated with a first level of source reliability. The examples enable determining a number of sightings of the first observable. The examples enable determining a first observable score based on the number of sightings of the first observable and the first level of source reliability, and determining an indicator score associated with the security indicator based on the first observable score. The indicator score may be presented to a community of users via a user interface.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: April 12, 2022
    Assignee: MICRO FOCUS LLC
    Inventors: Ofer Bachner, Meytal Maor, Elad Cohen
  • Patent number: 11303670
    Abstract: Pre-filtering detection of an injected script on a webpage accessed by a computing device. The method may include receiving an indication of access to the webpage at a web browser of the computing device; identifying a web form associated with the webpage; determining that the webpage has been previously visited by the computing device; recording at least one current domain associated with at least one current object request made by the web form; determining a difference of a count of the at least one current domain associated with the at least one current object request and a count of at least one historical domain associated with at least one historical object request previously made by the webpage; identifying the webpage as suspicious based on determining that the difference is greater than zero and less than a domain threshold; and initiating a security action on the webpage based on the identifying.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: April 12, 2022
    Assignee: CA, Inc.
    Inventor: Candid Alex Wueest
  • Patent number: 11301912
    Abstract: Disclosed are a system comprising a computer-readable storage medium storing at least one program, and a computer-implemented method for digital inventories. An application interface module receives a request message from a user device at a physical store location linked to an online marketplace. The request message indicates a request to determine availability of a target item at the physical store location. The user device is linked to a user. In response to the request message, a database management module accesses inventory data of the online marketplace. An inventory engine determines whether the target item is available at the physical store location. Based on a determination that the target item is not available at the target store, a graphics processing module generates a digital representation of the user and the target item for display within a user interface rendered on the user device.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: April 12, 2022
    Assignee: eBay Inc.
    Inventors: Akshay Gadre, Kerri Breslin
  • Patent number: 11301567
    Abstract: An information handling system may include a processor, an external port communicatively coupled to the processor and configured to receive an external information handling resource and couple the external information handling resource to the processor, and a basic input/output system comprising a program of instructions executable by the processor.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: April 12, 2022
    Assignee: Dell Products L.P.
    Inventors: Puri R. Malluru, Daniel L. Smythia, Ibrahim Sayyed, Chris C. Griffin, Anand P. Joshi
  • Patent number: 11303645
    Abstract: The present invention relates to an online diagnostic platform, and a permission management method and a permission management system thereof. The permission management method includes: when user information of a registered user is received, assigning a role in a role set to the registered user; determining a permission corresponding to the role; and generating a menu corresponding to the registered user, where the menu includes one or more function portals, the function portal being used for requesting execution of a diagnostic service function. The method uses security control policies such as the registered user, the role and the permission, and is flexible in management and relationship configuration. In addition, the permission management system is separated from a service system, has good expansibility, and can ensure stable running and data security of the system.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: April 12, 2022
    Assignee: AUTEL INTELLIGENT TECHNOLOGY CORP., LTD.
    Inventor: Shengsheng Pang
  • Patent number: 11303616
    Abstract: A trust chain having client system and a remote system in a secure connection, wherein an intermediary system associated with the network flow path serves as a signing entity to establish an end to end transitive trust. The intermediate system is a corroborative entity in the operations technology realm of the client system. The remote system serves as the host for a plurality of services in the information technology realm. A two way handshake during the initial secure exchange protocol between a local client application and a remote service is extended to a three way handshake that includes a nonce issued by the remote service on the remote system and a digital signature for the nonce issued by a signature service on an associated intermediate system. The nonce signature is verified authoritatively at the remote system based on the signing certificate of the intermediate system for explicit proof of association.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: April 12, 2022
    Assignee: DigiCert, Inc.
    Inventors: Srinivas Kumar, Shashank Jaywant Pandhare, Atul Gupta, Gopal Raman
  • Patent number: 11301602
    Abstract: Some embodiments of the invention provide a framework for simulating the operation of a blockchain system. Simulation may produce quantitative, practical estimates of how varying certain aspects of the system's design affects its performance, cost, and/or other metrics of interest. Some embodiments provide a unified simulation framework which enables designers and operators to use the data produced from one test or model in another, and allowing the system's parameters and/or protocol to be optimized relative to one or more objective functions.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: April 12, 2022
    Assignee: Gauntlet Networks, Inc.
    Inventors: Tarun Chitra, Rei Chiang
  • Patent number: 11303503
    Abstract: An application executing on a mobile computing platform provides independent data channels over a mobile network to multiple separate computing systems that each maintain some data pertinent to problem determination and resolution when an incident arises in a monitored information technology (IT) environment. The application maintains and separately exercises the channels to provide timely information in a user interface that composites data to present a single interface with a multi-sourced contextual rendering. Some systems may include an IT monitoring system and a separate incident management system among its sources. Channels may include extended functionality to improve security or other aspects of communication with mobile platforms.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: April 12, 2022
    Assignee: SPLUNK INC.
    Inventors: Tristan Antonio Fletcher, Caleb Eugene Hanson, Amy Katherine Hunnel Bianchi, Daniel M. Jones, Alexandros Nikolaos Kompotis, Ross Andrew Lazerowitz, William Marcum, Michael Margulis, Sean David McBride, Daniel Blake Partain, Eric Nathaniel Tschetter, Dipti Prabhakar Siddamsettiwar
  • Patent number: 11303672
    Abstract: An example system includes a processor to receive a current session and previous sessions associated with an account. The processor can split the current session and the previous sessions into action windows. The processor can calculate a window similarity score for each action window of the current session using a pair-wise comparison with action windows of each of the previous sessions. The processor can aggregate the window similarity scores to generate a replay likelihood score for the current session with respect to each of the previous sessions. The processor can classify the current session as a replay attack in response to detecting that a replay likelihood score of the current session exceeds a threshold.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: April 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Andrey Finkelshtein, Itay Hazan
  • Patent number: 11297089
    Abstract: Systems, methods, and software can be used to provide secure sensor data. In some aspects, a computer-implemented method includes: receiving, at a sensor security evaluation application executing on a device, sensor data from a sensor on the device; determining, by the sensor security evaluation application, a security confidence score associated with the sensor data; and transmitting, from the sensor security evaluation application, the security confidence score and the sensor data to a smart machine processor on the device.
    Type: Grant
    Filed: May 2, 2018
    Date of Patent: April 5, 2022
    Assignee: BlackBerry Limited
    Inventor: Adam John Boulton
  • Patent number: 11297074
    Abstract: According to one embodiment, an apparatus comprises a processor and memory. Communicatively coupled to the processor, the memory includes a detection module that, when executed, conducts an analysis of a received object to determine if the received object is associated with a malicious attack. The detection module is configurable, and thus, certain capabilities can be enabled, disabled or modified. The analysis is to be altered upon receipt of a configuration file that includes information to alter one or more rules controlling the analysis conducted by the detection module.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: April 5, 2022
    Assignee: FireEye Security Holdings, Inc.
    Inventors: Michael Vincent, Emmanuel Thioux, Sai Vashisht, Darien Kindlund
  • Patent number: 11297082
    Abstract: A computer-implemented method for implementing protocol-independent anomaly detection within an industrial control system (ICS) includes implementing a detection stage, including performing byte filtering using a byte filtering model based on at least one new network packet associated with the ICS, performing horizontal detection to determine whether a horizontal constraint anomaly exists in the at least one network packet based on the byte filtering and a horizontal model, including analyzing constraints across different bytes of the at least one new network packet, performing message clustering based on the horizontal detection to generate first cluster information, and performing vertical detection to determine whether a vertical anomaly exists based on the first cluster information and a vertical model, including analyzing a temporal pattern of each byte of the at least one new network packet.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: April 5, 2022
    Inventors: Junghwan Rhee, LuAn Tang, Zhengzhang Chen, Chung Hwan Kim, Zhichun Li, Ziqiao Zhou
  • Patent number: 11297101
    Abstract: There is provided a method to detect phishing websites so as to protect users from sending their sensitive information to criminal servers. When browsing a web site having an input form asking sensitive information, the input fields are recorded (i.e. username field and password field). Then false credentials are generated and submitted in background. The new control layer then checks the response page content whether it includes an input form and if there is an input, it checks whether the form has the same fields as the first form. If the responded page does not have a form, or it has a form but includes different fields than the initial page's form, then the original site is identified as phishing.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: April 5, 2022
    Inventor: Fatih Orhan
  • Patent number: 11295006
    Abstract: In one aspect of the present description, operations are described for detecting whether programming code of a first computer program has been modified by a second computer program. In one embodiment, the modification detecting includes registering a first section of programming code of the first computer program in a first registry data structure. To detect a modification, the registered first section of programming code may be validated. In one embodiment, the validating includes comparing the section of programming code actually located at the first memory address to the registered first section of programming code. In another aspect, various selectable remedial actions may be taken upon detecting modification of programming code of the first computer program. Other features and aspects may be realized, depending upon the particular application.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: April 5, 2022
    Assignee: International Business Machines Corporation
    Inventors: Philip R. Chauvet, Joseph V. Malinowski, David C. Reed, Max D. Smith
  • Patent number: 11295011
    Abstract: Certain aspects herein provide a system and method for performing behavior analysis for a computing device by a computing system. In certain aspects, a method includes detecting an event occurring at the computing device at a first time, determining, based on the detecting, an event category of the event, and collecting first one or more behaviors associated with the determined event category occurring on the computing device based. The method also includes comparing the first one or more behaviors with a dataset indicating one or more expected behaviors of the computing device associated with the event. Upon determining that at least one of the first one or more behaviors corresponds to an unexpected behavior based on the comparing, the method further includes taking one or more remedial actions.
    Type: Grant
    Filed: January 8, 2019
    Date of Patent: April 5, 2022
    Assignee: VMware, Inc.
    Inventors: Ruimin Sun, Vijay Ganti, Zhen Mo, Bin Zan, Vamsi Akkineni
  • Patent number: 11295010
    Abstract: The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: April 5, 2022
    Assignee: KnowBe4, Inc.
    Inventors: Bret Lowry, Gauvin Repuspolo