Abstract: A system is described for protecting a cyber-physical system against a potential attacker of the cyber-physical system. The system includes at least one processor configured to: collect historical information about the cyber-physical system, and train, based on the historical information, a machine-learned model to predict future conditions of at least a portion of the cyber-physical system. Responsive to detecting an input signal to the cyber-physical system, the system is configured to output an alert to the cyber-physical system indicative of a potential attacker, and respond to the input signal by simulating, based on the future conditions predicted by the machine-learned model, functionality and communications of the at least a portion of the cyber-physical system.

Abstract: Chat-based systems and methods for data loss prevention are described. In one embodiment, a method includes receiving an enable command from a chat service by a data loss prevention service, scanning data from a data source with the data loss prevention service in response to the enable command to detect private information in the data, generating an alert for the private information by the data loss prevention service, and sending the alert to the chat service to cause the chat service to broadcast a chat alert to a group of users.

Abstract: An initiator emulator is implemented on a control plane of a switch fabric connected to target ports of a storage array having storage configured with logical partitions. After an initiator port of a server logs into the switch fabric and is blocked from discovering the target ports, the initiator emulator, acting as proxy for the initiator port, discovers information that indicates logical partition masking enforced at the target ports for the initiator port. The initiator emulator determines allowed (initiator (I), target (T)) (I, T) port combinations that should be allowed access via the switch fabric based on the information from the discovery. The initiator emulator configures the switch fabric with one or more zones based on the allowed (I, T) port combinations. The initiator emulator then sends to the initiator port an indication of a zone change to the switch fabric.

Abstract: Various embodiments disclosed herein are related to a non-transitory computer readable storage medium. In some embodiments, the medium includes instructions stored thereon that, when executed by a processor, cause the processor to detect, on an edge network, a state change of a cluster including one or more edge processing units, identify a plurality of first configuration override rules from a first source and a plurality of second configuration rules from a second source, merge at least one first configuration override rule with at least one second configuration override rule to generate a plurality of third configuration override rules, update a configuration of the one or more edge processing units using the plurality of third configuration override rules, and collect data from the one or more edge processing units in accordance with the configuration update.

Abstract: One or more embodiments analyze log records of applications to determine whether a composite rule pertaining to events associated with the log records occurring within a specified time window are satisfied. Satisfaction of the composite rule may facilitate real-time diagnosis and detection of patterns in logs which indicate problems, threats, systemic issues, or performance issues relating to the applications. The composite rule may specify events associated with log records from multiple different applications that occur within a same specified time window and are associated with a same tenant and entity. Satisfaction of the composite rule may be analyzed by a state machine that tracks satisfaction of the individual rules within the composite rule in a sequence of stages. A notification, alert, or alarm may be generated when the composite rule is satisfied.

Abstract: Dynamic code generation and coordination techniques are provided for display of dynamic markup documents including script code. A code generation process is not only guided by deferral of code preparation stages and sub-stages, but also informed by various information levels possessed concerning the code itself, either through interpretation or observation of execution, to not only generate modified code, but also to generate alternative code for alternative situations (e.g., generating different loop bodies that can thereafter be readily swapped in or out depending on a given function call by the browser application). A multi-core architecture further improves user experience by asymmetrically ensuring web site presentation and functionality is prioritized for the user experience.

Abstract: Method(s) and a domain name server (DNS) for detecting and blocking DNS query raised by a computing device are described. In an example implementation, the DNS may implement a method that includes monitoring DNS queries received from a computing device at the DNS. The DNS identifies if a fully qualified domain name (FQDN) associated with the DNS query is not present in a cache of the DNS and DNS responses received by the computing device in response to the DNS queries whose FQDN is not present in the cache. An exfiltration, an infiltration or a tunneling event is detected based on a summation of size of the DNS queries, DNS responses or both. Accordingly, further DNS queries from the computing device may be blocked.

Abstract: In some implementations, a method includes receiving files provided for analysis by users, generating, from the received files, a batch including multiple files, and scanning each of the files in the batch using each of multiple different antivirus software programs to generate an antivirus output for each of the files. The scanning includes, for each of multiple computing units, generating a replica of the batch for the computing unit, and scanning, by the computing unit, each file in the replica of the batch using an antivirus software program assigned to the computing unit to generate a respective program-specific antivirus output for the antivirus software program for each file of the batch of files. The method includes generating, for each file in the batch, the antivirus output for the file from the program-specific antivirus outputs for the file, and outputting the generated antivirus outputs for presentation to the users.

Abstract: A source code analysis tool is augmented to support rule-based analysis of code to attempt to identify certain lexical information indicative of hard-coded secret (e.g., password) support in the code. The tool takes the source code as input, parses the content with a lexical analyzer based on language grammar, and processes the resulting data through preferably a pair of rule-based engines. Preferably, one engine is configured to identify variables explicitly intended to be used as a hard-coded secret, and the other engine is configured to identify data strings that could potentially support such a secret. The outputs of these rules engines are consolidated and evaluated to identify a likelihood that the code under examination includes support for a hard-coded secret. The result is then provided to the developer for further action to address any potential security vulnerability identified by the analysis.

Abstract: A computer-implemented method for detecting and protecting against malicious use of legitimate computing-system tools may include (i) identifying a computing-system tool that can perform benign actions and malicious actions on a computing system, (ii) creating a set of recorded actions by recording actions performed by the computing-system tool on the computing system over a predetermined period of time, (iii) analyzing the set of recorded actions via a machine learning method that, for each action in the set of recorded actions, determines whether the action is anomalous compared to other actions in the set, (iv) classifying an action in the set of recorded actions as malicious based at least in part on determining that the action is anomalous, and (v) initiating, in response to classifying the action as malicious, a security action related to the action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” features sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.

Abstract: A disclosed apparatus includes a connection detector to detect a communication as including a request to connect to a device at a data link layer of an Open Systems Interconnection model; a threat monitor to determine whether the communication is a threat; and a threat manager to, when the threat monitor determines the communication is a threat, at least one of generate a notification to prompt a user about the threat or block the communication.

Abstract: A vehicular electronic device hacking test apparatus includes a transmitter, a receiver, and a processor configured to classify a communication-connection procedure into a plurality of states based on a preset communication protocol, to generate a mutated packet appropriate for the plurality of states, and to transmit a vehicular electronic device through the transmitter, and to determine whether the vehicular electronic device is vulnerable to hacking based on whether a reception packet corresponding to the mutated packet is received through the receiver.

Abstract: Systems and methods are provided for detecting the presence of a key logger program that is executing on a processing device of an information handling system by inputting simulated keystrokes to an information handling system with known key stroke characteristic/s (e.g., quantity of keystrokes as a function of time, keystroke data size as a function of time, and/or keystroke values as a function of time), and monitoring to detect resulting system activity characteristics that match the known key stroke characteristic/s of the simulated key strokes.

Abstract: A method for executing a penetration testing campaign comprises performing a determination of conditional compromisability for one or more network nodes, including examining each given network node of the one or more network nodes to determine whether it can be compromised from a network node that is already determined to be compromisable and that can communicate with the given network node to the extent required for exploiting a vulnerability applicable to the given network node. Subsequently, for a selected target network node determined to be conditionally compromisable, a potential attacking node is selected from the already-determined-to-be-compromisable nodes and a check is made whether the selected potential attacking network node can communicate with the selected target network node to the extent required, thus leading to a determination that the selected target network node is not only conditionally compromisable but also actually compromisable by an attacker.

Abstract: Disclosed herein are methods, systems, and processes to detect anomalous computing assets based on open ports. Security data associated with computing assets executing in a computing environment is received from an agent executing on the computing assets. Open port information associated with the computing assets is extracted from the security data. The open port information and a list of computing assets with the open port information is used to generate a type similarity model and an open port model. The type similarity model clusters the computing assets and the open port model determines whether a port associated with a computing asset with the open port information is likely to be open or should be open in the computing environment, permitting detection of anomalous computing assets in the computing environment.

Abstract: Identifying and mitigating harm from malicious network connections by a container. In some embodiments, a method may include receiving, from a shim, notifications of all network connections that a container has sought to establish through the shim. The method may also include monitoring all actual network connections established by the container. The method may further include comparing the notifications to the actual network connections to determine whether any actual network connection established by the container bypassed the shim. The method may also include, in response to determining that any actual network connection established by the container bypassed the shim, identifying the network connection established by the container that bypassed the shim as a malicious network connection, and performing a security action to mitigate harm from the malicious network connection.

Abstract: A technology solution for remediating a cyberattack risk in a computing resource asset in a network system.

Abstract: Systems and methods for assessing user activity using dynamic windowed forecasting on historical usage. The system includes a server including an electronic processor. The electronic processor is configured to receive, from a network server hosting at least one application for a plurality of users, a data stream including a plurality of historical activity indicators for the plurality of users, the plurality of historical activity indicators including a plurality of unique user identifiers and a plurality of timestamps. The electronic processor is configured to group the plurality of historical activity indicators into a plurality of historical windowed data points based on the plurality of timestamps. The electronic processor is configured to determine a forecasted quantity of users for a forecast time window based on the data points and the plurality of unique user identifiers. The electronic processor is configured to transmit the forecasted quantity of users to a user device.

Abstract: Network firewalls operate based on rules that define how a firewall should handle traffic passing through the firewall. At their most basic, firewall rules may indicate that certain network traffic should be denied from passing through a network firewall or indicate that certain network traffic should be allowed to pass through the network firewall. Manners of handling network traffic beyond simply allowing or denying the network traffic may also be defined by the rules. For instance, a rule may indicate that certain network traffic should be routed to a specific system. Thus, if an administrator of a network firewall determines that certain network traffic should be handled in a certain way by a network firewall, the administrator need only implement a firewall rule defining how that network traffic should be handled in the network firewall.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for real-time generation and deployment of specific user information security vulnerability levels based on vulnerability assessments for the user. The invention utilizes a two-component system to detect security vulnerabilities for a user, generate a coherent vulnerability level for the user in real-time, and provides user specific mitigation actions depending on each user vulnerability assessment. The first component of the system is an information threat assessment engine, which identifies and/or receives external and internal data regarding users to determine information security threats. The second component is an analytics engine, which is configured to generate vulnerability levels and specific mitigation actions for the user based on threat patterning.

Abstract: A method for protecting memory pages of a computing device using a hypervisor includes detecting, by a hypervisor, a token associated with the trusted program, in response to receiving a hypercall from a trusted program. The token associated with the trusted program is checked against a saved token of the hypervisor to determine trustworthiness of the trusted program. The hypervisor creates a memory page containing a safe hypercall address of the hypervisor. Addresses of the memory page are transmitted from the hypervisor to the trusted program. The hypervisor allows execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.

Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.

Abstract: Aspects of the disclosure relate to identifying potentially malicious messages and generating instream alerts based on real-time message monitoring. A computing platform may monitor a plurality of messages received by a messaging server associated with an operator. Subsequently, the computing platform may detect that a message of the plurality of messages is potentially malicious. In response to detecting that the message of the plurality of messages is potentially malicious, the computing platform may execute one or more protection actions. In executing the one or more protection actions, the computing platform may generate an alert message comprising information indicating that the message of the plurality of messages is potentially malicious. Then, the computing platform may send the alert message to the messaging server, which may cause the messaging server to deliver the alert message to a computing device associated with an intended recipient of the message.

Abstract: A classification apparatus that classifies sequential data, in which input communication destinations in a plurality of communications are recorded in order of occurrence of the communications, into a class that has a similar feature. There is a numerical vector calculation unit-configured to calculate numerical vectors that represent characteristics of communication destinations for each of the communication destinations, on the basis of sequential data in which the communication destinations in a plurality of communications are recorded in order of occurrence of the communications, and a classification unit-configured to classify the sequential data into a class that has a similar feature, on the basis of order relation of the communication destinations of the numerical vectors.

Abstract: Described embodiments provide systems and methods for traffic inspection via embedded browsers. An application inspector module of an embedded browser executable on a client may intercept network traffic for an application. The network traffic may include packets exchanged between the application and the server via a channel. The application inspector module may identify a computing resource usage on the client in providing a user with access to the application via the embedded browser. The application inspector module may generate analytics data based on the intercepted network traffic and the computing resource usage. The application inspector module may maintain a user behavior profile based on the analytics data. The application inspector module may determine that a portion of the network traffic directed to the remote server contains sensitive information. Responsive to the determination, the application inspector module may block or remove the portion of the network traffic.

Abstract: Methods and systems for detecting fraudulent data points in a database of a computerized system include receiving, from a user device, a request for detecting one or more fraudulent data points in a database storing data points representing electronic transactions. The system constructs a feature vector fore each data point and k random vectors. After constructions, the system performs a combination of Locality Sensitive Hashing algorithm and Local Outlier Factor (LOF) algorithm on the constructed feature vectors and the constructed k random vectors to compute outlier scores for each data point. The system detects a fraudulent data point based on the outlier scores that indicate consistent degrees.

Abstract: A method assigns a particular rule for a previous client to a new client for use in executing a security feature on a computer system used by the new client. One or more processors match a new client profile for the new client to a previous client profile for the previous client. The new client profile is based on types of one or more client assets of the new client and an intrusion detection alert history of the new client. The processor(s) assign the particular rule for the previous client to the new client based on the new client profile matching the previous client profile. The processor(s) receive information indicating that a violation of the particular rule has occurred, and execute a security feature of the computer system used by the new client in order to resolve the violation of the particular rule.

Abstract: A method comprising: monitoring events collected from a plurality of network nodes; detecting a first suspicious event among the monitored events by a detection mechanism; monitoring the behaviour of the first suspicious event and any related events; in case the monitored first suspicious event and/or a related event is detected to perform an activity triggering an IOC (indicator of compromise, generating a new IOC; monitoring new events when the activity ends; comparing the behaviour of the new events with the behaviour of the generated IOC; in case a matching behaviour is found, merging the new event with the first suspicious event and/or related events related to the generated IOC; and generating a security related decision on the basis of the IOC.

Abstract: A method of securing a software routine implemented in a software instance executing in an execution environment, the method comprising: initializing a code block of the software instance with a reference to the software routine by storing the reference such that the stored reference is inaccessible to code outside of the code block; and returning a reference to the code block, the reference to the code block used by the software instance outside of the code block to invoke the software routine; wherein the code block is configured to: (a) invoke the software routine using the stored reference, and, (b) after a predetermined number of invocations of the software routine by the code block, modify the stored reference so as to prevent further invocation of the software routine by the code block.

Abstract: Aspects of the disclosure relate to monitoring source code repository data in real-time to protect sensitive information and provide entity-specific alerts. A computing platform may receive configuration information defining one or more criteria for identifying sensitive data of an enterprise organization. The computing platform may monitor external code repository server infrastructure based on the configuration information. In response to detecting that first source code received by the external code repository server infrastructure contains first sensitive information associated with the enterprise organization, the computing platform may generate a notification comprising information indicating that the first sensitive information associated with the enterprise organization has been detected at the external code repository server infrastructure. Subsequently, the computing platform may send the notification to an enterprise administrator user computing device associated with the enterprise organization.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at a gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: A method is disclosed. For example, the method executed by a processor of a multi-function device (MFD) includes accessing a third party application stored in a memory of the MFD, determining that the third party application has been updated, retrieving an update to the third party application from a server that stores updates for third party applications, and executing the third party application with the update on the MFD.

Abstract: Techniques and architectures for creating scratch organizations in a multitenant environment. A scratch organization defined by metadata corresponding to a subject organization is generated. The metadata defines at least a set of privileges for the subject organization to be replicated in the scratch organization. Test data is loaded from a test source that is not the subject organization. Changes to the subject organization are not applied to the scratch organization after creation of the scratch organization and changes to the scratch organization are not applied to the subject organization. One or more test operations are performed on the scratch organization using the loaded test data. The scratch organization is destroyed after the one or more test operations have been performed.

Abstract: An email validation system receives an email validation request from a requestor to validate an email, the email validation request indicating at least a sender domain indicating a domain of the sender of the email. The email validation system determines whether the sender domain is in a whitelist of known domains, wherein a known domain is a domain that is linked to an organization whose provenance is known, such that it can be linked to an identifiable entity in the real world. The email validation system generates, in response to determining that the sender domain is not in the list of known domains, a message indicating that the email is not valid. The email validation system generates, in response to determining that the sender domain is in the list of known domains, the message indicating that the email is valid, and transmits the message to the requestor.

Abstract: A surgical instrument detection system is provided that can determine the kinds of surgical instruments without special processing, such as application of an optically readable symbol, to the surgical instruments. A surgical instrument detection system 100 includes: an image input section 31 to input an image taken by a camera 1; an object extraction section 32 to clip an object image of a small steel article from the input image; a determination section 33 to input the object image to a learned classification model 331 and determine a kind of the small steel article based on features included in the object image; and an output image generation section 34 to generate an image representing the result of determination by the determination section and output such image to a monitor 2.

Abstract: In one example in accordance with the present disclosure, a method may include separating a list of keywords into a set of word tokens and a set of wildcard tokens. The method may also include removing each wildcard token in the set of wildcard tokens that is inferred by at least one word token in the set of word tokens and removing each wildcard token in the set of wildcard tokens that is inferred by at least one other wildcard token in the set of wildcard tokens. The method may also include executing a search query comprising a new list of keywords that includes each wildcard token not removed from the set of wildcard tokens.

Abstract: A method and system are disclosed. A first service engine among a plurality of service engines detects a traffic violation of a web application policy for an instantiation of a virtual service on the first service engine. The service engines maintain corresponding instances of a shared state of policy violations for the web application policy. In response to detecting the traffic violation, a first instance of the shared state on the first service engine is updated. The first service engine broadcasts the updated first instance of the shared state. Remaining service engines, which have instantiations of the virtual service, update their instances of the shared state in response to receiving the updated first instance. The instances of the shared state are aggregated to obtain an aggregated shared state. It is detected whether the aggregated shared state triggers an application policy rule for the web application policy.

Abstract: A technique for performing authentication to a hybrid-cloud service includes selectively applying varying authentication requirements based on whether a client device can be confirmed to be connected to a private intranet. The technique includes operating a set of local agents on one or more computing machines on the intranet. When a client device requests access to the hybrid-cloud service, the client device attempts to contact one or more of the local agents. If the client device succeeds in contacting a local agent, then the client device is confirmed to be connected to the private intranet and receives relatively trusting treatment during authentication. However, if the client device fails to contact at least one local agent, the client device is not confirmed to be connected to the private intranet and receives relatively less trusting treatment.

Abstract: The techniques discussed herein include storing a fast-path and a slow-path table in a memory associated with a programmable switch, such as a cache of the programmable switch. An offload controller may control the contents of the fast-path and/or slow-path table and may thereby control behavior of the programmable switch. The programmable may route a received packet to a gateway if the packet generates a hit in the slow-path table. If the received packet generates a hit in the fast-path table, the packet may be forwarded directly to a virtual private cloud (VPC), virtual switch thereof, and/or to a virtual machine (VM).

Abstract: A logical graph is generated using at least a portion of log data received from a set of agents executing on one or more nodes in one or more data centers. The logical graph is generated at least in part by clustering a first set of nodes using a first clustering criteria. The logical graph is augmented at least in part by performing a reclustering operation using a second clustering criteria.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults.

Abstract: Methods, systems, and devices for protecting against abnormal computer behavior are described. The method may include monitoring a computer process related to an application running on a computing device of one or more computing devices, analyzing a database including a set of digital fingerprints, where a digital fingerprint of the set of digital fingerprints relates to the application, the digital fingerprint including an indication of a set of computer processes related to the application that are classified as normal computer processes for the application, determining that the computer process related to the application is an abnormal computer process based on analyzing, and performing a security action on the computing device to protect the computing device against the abnormal computer process based on the determining.

Abstract: Systems, methods, and storage media for determining the probability of cyber risk-related loss within one or more computing systems composed of computing elements are disclosed. Exemplary implementations may: assess vulnerability by determining an exposure window for a computing element based on the number of discrete times within a given time frame where the computing element is in a vulnerable state; determine a frequency of contact of the computing element with threat actors; normalize the exposure window and the frequency of contact; calculate a threat event frequency by dividing the normalized exposure window by the normalized frequency of contact; and repeat the steps for multiple elements. When combined with liability data that describes the loss magnitude implications of these events, organizations can prioritize the elements based on loss exposure and take action to prevent loss exposure.

Abstract: Systems, apparatuses and methods may provide for technology that detects a runtime call to a communication library, wherein the runtime call identifies a memory buffer, determines that a class of service (CLOS) attribute is associated with the memory buffer, and issues a driver instruction to modify the CLOS attribute in response to the runtime call.

Abstract: Embodiments include technologies for creating a manifest for a conferencing event in a network, adding a name tag identifying the conferencing event to the manifest, receiving an interest packet including one or more parameters indicating a named flow being produced at a source node, adding content metadata of the named flow to the manifest, and sending the manifest to the source node. Further embodiments include adding, to the manifest, session-level metadata associated with a user of the source node. Embodiments include receiving a second interest packet with one or more second parameters identifying a user of a client node, where the second interest packet indicates a request to authorize the user of the client node to subscribe to the conferencing event. In further embodiments, session-level metadata associated with the user is added to the manifest if the user is authorized to subscribe to the conferencing event.

Abstract: For each of a number of naming deviation types, the number of deviations within a domain name of a domain is determined. Each naming deviation type is a different type of deviation from domain name naming rules. For each naming deviation type for which the number of deviations is non-zero, first benign and malicious probabilities that benign and malicious domains, respectively, have the naming deviation type are estimated. Second benign and malicious probabilities that any given domain is respectively benign and malicious are estimated. Probabilities that the domain is benign and malicious are estimated based on the number of deviations for each naming deviation type and based on the estimated first and second benign and malicious probabilities. Whether the domain is benign or malicious is determined based on the estimated probabilities that the domain is benign and malicious.

Abstract: Computer systems and methods for: (1) analyzing electronic correspondence associated with a data subject (e.g., the emails within one or more email in-boxes associated with the data subject); (2) based on the analysis, identifying at least one entity that that the data subject does not actively do business with (e.g., as evidenced by the fact that the data subject no longer opens emails from the entity, and/or has set up a rule to automatically delete emails received from the entity); and (3) in response to identifying the entity as an entity that the data subject no longer does business with, at least substantially automatically populating and/or submitting a data subject access request to the entity (e.g., to delete all personal information being processed by the entity).

Abstract: The present disclosure relates to a one-chip system for a control device of a vehicle with at least one bus, at least one control unit connected to the at least one bus for controlling a peripheral device assigned to the at least one control unit and several processors connected to the at least one bus.

Abstract: A method of determining that a subject electronic device 1021 . . . N is counterfeit. The method involves delivering the web page component to a subject device 1021 . . . N in response to a request. The web page component is adapted to retrieve actual values of a plurality of attributes from the subject device 1021 . . . N. Reference values of the plurality of attributes are retrieved from a device property store 110 and the method determined that the subject device 1021 . . . N is counterfeit when at least one of the actual values of the plurality of attributes is different to the reference value of that attribute.