Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11550885
    Abstract: A computing system for securely managing access to resources of a computing device receives an input at a secure login of a user interface. The computing system compares the input to a plurality of stored security measures and activates one of an operating system or a configuration of a false desktop system. A user interface of the false desktop system shares characteristics with a user interface of an operating system and restricts access to specified files, data stores, applications, networking functions, and/or ports associated with the computing system. When configured, the false desktop system or the operating system is enabled based on the location of the computing system. When configured, the false desktop system deletes files, data stores, and applications of the operating system.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: January 10, 2023
    Assignee: Bank of America Corporation
    Inventors: Daniel Horne, George Albero, Robert A. Lang
  • Patent number: 11552969
    Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: January 10, 2023
    Assignee: Abnormal Security Corporation
    Inventors: Sanjay Jeyakumar, Jeshua Alexis Bratman, Dmitry Chechik, Abhijit Bagri, Evan Reiser, Sanny Xiao Lang Liao, Yu Zhou Lee, Carlos Daniel Gasperi, Kevin Lau, Kai Jing Jiang, Su Li Debbie Tan, Jeremy Kao, Cheng-Lin Yeh
  • Patent number: 11550965
    Abstract: Analytics processing circuitry can include a data scavenger and a data analyzer coupled to receive the data from the data scavenger. The data scavenger collects data from at least one element of interest of a plurality of elements of interest of an IC. The data analyzer identifies patterns in the data from the data scavenger over a time frame or for a snapshot of time based on a predefined metric. The analytics processing circuitry can further include a moderator and a risk predictor. The risk predictor generates a risk assessment regarding whether the data collected by the data scavenger is indicative of normal behavior or abnormal behavior based at least on the output of the data analyzer and a behavioral model for the IC, which can be device and application specific. A threat response can be performed based on the risk assessment.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: January 10, 2023
    Assignee: ARM LIMITED
    Inventors: Subbayya Chowdary Yanamadala, Jeremy Patrick Dubeuf, Carl Wayne Vineyard, Matthias Lothar Boettcher, Hugo John Martin Vincent, Shidhartha Das
  • Patent number: 11544386
    Abstract: Systems and methods are provided for monitoring information-security coverage to identify a vulnerability or risk in the information-security coverage. An information-security system can include computing systems, databases, a security server, etc. that can communicate data via a network. The server can be used to obtain data indicating a process for managing or monitoring information-security in the system and data indicating activity on the network, computing systems, server, or databases. The server then determines a metric based on the obtained data and the metric can indicate a risk or vulnerability in information-security coverage in the system. The server can then aggregate the data and transmit the aggregated data to a computing device. The computing device can generate an interface for outputting data for monitoring information-security coverage or identifying a vulnerability or risk in information-security coverage, which can improve the security of the information-security system.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: January 3, 2023
    Assignee: Truist Bank
    Inventors: Stuart Sloan, Aleksey Vladimirovich Rogozhin, Glenn Bernstein, Jesse Daniel Bikman
  • Patent number: 11544988
    Abstract: A multimode system for receiving data in a retail environment includes: a secure input module for receiving high security input and low security input from a customer, the high security input to be communicated by the secure input module in cipher text, and the low security input to be communicated by the secure input module in plaintext. The multimode system is adapted to operate in a high security mode and a low security mode. The multimode system is adapted to enter the low security mode upon detection by the multimode system of a security breach condition. In the high security mode, the secure input module accepts low security input and high security input. In the low security mode, the secure input module accepts the low security input and does not accept the high security input.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: January 3, 2023
    Assignee: Wayne Fueling Systems LLC
    Inventors: Timothy M. Weston, Weiming Tang, David Spiller
  • Patent number: 11544527
    Abstract: Mechanisms for identifying a pattern of computing resource activity of interest, in activity data characterizing activities of computer system elements, are provided. A temporal graph of the activity data is generated and a filter is applied to the temporal graph to generate one or more first vector representations, each characterizing nodes and edges within a moving window defined by the filter. The filter is applied to a pattern graph representing a pattern of entities and events indicative of the pattern of interest, to generate a second vector representation. The second vector representation is compared to the one or more first vector representations to identify one or more nearby vectors, and one or more corresponding subgraph instances are output to an intelligence console computing system as inexact matches of the temporal graph.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: January 3, 2023
    Assignee: International Business Machines Corporation
    Inventors: Xiaokui Shu, Zhongshu Gu, Marc P. Stoecklin, Hani T. Jamjoom
  • Patent number: 11546353
    Abstract: Methods, systems, and apparatus for a threat detection system. The threat detection system includes a threat forensics platform. The threat forensics platform includes a memory. The memory is configured to store a baseline model of controller area network (CAN) data. The threat forensics platform includes a processor coupled to the memory. The processor is configured to obtain CAN data including multiple messages. The processor is configured to compare the CAN data including the multiple messages with the baseline model. The processor is configured to determine a threat score for the CAN data based on the comparison and determine that there is a threat within the CAN data based on the threat score. The processor is configured to provide an indication that there is the threat to a driver of a vehicle or to a service provider.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: January 3, 2023
    Assignee: TOYOTA MOTOR NORTH AMERICA, INC.
    Inventors: Sachin J. Ahire, Ryan Wiesenberg
  • Patent number: 11546377
    Abstract: The main objective of Certificate Transparency (CT) is to detect mis-issued certificates or rogue certificate authorities. It has been observed that phishing sites have been increasingly acquiring certificates to look more legitimate and reach more victims, thus providing an opportunity to predict phishing domains early. The present disclosure provides systems and methods for early detection of phishing and benign domain traces in CT logs. The provided system may predict phishing domains early even before content is available via time-, issuer-, and certificate-based characteristics that are used to identify sets of CT-based inexpensive and novel features. The CT-features are augmented with other features including passive DNS (pDNS) and domain-based lexical features.
    Type: Grant
    Filed: April 13, 2021
    Date of Patent: January 3, 2023
    Assignee: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT
    Inventors: Yazan Boshmaf, Mashael Al Sabah, Mohamed Nabeel
  • Patent number: 11546430
    Abstract: In an embodiment, a process for providing a secure remote workspace includes accessing, via a first client application, a remote desktop application. The process includes activating, within the remote desktop, a second client application to provide access to a task. The process includes obtaining user input in connection with executing the task, and transmitting user input information associated with the execution of the task to a server.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: January 3, 2023
    Assignee: Figure Eight Technologies, Inc.
    Inventors: Wei Pang, Feng Zhu, Brian William Hicks, Michael Ronald Lapinskas, Jiaohong Shi, Mengjie Jiang, Yuheng Cai
  • Patent number: 11537718
    Abstract: A method for reprogramming data of a software function executed by an execution core and a security core, the data being present in two physically separate non-volatile memories, each managed by one of the execution or security cores, including the following steps: upon receiving a reprogramming request, a second value is stored in a first Boolean, determining whether the first Boolean is equal to the second value and if a second Boolean is equal to a first value, and if affirmative; an execution core is made to emit a reinitialization request via a bidirectional communication channel towards a security core and a request to initialize a portion of the first non-volatile memory towards the set of functions for managing the non-volatile memory by an execution core; a second value is stored in the second Boolean; it is determined whether a predetermined reprogramming event has taken place, and if affirmative, the first value is stored in the first Boolean, while keeping the second value in the second Boolean.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: December 27, 2022
    Assignees: CONTINENTAL AUTOMOTIVE FRANCE, CONTINENTAL AUTOMOTIVE GMBH
    Inventors: Lauranne Carles, Jérôme Monier
  • Patent number: 11537723
    Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: December 27, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Theo Dimitrakos
  • Patent number: 11539748
    Abstract: An orchestration system is described that is configured to receive a request to monitor compliance of an enterprise infrastructure and generate an infrastructure change that is associated with the compliance of the enterprise infrastructure, based at least in part on a set of predetermined criteria. In doing so, the orchestration system may further generate one or more infrastructure change events based at least in part on instances of the infrastructure change within the enterprise infrastructure. The orchestration system may further generate a verification report for the enterprise infrastructure, based at least in part on the one or more infrastructure change events, and transmit the verification report to a registered user associated with the request.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: December 27, 2022
    Assignee: ZeroNorth, Inc.
    Inventors: Ernesto Digiambattista, Andrei Bezdedeanu, Michael D. Kail
  • Patent number: 11537762
    Abstract: An integrated-circuit device comprises a bus system connected to a processor, a plurality of peripherals, each connected to the bus system, hardware filter logic; and a peripheral interconnect system, separate from the bus system and connected to the peripherals. For each peripheral, the hardware filter logic stores a respective value determining whether the peripheral is in a secure state. The peripheral interconnect system provides a set of one or more channels for signalling events between peripherals. At least one channel is a secure channel or is configurable to be a secure channel. The peripheral interconnect system is configured to allow an event signal from a peripheral in the secure state to be sent over a secure channel and to prevent an event signal from a peripheral that is not in the secure state from being sent over the secure channel.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: December 27, 2022
    Assignee: Nordic Semiconductor ASA
    Inventors: Ronan Barzic, Anders Nore, Vegard Endresen
  • Patent number: 11533373
    Abstract: A method for searching for abnormal sessions, the method may include (a) obtaining session metadata for each session of a group of sessions; wherein a session metadata of a session is indicative of at least one session feature that represents activities of the session; (b) forming multiple chunks, whereas each chunk comprises session metadata regarding a portion of the group of sessions; (c) for each chunk, generating chunk-based clusters by applying an iterative clustering process on data points that represent session metadata of the chunk; (d) generating group-based clusters, based on the chunk-based clusters; (e) determining, based at least on the group-based clusters, user profiles and abnormal sessions.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 20, 2022
    Assignee: TRACKERDETECT LTD.
    Inventors: David Movshovitz, Adi Degani
  • Patent number: 11533292
    Abstract: Described herein are systems, methods, and non-transitory computer readable media for automating the transfer/syncing of datasets or other artifacts from one security domain (e.g., a low security side environment) to another security domain (e.g., a high security side environment) in a seamless manner that complies with requirements of a data transfer mechanism used to transfer data between the two security domains while ensuring data integrity and consistency between the two security domains.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: December 20, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Jess Ochs-Willard, Matthew Brady, Armando Belardo, Mitchell Skiles
  • Patent number: 11528652
    Abstract: This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer-readable media, for a user equipment (UE) to select a data connection based on which applications are active in a foreground process of an application processor. The UE may activate a dedicated data subscription (DDS) based on a list of active applications. In some aspects, the UE may programmatically initiate a DDS switch based on which applications are active. The UE may determine which data connection to activate as the DDS based on the application configuration information and which applications are active. Application configuration information may indicate preferences regarding different data connections to use for each application. The application configuration information may indicate a preferred radio access technology (RAT), a preferred communication network, a preferred subscription, or any combination thereof.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: December 13, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Tom Chin, Ajith Tom Payyappilly, Juan Zhang
  • Patent number: 11528283
    Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: December 13, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Navindra Yadav, Abhishek Ranjan Singh, Shashidhar Gandham, Ellen Christine Scheib, Omid Madani, Ali Parandehgheibi, Jackson Ngoc Ki Pang, Vimalkumar Jeyakumar, Michael Standish Watts, Hoang Viet Nguyen, Khawar Deen, Rohit Chandra Prasad, Sunil Kumar Gupta, Supreeth Hosur Nagesh Rao, Anubhav Gupta, Ashutosh Kulshreshtha, Roberto Fernando Spadaro, Hai Trong Vu, Varun Sagar Malhotra, Shih-Chun Chang, Bharathwaj Sankara Viswanathan, Fnu Rachita Agasthy, Duane Thomas Barlow
  • Patent number: 11528288
    Abstract: Methods allow predicting and detecting potential anomalies at a service infrastructure. A strings table having entries that define character strings and corresponding anomaly probabilities is accessed. A log entry related to an event occurring in the service infrastructure is generated in a database. The log entry includes a character string designating a name of a file or an IP address and a domain name hosted by the service infrastructure. A search is made for the character string in the strings table. The domain name is marked as suspect if the character string is found in the strings table and if an anomaly probability for the character string exceeds a predetermined threshold. The anomaly probabilities may be calculated using a Bayesian filter that accounts for a number of domains hosted by the service infrastructure on which the character string has recently appeared.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: December 13, 2022
    Assignee: OVH
    Inventor: Olivier Nicol
  • Patent number: 11528287
    Abstract: A computer-implemented method, computer program product and computing system for: obtaining first system-defined platform information concerning a first security-relevant subsystem within a computing platform; obtaining at least a second system-defined platform information concerning at least a second security-relevant subsystem within the computing platform; combining the first system-defined platform information and the at least a second system-defined platform information to form system-defined consolidated platform information; and generating a security profile based, at least in part, upon the system-defined consolidated platform information.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: December 13, 2022
    Assignee: ReliaQuest Holdings, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 11522863
    Abstract: A computer-implemented method for revoking access permissions to computing resources, the method including retrieving certification rules for a computing resource; receiving information related to a user associated with an access permission for the computing resource; comparing the information with the certification rules to determine compliance with the certification rules; and responsive to determining that compliance with the certification rules fails, revoking the access permission.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: December 6, 2022
    Assignee: Shopify Inc.
    Inventors: Jonathan Pulsifer, Andrew McLeod, Natalie Sheinin, Genevieve Luyt
  • Patent number: 11522872
    Abstract: A transceiver for sending and receiving data from a controller area network (CAN) bus is disclosed. The transceiver includes a microcontroller port, a transmitter and a receiver. The transceiver is configured to receive a data frame from a microcontroller via the microcontroller port and to determine if the microcontroller is authorized to send the data frame or part of it based on a message identifier in the data frame and the outcome of the arbitration process. If the microcontroller is unauthorized to send the data, the transceiver is configured to invalidate the data frame and disconnect the microcontroller from the CAN bus for a predetermined period.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: December 6, 2022
    Assignee: NXP B.V.
    Inventors: Franciscus Johannes Klösters, Rolf van de Burgt, Thierry G. C. Walrant, Bernd Uwe Gerhard Elend
  • Patent number: 11522895
    Abstract: Computer-implemented method of detecting potential cybersecurity threats from collected data pertaining to a monitored network, the collected data comprising network data and/or endpoint data. The method comprises structuring the collected data as at least one data matrix, each row of the data matrix being a datapoint and each column corresponding to a feature. The method also comprises identifying one or more datapoints as anomalous, thereby detecting a potential cybersecurity threat. The method also comprises extracting causal information about the anomalous datapoint based on an angular relationship between a second-pass coordinate vector of the anomalous datapoint and a second-pass coordinate vector of one or more features. The second-pass coordinate vectors are determined by applying a second-pass singular value decomposition (SVD) to a residuals matrix.
    Type: Grant
    Filed: April 22, 2022
    Date of Patent: December 6, 2022
    Assignee: Senseon Tech Ltd
    Inventor: Neil Caithness
  • Patent number: 11520644
    Abstract: An integrated circuit device has a processor, a software-trace message handling system, a software-trace message sink peripheral, and a hardware interconnect system. The interconnect system is capable of directing software-trace messages from the processor to the software-trace message handling system, and of directing software-trace messages from the processor to the software-trace message sink peripheral. The software-trace message sink peripheral can present an interconnect delay to the processor, when receiving a software-trace message from the processor, that is equal to or substantially equal to an interconnect delay that the software-trace message handling system would have presented to the processor if the software-trace message handling system were to have received the software-trace message.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: December 6, 2022
    Assignee: Nordic Semiconductor ASA
    Inventors: Hannu Talvitie, Joni Jäntti
  • Patent number: 11522883
    Abstract: Systems and methods for creating and handling workspace indicators of compromise (IOC) based upon configuration drift are described. In some embodiments, a memory storage device may have program instructions stored thereon that, upon execution by one or more processors of an Information Handling System (IHS) of a workspace orchestration service, cause the IHS to: receive configuration information from a client IHS at a workspace orchestration service, where the configuration information represents a change in a configuration of a workspace executed by the client IHS, and where the workspace is instantiated based upon a workspace definition provided by the workspace orchestration service; determine, by the workspace orchestration service, that the configuration information matches an IOC; and transmit, from the workspace orchestration service to the client IHS, an instruction to perform an action responsive to the IOC.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: December 6, 2022
    Assignee: Dell Products, L.P.
    Inventors: Girish S. Dhoble, Nicholas D. Grobelny, Ricardo L. Martinez, Joseph Kozlowski
  • Patent number: 11516069
    Abstract: Techniques are described for an IT and security operations application to automatically generate aggregate (or “bulk,” “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: November 29, 2022
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Paul Agbabian, Anurag Singla
  • Patent number: 11513811
    Abstract: A computer system is provided. The computer system includes a memory and at least one processor coupled to the memory. The processor is configured to identify a message to a plug and play (PnP) manager of an operating system, the message comprising an identifier of a device to be configured by the PnP manager, determine whether the device is targeted for device identifier translation at least in part by determining whether the device satisfies one or more target device criteria, and replace the identifier of the device with a reference identifier different from the identifier of the device in response to a determination that the device is targeted for device identifier translation, the reference identifier being usable by the PnP manager to install or configure the device.
    Type: Grant
    Filed: December 8, 2020
    Date of Patent: November 29, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Mark Roddy, Moso Lee, Simon Piers Graham
  • Patent number: 11509526
    Abstract: A first cloud extension agent that facilitates internet-based management of a first set of local computing resources of a network is provided by a remote network management platform. A first connection is established to the first cloud extension agent. A second cloud extension agent that facilitates internet-based management of a second set of local computing resources of a network is provided by the remote network management platform. A second connection is established to the second cloud extension agent. A first set of instructions is provided to the first cloud extension via the first connection and a second set of instructions is provided to the second cloud extension via the second connection.
    Type: Grant
    Filed: August 10, 2020
    Date of Patent: November 22, 2022
    Assignee: Snowflake Inc.
    Inventors: Vineeth Narasimhan, Joshua Lambert, Thomas Herchek, Ryan Elliot Hope, Nitish Jha, Rahul Jain, Sumeet Singh
  • Patent number: 11507672
    Abstract: Techniques for selectively remediating vulnerabilities for assets of a computing system are disclosed. The vulnerability management system identifies “active” vulnerabilities associated with “active” computing assets that have been determined to be currently running, or to have been recently run, on the system using system call data. By limiting remediation to vulnerabilities associated with software packages of active computing assets, remediation/mediation efforts can be focused on vulnerabilities that may be currently exploited for the system. The list of active vulnerabilities identified for a system may be updated in real time based on continued monitoring of runtime operations of the system. Additional context metadata may be associated with the active vulnerabilities to allow for further prioritization of vulnerability management activities.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: November 22, 2022
    Assignee: SYSDIG, INC.
    Inventors: Mattia Pagnozzi, Luca Guerra, Guido Bonomi
  • Patent number: 11501006
    Abstract: Natural language processing is enhanced by linguistically extracting intelligence about a user. A history of user queries is analyzed by a natural language classifier to determine various user intents, and these intents are combined to form a user intent profile. The profile includes elements of sentiment, emotion and tone. The profile can be used in various ways including restricting access to documents in a collection, or refining a cognitive analysis of a query. For access restriction, a determination is made that the user intent is inconsistent with a document, and the user is denied access to the document. This determination involves a user intent score which is compared to a score of the document. For cognitive analysis, searching of reference documents is filtered by excluding documents based on the user intent. The searching includes a comparison of meta-data tags of the documents to the user intent.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: November 15, 2022
    Assignees: HYUNDAI MOTOR COMPANY, KIA CORPORATION
    Inventors: William G. Dubyak, Vijai Gandikota, Palani Sakthi
  • Patent number: 11503002
    Abstract: A device may receive, from a network device in near-real time, a packet of data associated with network traffic of a network, wherein the packet includes privacy-related data and network-related data. The device may read the privacy-related data from the packet. The device may generate anonymous data based on the privacy-related data, wherein the anonymous data obscures the privacy-related data. The device may generate a mapping between the anonymous data and the privacy-related data. The device may combine the anonymous data and the network-related data to generate a masked packet. The device may provide the masked packet to a server device. The device may receive, from the server device, data identifying a recommendation that is generated by processing the masked packet with an artificial intelligence model. The device may perform one or more actions based on the recommendation.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: November 15, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Prateek Goel
  • Patent number: 11503041
    Abstract: Systems and methods are disclosed for utilizing sender-recipient pair data to establish sender-level trust in future communication. One method comprises receiving raw communication data over a network and testing the received raw communication data against trained machine learning data to predict whether the raw communication data is associated with expected communication data. The raw communication data is sorted for expected communication data, which is further analyzed for sender-recipient pair data and assigned an expected communication pair data score. Senders associated with an expected communication pair data score that meets or exceeds a threshold are labeled and stored in a database as trusted. As a result of the sender-recipient pair analysis, recipients at-risk for being scammed can be identified, senders misidentified as spammers can be properly classified, and machine learning techniques utilized for analyzing raw communication data can be fine-tuned.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: November 15, 2022
    Assignee: Yahoo Assets LLC
    Inventors: Lachlan A. Maxwell, Donald J. McQueen, Paul S. Rock
  • Patent number: 11503044
    Abstract: There are disclosed a method and computing device for detecting malicious domain names in network traffic. The method comprises: receiving the network traffic from a data network, extracting a plurality of data packets from the network traffic, analyzing the plurality of data packets in order to extract at least one domain name from the plurality of data packets; generating, for a given one of the at least one domain names, a given numerical value representative of a suspiciousness of the given one of the at least one domain name, the given numeric value being based on a given set of features of domain name suspiciousness corresponding to one of the given set of analysis methods; classifying the at least one domain name as malicious domain names, in response to an analysis being indicative of the given domain name being a malicious domain name.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: November 15, 2022
    Assignee: GROUP IB TDS, LTD
    Inventor: Nikita Igorevich Kislitsin
  • Patent number: 11503059
    Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: November 15, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roy Levin, Mathias Abraham Marc Scherman, Yotam Livny
  • Patent number: 11501369
    Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria, rules, indicators, or scenarios so as to generate scores, reports, alerts, or conclusions that the analyst may quickly and efficiently use to evaluate the groups of data clusters.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: November 15, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Sean Hunter, Aditya Kumar, Jacob Albertson
  • Patent number: 11502725
    Abstract: An inspection control unit (210) checks a communication status of a communication network (101, 102) to which one or more nodes are connected and determines, based on the communication status, whether inspection of the communication network is possible. When it is determined that inspection of the communication network is possible, the inspection control unit outputs a basic signal, which is a pulse signal for inspecting the communication network, to the communication network. An inspecting unit (220) accepts an inspection signal, which is a basic signal with a waveform changed by flowing through the communication network, and determines, based on the waveform of the inspection signal, whether a new node connected to the communication network is present.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: November 15, 2022
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Yasuhiro Omori, Yuta Atobe, Yuki Okanami
  • Patent number: 11503471
    Abstract: Systems and methods for inspection of traffic between UE and the core network to mitigate DDoS attacks on mobile networks are provided. According to one embodiment, the method involves parsing SCTP packets and monitoring header anomalies to block anomalous packet floods. According to another embodiment, a memory table maintains requesting S1AP-IDs which have sent certain monitored commands and then blocking those which are sending these messages at abnormally high rates. According to yet another embodiment, a packet classifier parses the GTP-U protocol, unwraps the encapsulated IP packet and then monitors layer 3, 4 and 7 rate-based attacks such as UDP, ICMP, SYN, HTTP GET floods and drops them to protect the targeted Internet server as well as mobile infrastructure (e.g., the MME, the SGW, the PGW, and the PDN) downstream from the DDoS mitigation system.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: November 15, 2022
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
  • Patent number: 11500666
    Abstract: A container isolation method for a netlink resource includes receiving, by a kernel executed by a processor, a trigger instruction from an application program. The method also includes creating, by the kernel according to the trigger instruction, a container corresponding to the application program, creating a netlink namespace for the container, and sending a notification to the application program indicating that the netlink namespace is created. The method further includes receiving, by the kernel, a netlink message from the container, wherein the netlink message comprises entries generated when the container runs. The method additionally includes storing, by the kernel, the entries based on an identifier of the netlink namespace for the container, to send an entry required by the container to user space of the container.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: November 15, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Guocheng Zhong, Liang Zhang, Jianrui Yang, Jinmiao Liu
  • Patent number: 11494491
    Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: November 8, 2022
    Assignee: ACRONIS INTERNATIONAL GMBH
    Inventors: Vladimir Strogov, Serguei Beloussov, Aliaksei Dodz, Valerii Cherniakovskii, Anatoly Stupak, Sergey Ulasen, Nikolay Grebennikov, Vyacheslav Levchenko, Stanislav Protasov
  • Patent number: 11496512
    Abstract: Disclosed herein are techniques for detecting phishing websites. In one embodiment, a method is disclosed comprising receiving, at a server, a request for a webpage from a client device; generating, by the server, and inserting an encoded tracking value (ETV) into the webpage; inserting, by the server, dynamic tracking code (DTC) into the webpage, the inserting of the DTC further comprising obfuscating the DTC; and returning, by the server, the webpage including the ETV and DTC to the client device, the DTC configured to execute upon receipt at the client device and validate the ETV upon executing.
    Type: Grant
    Filed: November 12, 2019
    Date of Patent: November 8, 2022
    Assignee: Lookout, Inc.
    Inventors: Jeremy Boyd Richards, Brian James Buck
  • Patent number: 11496509
    Abstract: A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: November 8, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Drew Dennison, Geoff Stowe, Adam Anderson
  • Patent number: 11496498
    Abstract: Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed by network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into a single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
    Type: Grant
    Filed: April 2, 2021
    Date of Patent: November 8, 2022
    Assignee: Webroot Inc.
    Inventors: William Wright, George D. Kellerman
  • Patent number: 11496497
    Abstract: Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.
    Type: Grant
    Filed: November 5, 2020
    Date of Patent: November 8, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Steven Rogers, John Daniel Scoggins, Sr.
  • Patent number: 11496513
    Abstract: A method and apparatus that provide a malicious domain emulator in a distributed cloud computing network are described. A malicious node emulator is executed as a third-party code in a compute server of the cloud computing platform to enable emulation of behavior of a malicious node. The malicious node emulator receives requests from one or multiple network devices addressed to the malicious domain and automatically emulates the behavior of the malicious domain to respond to these requests. The malicious node emulator logs information related to the requests and the network devices transmitting the requests.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: November 8, 2022
    Assignee: CLOUDFLARE, INC.
    Inventor: Justin Matthew Paine
  • Patent number: 11496379
    Abstract: Disclosed are a network traffic analysis method and a device based on multi-source network traffic data. The method includes: deploying a pre-training classifier pool in a network stream data source; receiving multi-source network stream data at a current moment for each data source, classifying the multi-source network stream data through an online classifier, performing feature processing and transformation on data collected by each network stream data source at each preset time interval, and transmitting processed traffic data features and a feature transformation matrix to a traffic drift detection module. The traffic drift detection module contains historical concept data to detect a concept drift according to the traffic data features, the feature transformation matrix and the historical concept data; if the concept drift is detected, the online classifier deployed by multiple sources is reset. This method is used for continuous real-time and accurate analysis of the multi-source network traffic data.
    Type: Grant
    Filed: June 8, 2022
    Date of Patent: November 8, 2022
    Assignee: National University of Defense Technology
    Inventors: Zhaoyun Ding, Hang Zhang, Fei Wang, Weike Liu, Xianqiang Zhu, Bin Liu, Cheng Zhu, Yi Liu
  • Patent number: 11489718
    Abstract: A framework for security information and event management (SIEM), the framework includes a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines, wherein said framework performs SIEM on behalf of multiple subscribers to said framework.
    Type: Grant
    Filed: December 23, 2021
    Date of Patent: November 1, 2022
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael David Wimpy, Andrey Konczal
  • Patent number: 11489868
    Abstract: Aspects of the disclosure relate to dynamic and automated spear phishing management. A computing platform may identify users to receive a simulated spear phishing message. In some instances, the computing platform may receive a very attacked persons (VAP) list and may identify the users to receive the simulated spear phishing message based on the VAP list. Based on historical message data associated with a first user, the computing platform may identify message features associated with the first user. Using a predetermined template and for a first user account linked to the first user, the computing platform may generate a first spear phishing message based on the message features. The computing platform may then send, to the first user account, the first spear phishing message.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: November 1, 2022
    Assignee: Proofpoint, Inc.
    Inventor: Nathan James Grealish
  • Patent number: 11489851
    Abstract: The present invention provides a method of monitoring a computer network, the method comprising: providing a plurality of sensors, wherein said sensors form a meshed network of sensors which monitor cyber-event(s); detecting, by the plurality of sensors, cyber-event(s); linking cyber-event(s) to subsequent cyber-event(s) into branches to form/extend a cyber-event tree; comparing said cyber-event tree to a baseline cyber-event tree; determining if there are any differences in said cyber-event tree to said baseline cyber-event tree to identify a cyber-event tree or a branch thereof as anomalous and thereby identify potential anomalous event(s) and/or a cyber-attack.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: November 1, 2022
    Assignee: Cyber Defence QCD Corporation
    Inventor: Tiago Alves De Jesus
  • Patent number: 11481489
    Abstract: The present disclosure provides for systems and methods for generating an image of a web resource to detect a modification of the web resource. An exemplary method includes selecting one or more objects of the web resource based on one or more object attributes; identifying a plurality of tokens for each selected object based on contents of the selected object; calculating a hash signature for each selected object of the web resource using the identified plurality of tokens; identifying potentially malicious calls within the identified plurality of tokens; generating an image of the web resource based on the plurality of hash signatures and based on the identified potentially malicious calls, wherein the image of the web resource comprises a vector representation of the contents of the web resource; and detecting whether the web resource is modified based on the image of the web resource.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: October 25, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Skvortsov, Evgeny B. Kolotinsky
  • Patent number: 11483330
    Abstract: Systems for the detection of and/or protection from suspicious or malicious activities in a network, for example, an Internet of Things environment, are provided.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: October 25, 2022
    Assignees: University of Tabuk, Shaqra University
    Inventors: Bandar Alotaibi, Munif Alotaibi
  • Patent number: 11483351
    Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: October 25, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Supreeth Hosur Nagesh Rao, Navindra Yadav, Tapan Shrikrishna Patwardhan, Umamaheswaran Arumugam, Darshan Shrinath Purandare, Aiyesha Ma, Hongyang Zhang, Kai Zhu