Abstract: An apparatus comprises a processing device configured to receive, at a user interface of a trust platform configured to manage cloud assets operating in clouds of multiple cloud service providers, a request by a user to access a given cloud asset on which one or more workloads of a given entity run. The processing device is also configured to generate, on the given cloud asset utilizing application programming interfaces of the trust platform, a temporary user account responsive to determining that the requesting user is registered with the trust platform as an authorized user for the given entity and the given asset. The processing device is further configured to provide access credentials for the temporary user account to the requesting user, to monitor use of the temporary user account, and to remove the temporary user account from the given cloud asset based at least in part on the monitored use.

Abstract: A method for processing log data in a server system is disclosed. The method includes: extracting level information associated with the log data, wherein the level information comprises at least one log level indicative of severity of a log event; filtering the log data based at least in part on the level information to generate filtered log data; and correcting, using a processor, the level information in response to determining that the level information of the filtered log data does not match the log event.

Abstract: Described are examples for curating threat intelligence data including receiving threat intelligence data comprising a list of entities, one or more associations between entities, a reputation score for each entity, and/or a confidence value corresponding to the one or more associations. An updated reputation score for at least one of a first type of entities can be determined based at least in part on the confidence value and/or on determining a reputation score of at least one of a second type of entities to which the at least one of the first type of entities is associated in the one or more associations. The reputation score of the at least one of the first type of entities can be updated, in the threat intelligence data, to the updated reputation score.

Abstract: Discussed is a memory having an application area that stores at least one application; a flash bootloader (FBL) area that includes codes for updating the application area; and a BUM module that is activated after a defect is detected in the FBL area, deletes the FBL area, writes binary code information of an FBL image into the FBL area, determines whether the binary code written into the FBL area matches binary code information of the FBL image, and is deactivated when the two binary code information match. The FBL image and the BUM module may be provided in the application area.

Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a request for a webpage from a web browser. The processor may send webpage code of the webpage to the web browser and the webpage may load a secure webpage for a sensitive data field that is separate from the webpage. A secure server may provide the secure webpage, which may correspond to an identifier that points to the secure server. By receiving the sensitive data into the sensitive data field of the secure webpage, the sensitive data may be protected from a script loaded in the webpage. In addition, the processor may receive the sensitive data from the secure server.

Abstract: A method performed by a cybersecurity system includes monitoring multiple network functions (NFs) of a service-based architecture (SBA) of a 5G network. The NFs are communicatively interconnected over an HTTP/2 interface. The cybersecurity system detects potentially malicious network traffic communicated over the HTTP/2 interface, identifies a NFs or associated services that are susceptible to a cyberattack based on the potentially malicious network traffic and deploys resources to secure the NFs or associated services. In one example, the resources are prioritized for a most frequently used (MFU) or most recently used (MRU) NF or associated service.

Abstract: A computer implemented method is described for management of development and deployment of a service based architecture. A graph data structure is generated for the development and deployment of the service based architecture. The graph data structure includes multiple layers which include a core layer and a catalog layer. The graph data structure relates an initial tenant and one or more additional tenants or neighboring tenants in the core layer. The management device assigns a catalog data structure to the catalog layer of the graph data structure. The catalog data structure includes addresses for the initial tenant and the one or more additional tenants for respective hosted locations within the service based architecture. A service offering is described as one or more item nodes in the graph data structure. The graph data structure associates the item node to the catalog data structure of the catalog layer and the initial tenant in the core layer.

Abstract: A method and system for detecting anomalous network activity in a cloud-based compute environment. The method comprises receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; and determining whether anomalies have been detected.

Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a cyber-attacker. A user utilizes a desktop computer, a laptop computer, a smartphone, a tablet, or other electronic device, to interact with a banking website or application, a retailer website or application, or other computerized service. Input-unit interactions are monitored, logged, and analyzed. Based on several types of analysis of the input-unit interactions, a score is generated to reflect fraud-relatedness or attack-relatedness of the input-unit interactions. Based on the score, the system estimates or determines whether the user is an attacker, and initiates attach-mitigation operations or fraud-mitigation operations.

Abstract: Techniques for detecting network intrusions are disclosed. An example intrusion detection system includes a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level. The system also includes a processor to receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition. The processor performs queries of the audit data in accordance with each of the symptoms to generate captured symptom data. The symptoms are scored based on the captured symptom data to generate symptom scores, and the symptom scores are summed to generate a case score. If the case score exceeds an alert threshold specified by the case definition, the processor issues an alert.

Abstract: Embodiments provide for maliciousness scores to be determined for IP addresses and/or network domains. For example, a request to evaluate malicious activity with respect to an IP address/network domain may be received. Multiple, and in some cases disparate, third-party systems may provide malicious activity information associated with the IP address and/or network domain. A feature set may be extracted from the malicious activity information and statistical values may be calculated from the extracted data and added to the feature set. The features set may be provided to a machine learning model as input and a maliciousness score/classification may be returned. A remedial action may be performed in accordance with the output of the machine learning model.

Abstract: A threat information evaluation apparatus that evaluates threat information includes an allocation unit that allocates threat information in an input threat information list to a security operator or an evaluation unit, and an evaluation unit that evaluates the threat information allocated to the evaluation unit. The allocation unit calculates an estimation accuracy on the basis of evaluation performed by the evaluation unit and evaluation determined by the security operator, and allocates the threat information on the basis of the estimation accuracy.

Abstract: An application downloaded from the network onto a target (production) machine can be validated in a sandbox environment. An execution report can be generated during the validation. When the validated application is executed on the target machine, operations performed by the application are limited based on the execution report.

Abstract: A method, computer program product, and a system where a processor(s) determines that a destination has been retained as a link in an application. The processor(s) monitors connections of the application to the destination retained as the link, where connecting is providing a locator of the destination to a server(s) to obtain an address for the destination. The processor(s) determines an average time period measured from providing the locator to the server(s) to obtaining the address. The processor(s) retains the returned address for each connection within a given time period. The processor(s) determines that the application has initiated a new connection to the destination and the new connection is incomplete after a time period calculated relative to the average time period has lapsed. The processor(s) provides selectable options in a user interface of the application that are the retained address(es).

Abstract: A local area social networking server limits social networking activity to people likely to be in close physical proximity to one another and likely to be engaged in similar activities, even people previously unknown to each other, by only permitting social networking between computing devices that are connected to one another through a common local area network. The server identifies recipient devices for a message that (i) are coupled to the same local area network as the sending device, (ii) are associated with demographic characteristics that match those specified for the message as intended recipients, and (iii) are indicated by receptivity data to be receptive to the message and the sender.

Abstract: Embodiments are provided for integrating feedback into alert managing processes having defined alert policies. These policies define conditions that, when satisfied by certain detected activities, triggers an alert to be sent to a client. A determination is made that a current detected activity does satisfy the condition(s). Subsequent to determining that the set of conditions is satisfied and prior to actually generating the alert, the current detected activity is determined to share a relationship with previously received feedback that caused the alert policy to be modified. After being modified, the alert policy specified whether the alert is to be sent to the client, modified and then sent, suspended, or disabled. The alert is then either generated or refrained from being generated based on the alert policy.

Abstract: Techniques are described for enabling analysts and other users of an IT operations platform to identify certain data objects managed by the platform (for example, events, files, notes, actions results, etc.) as “evidence” when such data objects are believed to be of particular significance to an investigation or other matter. For example, an event generated based on data ingested from an anti-virus service and representing a security-related incident might include artifacts indicating an asset identifier, a hash value of a suspected malicious file, a file path on the infected endpoint, and so forth. An analyst can use various interfaces and interface elements of an IT operations platform to indicate which of such events and/or artifacts, if any, represent evidence in the context of the investigation that the analyst is conducting. In response, the IT operations platform can perform various automated actions.

Abstract: Techniques to facilitate network security analysis and attack response are disclosed herein. In at least one implementation, a passive analysis system receives a copy of network traffic, performs deep analysis on the copy of network traffic, and generates security data points based on the deep analysis. The passive analysis system then provides the security data points to an active inline security device, wherein the active inline security device compares incoming network traffic to the security data points to detect security events.

Abstract: A computer system includes an operating system, a memory coupled to the operating system, and a processor (e.g., an anti-debug processor) coupled to the operating system. The operating system receives, from a debug process, a request to create an essential debug object for attachment to a target process. The anti-debug processor scans a kernel memory of the operating system for the essential debug object and verifies a presence of the essential debug object in the kernel memory, and scans the kernel memory to identify a process that has stored in the kernel memory the essential debug object. The anti-debug processor then halts the debug process, without using an internal interface or function of the operating system, thereby preventing the debug process from attaching to the target process.

Abstract: Web server security is assessed. Some embodiments analyze data exchanged with a web server to determine a risk associated with accessing the web server. For example, one or more of a type of web application accessed via the web server, a type of interpreted language used to implement the web server, and/or a type and/or version of an http server operable on the web server are examined. Based on the analysis, the risk associated with accessing the web server is determined. Some embodiments then block access to the web server based on the analysis. Alternatively, in some embodiments, a user may be alerted to the risk, and then allowed to proceed upon accepting the risks. Some embodiments share the determined risk assessment with other client devices via a web server risk data store.

Abstract: The implementations described herein provide a tool for identifying security issues and applying security policies to the service(s) and/or microservices. Rather than a user (such as an administrator) reactively diagnosing security incidents, the systems and methods described herein may provide a tool by which the user can proactively monitor the use of the services and microservices for security issues and control the user of such microservices and services via policies. The systems and methods allow API granular policy control to determine which APIs may be granted or denies access based on a variety of criteria, such as but not limited to the source of the request, the specific API being called, temporal conditions, geography and so forth. The user can identify security concerns or issues on a per API basis.

Abstract: The invention makes it possible to reuse a verification script without manually modifying the internal parameters of the verification script. A verification automation apparatus 1 adapts a verification script to a system that is to be verified. The verification automation apparatus 1 includes: a verification script acquisition unit 101 that acquires a verification script that includes an execution script for verification work and execution enabling requirements for executing the execution script; a verification configuration search unit 104 that searches the system to be verified, for configurations for which the execution script is executable, using environment information regarding the system to be verified, and the execution enabling requirements; and an execution script materializing unit 105 that materializes the execution script based on the configuration that has been found through the search, so as to be executable in the system to be verified.

Abstract: Aspects of the present disclosure relate to threat detection of executable files. A plurality of static data points may be extracted from an executable file without decrypting or unpacking the executable file. The executable file may then be analyzed without decrypting or unpacking the executable file. Analysis of the executable file may comprise applying a classifier to the plurality of extracted static data points. The classifier may be trained from data comprising known malicious executable files, known benign executable files and known unwanted executable files. Based upon analysis of the executable file, a determination can be made as to whether the executable file is harmful.

Abstract: The present application relates to ensuring data consistency between a modular device and an external system. Techniques are described for ensuring data consistency between devices at a control device using configuration signatures. A control device can receive and store a baseline configuration signature for a first modular device. Upon initialization of the first modular device, the control device can receive a current configuration signature from the first modular device. The control device can compare the current configuration signature with the baseline configuration signature and, if a mismatch is found, generate a notification indicating that data subsequently received from the first modular device is of uncertain integrity.

Abstract: Embodiments of the disclosure provide a method and system for task orchestration. A method may include: providing, by a task master control unit, an execution instruction of a task related to a module in an application container to a node agent service unit in an auxiliary application container bound to the application container, the auxiliary application container sharing a file system with the application container; and executing, by the node agent service unit, a command for completing the task, in response to acquiring the execution instruction of the task.

Abstract: A network-accessible service such as a web site may authenticate users through a login process. In order to detect possibly fraudulent login events, the service may implement a framework based on recorded login events. For example, attributes of multiple recorded login events may be analyzed to create a framework that can be applied to attributes of newly received login requests to predict whether the newly received login requests are fraudulent. The framework may comprise criteria, algorithms, rules, models, and/or techniques, and may be constructed using various means such as pattern recognition, machine learning, and/or cluster analysis.

Abstract: Disclosed is a method and system for verifying a regex group. The method comprises verifying of a regex group by creating a flow id through a processor for the regex group when source reaches the sink. The flow id is used for tracking the flow of the regex group. The processor checks in case the flow id is a previously tested flow id. When the flow id is not the previously tested flow id, the processor passes one or more run tasks through a processor forming a queue. The processor tests for one or more vulnerabilities to be associated with the regex group based on the passing, wherein the testing is used to qualify the regex group as a valid regex group.

Abstract: Computer-implemented threat detection method and systems are provided. The method comprises discovering threat data associated with a first entity, translating the threat data to one or more threat models, translating the one or more threat models, using a threat model parameter generator, to at least a parameter threat model and translating the parameter threat model to one or more identification queries. The one or more identification queries may be executed and the generated results may be translated to result data in a first format. The one or more result data models may be published from the result data in one or more formats or to one or more locations.

Abstract: A computer-implemented method to determine which port in a container is a service port. The method includes identifying, a first container, wherein the first container comprises a plurality of ports. The method further includes, training a neural network, wherein the neural network is configured to identify at least one service port from the plurality of ports. The method further includes, monitoring, by a network monitor, a set of data sent to the first container comprising a first parameter. The method includes, identifying a first service port of the plurality of ports. The method further includes, marking the first service port.

Abstract: There is disclosed in one example a computer-implemented anti-ransomware method, including: selecting a file for inspection; assigning the file to a type class according to a file type identifier; receiving an expected byte correlation for the type class; computing, according to a byte distribution of the file, a byte correlation for the file; comparing, via statistical analysis, the byte correlation to the expected byte correlation; and determining that the file has been compromised, including determining that the file has a byte correlation that deviates from the expected byte correlation by more than a threshold, taking a ransomware remediation action for the file.

Abstract: Methods, systems, and apparatus for resource locator remarketing are presented. In one aspect, a method includes receiving visitation data from a publisher, the visitation data specifying a device identifier and a resource locator specifying a resource that was provided to a user device; identifying a content feed that includes regular expressions, each regular expression specifying matching character strings and a set of content items that are eligible to be provided to user devices corresponding to visitation data including a resource locator matching one of the regular expressions; identifying, a first matching regular expression that matches the resource locator specified by the visitation data; selecting a content item from the content items that correspond to the first matching regular expression; and providing data that causes presentation of the selected content item to the user device.

Abstract: A bus control device is enabled for placement between an input port to which a suspect device would be connected and the bus. In this manner, all message received from the suspect device, such an infotainment system, must pass through the bus control device. A separate intrusion detection device is coupled to the bus. The bus control device is arranged to output a notification message to the intrusion detection device, the notification message comprising information about the received message. The intrusion detection device is arranged to determine the validity of the received message responsive to the received notification message.

Abstract: The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

Abstract: In one embodiment, a system is configured to identify, based on predetermined criteria, a first set of users of an online system who belong to a population segment. The system may monitor activities performed by the first set of users on the online system over a predetermined period of time and store the monitored activities as time-series data. A feature set associated with the first set of users may be generated by transforming the time-series data into a frequency domain. The system may train a machine-learning model using the feature set and other feature sets to determine whether activities associated with a given set of users exhibit diurnal behavior pattern. Using the trained machine-learning model, the system may determine whether activities performed by a second set of users on the online system exhibit diurnal behavior pattern.

Abstract: A method for analyzing relationships between clusters of devices includes selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices. Information related to a first communication link associated with the first device and information related to a second communication link associated with the second device is obtained. A similarity metric is computed based on the obtained information. The similarity metric represents a similarity between the first communication link and the second communication link associated with the second device. A relationship between the first and second clusters is determined using the computed similarity metric. When a cyberattack is detected on the devices in the first cluster or the second cluster, protection of all devices in the first cluster and the second cluster is modified based on the determined relationship in order to defend the respective clusters from the cyberattack.

Abstract: Described systems and methods enable a swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among a set of domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is further analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing a content of such domains.

Abstract: A device includes a processor and a memory. The processor effectuates operations including monitoring enterprise network traffic associated with one or more user equipment (UE). The processor further effectuates operations including comparing the enterprise network traffic to a UE profile associated with each of the one or more UE. The processor further effectuates operations including determining whether the comparison indicates that a predetermined threshold has been exceeded. The processor further effectuates operations including in response to the indication that the predetermined threshold has been exceeded, generating an alert, wherein exceeding the predetermined threshold is indicative of a denial of service attack on an enterprise network or an attempt to remove enterprise data via the one or more UE.

Abstract: To address technical problems facing managing multiple sources of information from multiple vehicles, vehicular computing power may be exploited to process such information before sharing with others, which may help reduce network traffic overhead. A technical solution to improve this information processing over vehicular networks by using a hybrid Named Function Network (NFN) and Information Centric Network (ICN), such as in a hybrid NFN/ICN. An NFN may be used to orchestrate computations in a highly dynamic environment after decomposing the computations into a number of small functions. A function may include a digitally signed binary supplied by a car vendor or other trusted authority and executed within a controlled environment, such as a virtual machine, container, Java runtime-environment, or other controlled environment.

Abstract: The present disclosure relates to information prompt methods and apparatus. One example method includes determining a first communication object from a target communication object set, obtaining first interaction information corresponding to the first communication object, receiving input information by using an information input interface of the first communication object, determining a matching degree between the input information and the first communication object based on the input information and the first interaction information, and performing prompt if the matching degree is less than a first threshold.

Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

Abstract: Implementations of this specification include identifying a plurality of transactions to be executed in the blockchain, wherein the transactions are arranged in an execution order, wherein the transactions include one or more smart contract calls to smart contracts each having a whitelist identifying one or more accounts that are authorized to execute the smart contract, and wherein the execution order includes a smart contract call to a smart contract that does not have a whitelist arranged after the plurality of transactions; identifying groups of transactions within the plurality of transactions; instructing nodes of the blockchain network to execute each of the groups of transactions in parallel; determining that the nodes of the blockchain network have completed executing all of the groups of transactions; and in response, instructing the nodes of the blockchain network to execute the smart contract call that does not include a whitelist.

Abstract: A program management system includes: a terminal device having a terminal processing unit capable of executing processing to create a computer program, and a terminal communication unit capable of transmitting the computer program created by the terminal processing unit to an outside; and an external device having an external device storage unit storing therein the computer program transmitted from the terminal device, and an external device processing unit capable of executing processing to give approval to the computer program stored in the external device storage unit. The external device storage unit stores therein appropriateness of approval of the computer program as first status information together with the computer program. The external device processing unit is capable of executing processing to manage the computer program based on the first status information.

Abstract: A system accesses information regarding a topology of an arrangement of resources, where one of the resources is a multi-tiered resource having a plurality of layers. Based on the information regarding the topology of the arrangement of resources, the system selects one or more layers of the multi-tiered resource for deployment of a deception server that has a reduced security mechanism to act as a decoy to attract attackers of the system. The system deploys the deception server at the selected one or more layers of the multi-tiered resource.

Abstract: A system and method for identifying and circumventing a security scanner includes monitoring incoming traffic to a web application, identifying a portion of the incoming traffic as security scanner traffic by comparing the incoming traffic to a security scanner traffic profile, and circumventing the security scanner by providing dummy content or signaling the web application to provide dummy content. The security scanner traffic profile is created by receiving web application traffic generated by a plurality of security scanners; identifying web application traffic features common to at least a portion of the plurality of security scanners by modelling using artificial intelligence, machine learning, and the like; and generating the security scanner traffic profile based on the identified web application traffic features.

Abstract: Methods, systems, and computer program products comprising computer readable instructions for generating efficiency metrics for knowledge workers. Data for symbol contributions of a knowledge worker is used for calculating Knowledge Discovery Efficiency (KEDE), which is a ratio between the symbol contributions of the knowledge worker for a time period indicated by a time aggregation type and a predetermined constant representing an estimated maximum amount of symbol contributions that can be contributed for the time period indicated by the time aggregation type. Templates and fraudulent values of the contributions are excluded from the calculation.

Abstract: Systems and methods for management of data files using a plurality of interconnected operations associated with a plurality of roles are provided. A method involves receiving, from a user terminal, a request to access a portion of the plurality of interconnected operations corresponding to one of the plurality of roles, obtaining a human representation of the portion, and transmitting the human representation to the user terminal for display thereon. The human representation (i.e., an Episodic Social Network representation) is a spatial arrangement one or more affinity groups blocks interconnected via one or more conditional situation blocks, where each of the affinity groups represents a non-exclusive data file classification associated with a set of temporal and non-temporal characteristics and where each of the conditional situation blocks defines a set of conditions for transferring the data file from one of the affinity groups to another of the affinity groups.

Abstract: Systems and methods are described for managing services of a computing device over a mobile network where requests for managed or unmanaged services are translated to corresponding IP addresses sent to the computing device and corresponding requests sent to the translated IP addresses are either permitted, rated, quality controlled or secured if the computing device has a valid data plan or is otherwise permissioned for using the mobile network, are denied if filtered and if the computing device does not have a valid data plan or is not otherwise permissioned and the request corresponds to the first address, and are permitted, rated, quality controlled or not secured even if the computing device does not have a valid data plan or is not otherwise permissioned if the request corresponds to the second address.

Abstract: A method for reassigning exit internet protocol (IP) addresses in a virtual private network (VPN), the method including selecting a first exit IP address for communicating data associated with a user device having an established VPN connection, receiving a notification that indicates occurrence of a network event associated with the first exit IP address, and communicating, during the established VPN connection, data associated with the user device using a second exit IP address, different from the first exit IP address. Various other aspects are contemplated.

Abstract: A technique for determining the safety of the content of beacon transmissions. A user device extracts beacon identification information from a beacon transmission. The user device queries the beacon registry to obtain the targeted content. The user device provides the targeted content and beacon identification information to a validation service. The validation service evaluates the targeted content and the beacon identification information for safety. The validation service determines a score based on that evaluation and sends the score to the user device. The user device alerts the user or performs background actions such as suppression of transmission of beacon contextual data to other apps on user device based on the score.

Abstract: Systems, methods, and apparatuses enable one or more security microservices to optimize a security configuration of a networked environment by applying security policies to resource groups passively to determine whether network sets, resource groups, or security policies should be modified, prior to active enforcement. When security policies are applied passively, security actions that are performed in response to a violation of security policy do not impact network traffic. The one or more security microservices evaluate the results of the passive application of security policies to determine whether there is at least one recommended modification to network sets, resource groups, or security policies. When there is at least one recommended modification, the modification is applied.