Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of virtual machines to detect at least one user request to be executed within a security zone; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.

Abstract: A method for verifying that default passwords have been changed without causing a security lockout, is provided, including enabling user identifiers associated with a plurality of devices, prior to an initial security test, identifying, a default password for a user identifier of each device, attempting a login to each device using the default password for the user identifier of each device, wherein: in response to determining that the login is successful, raising an alert against the user identifier as a security concern and maintaining an enabled state of the user identifier, in response to determining that the login is unsuccessful, disabling the user identifier so that the user identifier is in a non-enabled state, until a security lockout interval elapses, and retrying the login only for each user identifier in an enabled state during one or more subsequent security tests initiated after a predetermined alert interval.

Abstract: Aspects described herein relate to various methods, systems and apparatuses that may improve methods of determining network performance. One or more aspects relate to performing one or more network tests based on a controller device and one or more measurement devices. The controller device may be configured to determine one or more network tests and initiate performance of the one or more network tests. The one or more measurement devices may be configured to perform the one or more network tests. One or more additional aspects may relate to determining one or more rankings of wireless networks. A ranking may be determined based on measurement data that is associated with aspects of network performance, based on results of one or more surveys, based on one or more user types, and/or based on weights that adjust the importance of factors including the measurement data and the results of a survey.

Abstract: Techniques and apparatus for providing peer-based management of user accounts are described. In one embodiment, for example, an apparatus may include at least one memory and logic coupled to the at least one memory. The logic may be configured to receive a request from at least one first user account to unlock a second user account locked responsive to a fraud event, determine a safe authentication value for the fraud event, and unlock the second user account responsive to the at least one first user account being a safe authentication account and the safe authentication value being over a safe authentication threshold value. Other embodiments are described.

Abstract: Embodiments of the present disclosure are directed to a number of systems, apparatuses, and methods for scoring, rating, the cyber-security of a network, and the configuration, control, and remediation, thereof. Accordingly, in some embodiments, a network security evaluation method is provided which may comprise operating an investigatory container (IC) with access to a first network (FN), and retrieving first data by the IC from a source external to the FN. The first data can correspond to at least one of an inventory of security devices provided on the FN, plug-in module information for each security device provided on the FN, each plug-in module configured to allow the IC to communicate with a respective security device of the FN, and login information associated with each security device of the FN.

Abstract: Embodiments seek to protect privacy of potentially sensitive client resources in web transactions using crowd-disambiguation. Crowd-disambiguation machines can aggregate information about resources from multiple clients as resource fingerprints, and can use the fingerprints to provide crowd-sourced services in a privacy-protected manner. For example, embodiments can communicate a resource fingerprint as a fully ambiguated resource instance (FARI) and a partially disambiguated resource instance (PDRI). When one (or few) clients communicates the resource fingerprint, the identity of the resource remains obfuscated from the crowd-disambiguation machine. As more clients communicate fingerprints for the same resource (e.g., identified by the matching FARIs), respective, differently generated PDRIs of those fingerprints enable the crowd-disambiguation machine to resolve further portions of the resource, ultimately permitting the resource to be revealed and considered non-private (e.g.

Abstract: A system may include a data delivery pipeline communicatively coupled to one or more microservices that receive a dataset transmitted through the data delivery pipeline. The system may also include a first microservice that receives a first dataset corresponding to operation technology (OT) data or information technology (IT) data and determines a second dataset based on the first dataset. The system may also include a second microservice that receives the second dataset from the first microservice via the data delivery pipeline, determines an action to perform in an industrial automation component of an industrial automation system based on an analysis of the second dataset, and transmits the action to the industrial automation component via the data delivery pipeline.

Abstract: To easily recognize a situation where confidential information has leaked from an information system. A risk management support server 400 that is connected, via a communication network, to an information system 100 managing confidential information includes a fictitious code request receiving unit configured to receive, from the information system 100, a request to acquire a fictitious code to be set in a part of items in the confidential information as well as a type of the item, a fictitious code generation unit configured to generate the fictitious code corresponding to a data format of the received type of the item, and a fictitious code providing unit configured to transmit the generated fictitious code to the information system 100.

Abstract: The present disclosure provides a method for securely updating firmware components, which is used in connection with an electronic device including a universal serial bus human interface device interface. The method includes: downloading a deformed patch executable file by the electronic device, wherein the deformed patch executable file is deformed from a patch executable file including a plurality of binary files, and each of the binary files is configured with an address reference label; and executing the deformed patch executable file and verifying whether a digital signature of the deformed patch executable file is authorized or not. If the digital signature of the deformed patch executable file is authorized, providing an update tool for updating the corresponding firmware component. If the digital signature of the deformed patch executable file is not authorized, prompting that the digital signature is unauthorized.

Abstract: There is a need for solutions that perform predictive natural language processing with improved efficiency and/or accuracy. This need can be addressed by, for example, by detecting an anomaly condition in the service provider system based on affected user activity data items associated with the service provider system; determining affected user profiles, wherein each affected user profile is predicted to experience the anomaly condition; determining, for each group of affected user profiles, affected user intentions based user activity data items associated with the group of affected user profiles; generating a support communication for each affected user profile in the group of affected user profiles based on the affected user intentions for the group; and causing a transmission of each support communication to each affected user profile in the group of affected user profiles.

Abstract: A computer storage array detects and counters denial of service (DoS) attacks. The computer storage array provides one or more remote initiators with access to one or more storage devices connected to the computer storage array. According to an example embodiment, the computer storage array includes: a computer processor configured to run an operating system for managing networking protocols; a networking device configured to monitor and route network traffic, at a packet level to, and from the storage devices; a baseboard management controller (BMC) configured to detect a DoS attack based on monitoring of statistics of the network traffic by the networking device; a PCIe switch connecting the BMC with each of the storage devices via a PCIe bus; and a computer motherboard to which the computer processor, networking device, BMC and PCIe switch are installed.

Abstract: Embodiments of the systems described herein can implement one or more visitor tearing processes. Visitor tearing can include, among other things, one or more processes by which multiple visitors that may appear to be the same visitor may be separated into different visitor profiles due to the leveraging of one or more unique persistent identifiers.

Abstract: A distributed data storage layer supports biometric identification systems. The biometric identity system includes hardware and software improvements for capturing, retrieving, and verifying identity based on securely stored biometric data in the distributed data storage layer. As a result, the biometric identity system provides increased individual security and reliable identification.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Abstract: A method including detecting, in response to a design file uploaded by a development device, validity of an actual constraint file included in the design file and corresponding to an FPGA of the FPGA cloud host; synthesis processing the design file in response to detecting that the actual constraint file is valid; and writing a burner file obtained from the synthesis processing into the FPGA. The validity of the actual constraint file is detected to prevent a malicious attack of a user to FPGA hardware.

Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.

Abstract: The present disclosure generally relates to web page analysis, and more particularly to detecting malicious behavior using an accomplice model. In certain embodiments, the accomplice model may determine that a URI is associated with malicious behavior based upon the URI being associated with an attribute determined to be related to malicious behavior. Examples of an attribute include a host system, a domain, or an element of a document used to render the web page. Examples of an element of a document used to render the web page may include an active/dynamic element (e.g., a function, a script, etc.) or an inactive/static element (e.g., a string, a number, a frame, a tracking username, a social networking username, etc.).

Abstract: An electromagnetic (EM) sensor includes a front end module generating an EM signal using electromagnetic waves transmitted from an external source, a sensor memory storing a portion of a plurality of machine learning models used to recognize the EM signal, and a microcontroller unit for recognizing the external electronic device emitting the electromagnetic waves by inputting feature values extracted from the EM signal to the machine learning models. If the machine learning models stored in the sensor memory are not able to recognize the external device, the feature values may be transmitted to a main processor, and the main processor may compare the feature values to another set of machine learning models.

Abstract: According to an embodiment, an information processing device includes a prior verifying unit, and an execution control unit. The prior verifying unit is configured to verify integrity of software registered in a whitelist at a timing which does not depend on an execution start of software and generate an execution permission list in which software which is successfully verified is registered as execution-permitted software. The execution control unit is configured to permit execution of the software if the software is registered in the execution permission list as the execution-permitted software when the execution start of the software is detected.

Abstract: An email misrepresentation handling process is executed for an email in a case of a mismatch between first sender information detected by a first detection from a body text or a subject of the email, and second sender information detected by a second detection from a header of the email.

Abstract: The life cycle of one or more containers related to one or more containerized applications is managed by determining that a predefined retention time for a first container of a plurality of containers has elapsed; in response to the determining, suspending new session traffic to the first container; and waiting for a predefined session dilution time before terminating the first container and/or changing a role of the first container. In some embodiments, the session dilution time allows existing sessions to complete before the first container is disconnected from a service platform.

Abstract: An intrusion prevention system includes a machine learning model for inspecting network traffic. The intrusion prevention system receives and scans the network traffic for data that match an anchor pattern. A data stream that follows the data that match the anchor pattern is extracted from the network traffic. Model features of the machine learning model are identified in the data stream. The intrusion prevention system classifies the network traffic based at least on model coefficients of the machine learning model that are identified in the data stream. The intrusion prevention system apples a network policy on the network traffic (e.g., block the network traffic) when the network traffic is classified as malicious.

Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud computing system. The method includes executing a proxied attestation procedure with a client to enable the client to attest that an enclave management layer (EML) application provided by the cloud computing system runs on a TEE-enabled platform. The method also includes receiving, by the cloud computing system from the client, application code corresponding to the TEE-based application and receiving, by the EML application from the client, application parameters corresponding to the TEE-based application. In addition, the method includes writing, by the EML, application to a secure storage layer, the application parameters corresponding to the TEE-based application and creating, by the cloud computing system, an enclave configured to execute the TEE-based application.

Abstract: A computer implemented method to identify a computer security threat based on communication of a network connected device via a computer network including receiving a plurality of blocks of network traffic from the device, each block including a sequence of network traffic data items being identifiable by a position in the sequence of the block; identifying a subset of positions occurring in every block for which a degree of variability of values of data items in each position of the subset meets a predetermined threshold; and generating executable code for performing a plurality of processing operations based on the identified subset of positions, the executable code consuming a determinate quantity of computing resources when executed for the received network traffic.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

Abstract: The disclosed embodiments generally relate to detecting malware through detection of micro-architectural changes (morphing events) when executing a code at a hardware level (e.g., CPU). An exemplary embodiment relates to a computer system having: a memory circuitry comprising an executable code; a central processing unit (CPU) in communication with the memory circuitry and configured to execute the code; a performance monitoring unit (PMU) associated with the CPU, the PMU configured to detect and count one or more morphing events associated with execution of the code and to determine if the counted number of morphine events exceed a threshold value; and a co-processor configured to initiate a memory scan of the memory circuitry to identify a malware in the code.

Abstract: Techniques for selective sinkholing of malware domains by a security device via DNS poisoning are provided. In some embodiments, selective sinkholing of malware domains by a security device via DNS poisoning includes intercepting a DNS query for a network domain from a local DNS server at the security device, in which the network domain was determined to be a bad network domain and the bad network domain was determined to be associated with malware (e.g., a malware domain); and generating a DNS query response to the DNS query to send to the local DNS server, in which the DNS query response includes a designated sinkholed IP address for the bad network domain to facilitate identification of an infected host by the security device.

Abstract: A method for IP traceback is provided comprising receiving a traceback request including the identity of a traceback-deployed autonomous system closest to the destination node in a network routing path, recursively querying a traceback server associated with the traceback-deployed autonomous system to receive the identity of a preceding traceback-deployed autonomous system in the network routing path, and determining the network routing path based on the received identities of traceback-deployed autonomous systems. Additionally, authentication for traceback request is achieved using token delivery, wherein token is fragmented and marking of a packet is performed when a field on the packet matches at least one token fragment.

Abstract: In an aspect, the present application may describe a method. The method may include: receiving, from a remote computing device, a first indication of consent for an authenticated entity to share data with a first third party server, the first indication of consent associated with a first sharing permission defining a first sharing scope; in response to receiving the first indication of consent: configuring a server to share data for the authenticated entity with the first third party server based on the sharing permission; identifying a first safety score, the first safety score associated with the first third party server; and updating a risk score for the authenticated entity based on the first safety score and the first sharing permission; and sending the updated risk score for the authenticated entity to the remote computing device for display thereon.

Abstract: Computer-implemented methods and systems are provided for the detection of software presence remotely through the web browser by detecting the presence of webinjects in a web browser that visits a detection webpage. The methods can include delivering a detection webpage to a web browser, in which the detection webpage has detection code configured to detect a presence of the webinject in the detection webpage; and inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components. The method can further include, if webinject content is detected, generating a fingerprint for each of the one or more HTML components; transmitting the one or more fingerprints to an external server; and classifying, by the external server, the webinject based on the one or more fingerprints.

Abstract: The present disclosure describes methods, systems, and computer program products for providing additional stack trace information for time-based sampling (TBS) in asynchronous execution environments. One computer-implemented method includes determining whether time-based sampling is activated to capture a time-based sampling data during execution of a JavaScript function; in response to determining that the time-based sampling is activated to capture the time-based sampling data, determining whether a callback stack trace is active; in response to determining that the callback stack trace is active, loading the callback stack trace; retrieving a current stack trace of the JavaScript function; and saving the loaded callback stack trace and the current stack trace of the JavaScript function as the time-based sampling data.

Abstract: The invention is related to security systems and methods for proactively informing a user about an artifact associated with a clickable object on a user interface with which the user is interacting, where such information is provided to the user prior to selection of the clickable object. The information includes a safety assessment of the clickable object, details about the underlying artifact, such as the contents of an archive file, and general information helpful in assisting the user with making a decision as to whether to select the clickable object.

Abstract: Methods, non-transitory computer readable media, and network traffic manager apparatus that assists with managing network connections includes obtaining a destination internet protocol (IP) address and a domain name from a received request sent by a client. A determination is made about when the obtained domain name identifies a trusted service and the obtained destination IP address is included in a current host IP address list. The obtained destination IP address is replaced with a new IP address from the current host IP address list when the obtained domain name is determined to be present and the obtained destination IP address is determined to be absent from the current host IP address list. The received request is managed based on one or more network policies, wherein one of the one or more network policies includes providing the client access to the service identified by the obtained domain name hosted at the replaced new IP address.

Abstract: Methods, systems, apparatuses, and computer program products are provided for connecting sensor devices to cloud servers by a gateway device. The gateway device includes a plurality of sensor adaptors, a sensor data processor, and a network communication interface. The sensor adaptors are configured to receive sensor data in communication signals from sensor devices. Each sensor adaptor is configured to extract sensor data encapsulated according to a respective sensor communication protocol. The sensor data processor is configured to process the extracted sensor data for transmission to a cloud service, such as by extracting unneeded messages data, or inserting additional data such as a time stamp. The network communication interface is configured to transmit the processed sensor data to the cloud service over a network according to a network communication protocol. Sensor data of different types may be transmitted according to corresponding types of network communication protocols.

Abstract: Disclosed are various approaches for authenticating a user through a voice assistant device and creating an association between the device and a user account. The request is associated with a network or federated service. A user account can be implicitly authenticated based on proximity of a client device to the voice assistant device. An association between the user account and the voice assistant device can then be created.

Abstract: A method securely scans a second web page linked to a first web page being displayed by a browser. The method identifies a target link to a second web page from one or more links contained within a first web page. Prior to receiving a user selection of the target link, the method prefetches content from the second web page and loads the prefetched content from the second web page into a safe cache before receiving the user selection of the target link. The method scans the prefetched content from the second web page for a security threat, within the safe cache, wherein the safe cache is configured to prevent the prefetched content from altering a memory location or storage location external to the safe cache. In response to identifying a security threat within the prefetched content, the method displays a warning to the user.

Abstract: A device, computer program product and method for detecting a deviation of a security state of a computing device from a desired security state, wherein the computing device is emulated by a virtual machine, where the includes the creation of a virtual copy of the virtual machine, the creation occurring during runtime of the virtual machine with operation of the computing device continuing unimpaired, the automatic start of operation of the virtual copy, automatic performance of a security check on the virtual copy with operation of the computing device continuing unimpaired, automatic generation of a result of the security check which describes a security state of the virtual copy, and includes creation of a threat indication for the computing device if the result indicates a deviation of the security state of the virtual copy from the desired security state of the computing device.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for cybersecurity vulnerability management. One of the methods includes receiving a vulnerability report indicating a cybersecurity vulnerability by a blockchain network. The blockchain network provides access to the vulnerability report to an administration server. A vulnerability verification report indicating a verification of the cybersecurity vulnerability from the administration server is received by the blockchain network. The blockchain network stores information of the cybersecurity vulnerability into a vulnerability record that is stored on the blockchain network. The blockchain network provides access to the vulnerability record to a service provider, and receives a notification indicating a resolution to the cybersecurity vulnerability from the service provider.

Abstract: A management apparatus includes a memory and a processor coupled to the memory. The processor is configured to execute a grouping process that includes a collection process which collect information from each of a plurality of devices based on a history of communication processes executed with another device of the plurality of devices and store the information in the memory, execute a creation process which create a group by correctively combining one or more pairs of communication source and communication destination devices in which communication processes of a same type were executed at a same time interval based on the information collected in the collection process and output display information for displaying information of the devices included in the group created by the grouping process.

Abstract: The invention introduces a method for configuring impedance of memory interfaces, performed by a processing unit, including: setting a first impedance value associated with an on-die termination (ODT) for a receiver of a controller to a first default value; setting a second impedance value associated with a driver variable resistance for a transmitter of a memory device to a second default value; performing tests for test combinations each comprises a third impedance value associated with a driver variable resistance for a transmitter of the controller and a fourth impedance value associated with an ODT for a receiver of the memory device; and storing a test result for each in a predefined location of a static random access memory (SRAM), thereby enabling a calibration host to obtain the test result for each from the SRAM.

Abstract: Arrangements for detecting, evaluating and controlling intelligence threat data feeds are provided. In some examples, a plurality of threat intelligence data feeds may be received. The threat intelligence data feeds may be received and evaluated to identify one or more feeds that are considered to provide valuable information to the entity implementing the evaluation. For instance, the evaluation may identify one or more feeds or providers that provides accurate data, timely data, and the like. In some examples, based on the evaluation, one or more data feeds may be removed (e.g., data might not be received), one or more alerts may be generated or dismissed, alerts generated for potential threats may be prioritized (e.g., alerts generated based on data from more accurate feeds are prioritized over alerts generated based on data from less accurate feeds).

Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

Abstract: A method for automatically generating and processing a number of protocol files of different types of an automation system of a technical plant includes identifying a number of relevant protocol files of different types from the generated protocol files based on at least one protocol parameter, transforming the identified relevant protocol files of different types into relevant standardized protocol files of the same type by using an agent-based software, analyzing and/or processing data sets of the relevant standardized protocol files of the same type, and outputting and/or saving the data sets of the relevant standardized protocol files.

Abstract: A system for managing information security attack and defense planning includes a hacker end, an observer end, and a manager end. The hacker end conducts a real-word hacking exercise to hack a targeted website through a monitoring and control server. The observer end monitors the hacker end. The manager end provides an analysis platform communicatively connected to the monitoring and control server. The hacker end and the observer end generate a first independent report and a second independent report respectively according to logged information during the real-world hacking exercise and respectively transmit the first independent report and the second independent report to the analysis platform through the targeted institution for analysis, allowing the manager end to generate a summary report including flaws and vulnerabilities in information security and transmit the summary report to the targeted institution for the targeted institution to objectively and effectively assess the summary report.

Abstract: The disclosed embodiments provide a method and system for processing network data. During operation, the system obtains, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network. Next, the system uses the configuration information to configure the generation of event data from network data obtained from network packets at the remote capture agent. The system then uses the configuration information to configure transformation of the event data or the network data into transformed event data at the remote capture agent.

Abstract: In an example method, a computer system retrieves a plurality of data items. Each data item indicates a respective network route on the network. The computer system determines a route automaton based on the plurality of data items. The route automaton includes a representation of the network routes. The computer system determines one or more routing policies on the network based on the route automaton. The method can be used to detect one or more routing policies on a network.

Abstract: Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

Abstract: Methods, systems, and computer readable media for providing resilient computer services using systems diversity include a head device for receiving requests from clients and for replicating the requests. Variates each receive a request replicated from the head device, process the request, and generate a response to the request. At least some of the variates are different in configuration from the other. The response processing server receives the responses from the variates, selects one of the responses, and delivers the response to the client via the head device. Configuration or systems diversity and adaptation to threats and failures over time may be achieved using adaptive algorithms.