Abstract: A technique and method for detection and display of the cybersecurity risk context of a cloud environment initiates an inspection of cybersecurity objects within a cloud environment utilizing an inspection environment and stores information pertaining to discovered cybersecurity objects within the inspected cloud environment in a storage environment. The technique and method further generate a cybersecurity risk context for the inspected cloud environment based on the observations made concerning the cybersecurity objects contained within it. The technique and method further configure a web browser running on a client device to automatically display the generated cybersecurity risk context to a user, either through a web page overlay or through a toolbar plugin which has been installed in the web browser and configured to enable inspections of a cloud environment, once the user has navigated to a web page containing cybersecurity object identifiers.

Abstract: A log management device includes a log collection unit configured to receive a log generated by a security sensor, a storage unit configured to store the log, a statistical analysis unit configured to obtain a statistical calculation result by performing statistical analysis on a plurality of the logs, a control unit configured to determine which of the log and the statistical calculation result is to be sent according to a predetermined condition, and a transmission unit configured to transmit at least one of the log or the statistical calculation result according to the predetermined condition.

Abstract: The invention relates to a system and method that relates to creation of a digital fingerprint library for storing information of a document containing protected information. The system mainly includes a fragment generator, a fingerprint value generator, and the digital fingerprint library. The fragment generator generates fragments of the document using a sliding window method. Fragment length is determined heuristically, can be hardcoded in the program or be a parameter in GUI. The fingerprint value generator generates a fingerprint value, e.g., its hash, for each fragment. The fingerprint value represents the information related to respective fragments. The digital fingerprint library then stores the fingerprint value. Fingerprint values of individual fragments serve as key values to provide a mechanism for comparing fragments of unknown files to the digital fingerprint library.

Abstract: A microprocessor includes a cache memory, a store queue, and a load/store unit. Each entry of the store queue holds store data associated with a store instruction. The load/store unit, during execution of a load instruction, makes a determination that an entry of the store queue holds store data that includes some but not all bytes of load data requested by the load instruction, cancels execution of the load instruction in response to the determination, and writes to an entry of a structure from which the load instruction is subsequently issuable for re-execution an identifier of a store instruction that is older in program order than the load instruction and an indication that the load instruction is not eligible to re-execute until the identified older store instruction updates the cache memory with store data.

Abstract: An encryption terminal includes a terminal communication unit that receives an encryption algorithm for creating ciphertext from plaintext, the encryption algorithm being encrypted using a first one-time key in a one-time pad method, a terminal storage unit that stores a key table containing a second one-time key corresponding to the first one-time key, and a decryption unit that decrypts the encrypted encryption algorithm by using the second one-time key.

Abstract: A method of communication between nodes in a telecommunications network. Each node maintains a copy of a shared digital ledger, is identified by a respective identification code and implements a software application configured to manage the transmission of data packets and maintain the shared digital ledger. The method includes: memorizing a list of identification codes, each code identifying a respective node included in a subset of nodes of the network, identifying a receiver node to transmit the data packet, generating a data packet to be delivered to a recipient node, transmitting to the first node of the minimum sequence of nodes the data packet, issuing a request to the network nodes to record the data packet transmission in the distributed ledger, and when a data packet is received, the method requires that each receiver node, other than the recipient node of the data packet, repeats at least some steps.

Abstract: In an example of a method described herein, historical events occurring over a network are detected, and at least one of the historical events is associated with an observed value of a categorical variable. A numerical aggregate value representing the observed value is updated by applying an exponential smoothing function to (i) a prior numerical aggregate value representing prior historical events associated with the observed value and (ii) a count of the historical events associated with the observed value. An event occurring over the network is detected and is associated with the observed value. Features are extracted from the event, where the features include an encoded feature based on the numerical aggregate value to represent the observed value. A predictive model is applied to the features to determine a score representing likelihood of an outcome. Based on the score, access to a resource of the network is controlled.

Abstract: A system for processing data within a Trusted Execution Environment (TEE) of a processor is provided. The system may include: a trust manager unit for verifying identity of a partner and issuing a communication key to the partner upon said verification of identity; at least one interface for receiving encrypted data from the partner encrypted using the communication key; a secure database within the TEE for storing the encrypted data with a storage key and for preventing unauthorized access of the encrypted data within the TEE; and a recommendation engine for decrypting and analyzing the encrypted data to generate recommendations based on the decrypted data.

Abstract: Methods and systems for managing threats to data processing systems are disclosed. To manage the threats, multiple threat management models may be utilized. The threat management models may include centralized models that rely on operable connectivity to particular systems, and distributed models that do not rely on operable connectivity to the particular systems. The data processing systems may flexibly switch between use of these models to respond to changes in operably connectivity of a distributed system.

Abstract: The disclosure provides computing platforms, systems, methods, and storage media for delivering contextual feedback to a user of a potential cybersecurity attack, such as a phishing attack. In an aspect, the disclosure provides: configuring, via a processor, a plurality of rules, each rule associated with an indicator of suspicious activity and a feedback snippet corresponding to the indicator; receiving, at the processor, a report of a potentially malicious electronic communication; triggering, at the processor, a rule of the plurality of rules based on the associated indicator and the report of the electronic communication; generating, at the processor, feedback comprising the feedback snippet associated with each triggered rule; automatically providing the feedback to the user.

Abstract: A processor-implemented method generates adversarial example objects. One or more processors represent an adversarial input generation process as a graph. The processor(s) explore the graph, such that a sequence of edges on the graph are explored. The processor(s) create, based on the exploring, an adversarial example object, and utilize the created adversarial example object to harden an existing process model against vulnerabilities.

Abstract: A non-transitory computer-readable recording medium has stored therein a program that causes a computer to execute a process. The process includes acquiring a check program for checking data processing on data from a server in a blockchain network, executing the check program, giving a first signature of the server to a check result generated by executing the data processing during the execution of the check program, and publishing the check result with the first signature in the blockchain network.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: Some embodiments determine optimal trigger events for executing a malware-detecting artificial intelligence (AI) module by tracking a performance of the respective module over a lifetime of each software sample of a training corpus. Computational costs associated with the respective AI module may be substantially reduced by executing the respective module only sporadically, in response to detecting an occurrence of one of the identified trigger events. In some embodiments, a malware detector employs multiple AI modules, each having its own specific triggers. The choice of triggers may be updated at any time, without affecting other aspects of the malware detector.

Abstract: Data recovery from a cyber-attack is expedited based on data storage management integration with cyber threat deception. A cyber threat detection and deception system analyzes a “deposit” placed by an attacker at a deception trap, identifies distinguishing attributes of the deposit, and determines which subset of real data assets may be at risk, preferably based on subnet/VLAN proximity to the attacker's deposit. By focusing immediate attention on the subset of at-risk assets, a data storage management system shortens the amount of time needed to identify safe copies and components and to prepare them for recovery. Storage operations involving the at-risk assets are suspended and users are not shown at-risk assets and cannot invoke recovery or copy operations for them. Without the focus on at-risk assets provided by the cyber threat detection and deception system, the data storage management system would take much longer to navigate its backup data stores.

Abstract: The disclosed embodiments include a method performed by a computer system. The method includes causing display of one or more graphical controls enabling a user to define attributes of a threat rule, the attributes including a type of computer network entity and an anomaly pattern associated with the type of computer network entity. The method further includes generating the threat rule based on interaction by a user with the one or more graphical controls, wherein the threat rule identifies a security threat to the computer network that satisfies the attributes of the threat rule based on one or more detected anomalies on the computer network.

Abstract: A database management system, comprising: a storage adapted for storing: a plurality of data objects organized according to a data model, and a plurality of stream operator wrappers each wrapping a stream operator and having at least one port for receiving, via a network, instructions for: scheduling activation of the wrapped stream operator, connecting the wrapped stream operator with another stream operator wrapped by another of the plurality of stream operator wrappers, and/or deploying the wrapped stream operator; a processing circuitry for executing the plurality of stream operator wrappers.

Abstract: The disclosure herein describes executing unknown processes while preventing sandbox-evading malware therein from performing malicious behavior. A process execution event associated with an executable is detected, wherein the executable is to be executed in a production environment. The executable is determined to be an unknown executable (e.g., an executable that has not been analyzed for malware) using signature data in the process execution event. A function call hook interface of a sandbox simulator is activated, and a process of the executable is executed in the production environment. Any function calls from the executing process are intercepted by the activated function call hook interface, and sandbox-style responses to the intercepted function call are generated using sandbox response data of the sandbox simulator. The generated sandbox responses are provided to the executing process, whereby malware included in the executable behaves as if the executing process is executing in a sandbox environment.

Abstract: A disinfecting tracking network for creating healthier environments. The system and methods for tracking and utilizing this information to build and maintain healthier environments with a laboratory approach to data inputs. This system is a cloud based system with IOT interface and APIs to enable broad reaching inputs for analysis. This system creates a safer ecosystem and cross statistic sharing of performance parameters.

Abstract: A data management system may include a monitoring device comprising a sensor, a memory storing executable instructions, and a processor. The sensor may generate sensor data and transmits the sensor data to a third-party system. The processor may receive the sensor data from the third-party system and associate the sensor data with a user account. The user account may include additional sensor data from other monitoring devices and such that the sensor data together with the additional sensor data comprises aggregated sensor data. The processor may determine a risk value of the aggregated sensor data is greater than a risk threshold and flag the user account in response to determining the risk value of the sensor data is greater than the risk threshold. The processor may also transmit a signal indicative of the flagged user account to an application of a user device.

Abstract: Security vulnerability analysis may be performed using policy inference. Application code may have operations that are labeled according to the respective functions that they perform. Some operations may be labeled according to a knowledge database of known operations while others may be inferred through similarity to known operations. The knowledge database may be associated with libraries of programmatic interfaces. Once components of the application code are labeled, a vulnerability database may be that identifies potential vulnerabilities based on data sources, data sinks and threat mitigation operations. Using the labeled operations, one or more potential vulnerabilities may be identified based on labeled data sources and data sinks. The application may then be evaluated for potential security threats based on the identified potential vulnerabilities.

Abstract: A system and method for detecting cyberattacks involves monitoring and analyzing incoming email received over the internet using enterprise telemetry; extracting observations from an enterprise telemetry data feeds and transmitting to a summarization module for summarizing a potential indicator of compromise pertaining to the email monitored and analyzed by the network telemetry; storing the observation summarization data in a graph database; querying over the internet an external cybersecurity threat intelligence provider, upon identification of a true-positive network threat, for enriching information and artifacts contained within the true-positive network threat, receiving over the internet enriching information and artifacts from the external cybersecurity threat intelligence provider, and storing the received enriching information and artifacts in the graph database; and identifying a new indicator of compromise using data stored in the graph database.

Abstract: A device configuration method for a vehicle in a fleet of vehicles comprises, at a computing device communicatively coupled to electronic devices provided in the vehicle, obtaining at least one template configuration file assigned to the computing device based on a user selection, the at least one template configuration file specific to the fleet of vehicles and comprising first configuration data indicative of a manner in which the computing device is to interface with the electronic devices, and second configuration data indicative of a desired setting for at least one configuration parameter of one or more electronic devices, automatically self-configuring for operation based on the first configuration data, and transmitting, at least in part, the second configuration data to the one or more electronic devices to cause the one or more electronic devices to adjust the at least one configuration parameter to the desired setting.

Abstract: Techniques for providing identity protection are disclosed. A system, process, and/or computer program product for providing identity protection includes monitoring a plurality of sites, extracting predetermined user information for a user from the plurality of monitored sites to generate a profile of the user, analyzing, using a model, the profile of the user to detect whether one or more security vulnerabilities exist for social engineering attacks for one or more enterprise resources associated with the user, and performing an action in response to the one or more detected security vulnerabilities based on a policy.

Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed. An example apparatus includes at least one memory, instructions in the apparatus, at least one processor to execute the instructions to, in response to identifying malicious data: a) in response to determining that the at least one processor is controlled by the first operating system type, block a download from being executed, and b) in response to determining a switch from the first operating system type to the second operating system type, remove, from the at least one memory, an object downloaded in the download.

Abstract: A device inputs a first source code, which is source code of the software to be monitored; builds the first source code to generate a first binary; generates a first CFG based on the first binary; embeds a tamper detection feature and tamper detection feature calling functions in a first source code based on the first CFG to generate a second source code, builds a second source code to generate a second binary; generates a second CFG based on the second binary; creates an allowed list based on the second binary and the second CFG, and outputs the second binary and the allowed list. Here, in creating the allowed list, the monitoring range for the tamper detection feature calling functions is determined based on the second CFG, and a list of hash values of the monitoring range for the tamper detection feature calling functions is created as an allowed list.

Abstract: A system for automated sensitive information discovery, monitoring, and remediation using an agent associated to a data source and including: a module detecting the occurrence of events indicative of access to data; an module identifying the events classified as potentially threatening; a module extracting data associated to each potentially threatening event; and a module performing data analysis of the extracted data and determining a sensitivity score for the data to file associated to the potentially threatening event. The system also comprises a central platform in data communication with the agent and including: a module analyzing data received from the agent and identifying a potential security risk relative to one of a user or group of users associated to the data source, the data source, a specific file or a specific data type stored on the data source; and a control module triggering remediation actions upon detection of a security risk.

Abstract: Methods, apparatus, and processor-readable storage media for detection of anomalous behavior on online platforms using machine learning techniques are provided herein. An example method includes obtaining a set of machine learning models configured to detect anomalous behavior associated with users interacting with an online platform and performing an incremental machine learning process on one or more of the machine learning models in the set. The incremental machine learning process may include obtaining data related to interactions of users with the online platform, updating at least one of the machine learning models in the set based on the obtained data, comparing the machine learning models, and selecting one of the machine learning models from the set to be used by the online platform based on the comparison. The method may further include determining, utilizing the selected machine learning model, that a given user is exhibiting anomalous behavior on the online platform.

Abstract: Live and legitimate user traffic is used with in depth knowledge of the business logic for an API specification to perform security testing on a set of APIs. The present system intercepts and analyzes application program interface (API) traffic, identifies user session data, and identifies traffic suitable to duplicate. The identified traffic is duplicated and modified by addition of malicious code. The modified code is then sent to its intended API destination, where it is processed as normal. The resulting response and other traffic as well as the API system and optionally other systems, such as datastore systems, are analyzed to determine if the malicious code resulted in a valid attack. Results from the modified code attack attempts are reported to a user.

Abstract: A method for prevention of malware infection of a user device. A first request for a first web page is received from the user device. Transmitting, to a website associated with the requested first web page and in response to the first request a second request for the first web page. In response to the second request, receiving a first set of data associated with the first web page. Generating, based on a first set of data in the first domain format, a first set of graphical images representing respective portions of the first set of data in a second domain format. Transmitting, to the user device, the first set of graphical images with correlation data configured to enable a user to interact with the graphical images on the user device in a manner that is substantially the same as though the user device had received the first web page in the first domain format and the first web page had been rendered from the first domain format by a program operating on the user device.

Abstract: Disclosed is a hybridoma cell strain that secretes anti-dinitolmide monoclonal antibodies applicable to the field of food safety immunoassay methods. The hybridoma cell strain DAS3H10 that secretes anti-dinitolmide monoclonal antibodies has been deposited in Comprehensive Microbiology Center of China Microbial Culture Collection Management Committee (CGMCC), addressed in No. 1 Hospital No. 3 Institute of Microbiology of the Chinese Academy of Sciences, North Chenxi Road, Beijing Chaoyang District in Beijing. It is classified as a monoclonal cell strain. The deposit date is Nov. 28, 2019, and the deposit number is MCCC No. 19165. The monoclonal antibody secreted by the hybridoma cell strain DAS3H10 has a good affinity and high sensitivity to dinitolmide. Because of IC50 to dinitolmide up to 9.01 ng/mL, the monoclonal antibody could be used to prepare dinitolmide immunoassay kits and colloidal gold test strips, and can further provide a powerful means for detecting dinitolmide in animal-derived foods.

Abstract: According to some embodiments of the disclosure, a method includes receiving an electronic communication directed to a data resource, determining, by a machine learning (ML) web application firewall (WAF), an attack probability of the electronic communication based on a plurality of features, wherein subsets of the plurality of features are arranged in a plurality of feature groups, adjusting the attack probability based on respective feature weights of the plurality of feature groups.

Abstract: One example method includes integrating user space applications with kernel space events including primitives. The events are intercepted in kernel space and processed in user space. The events can be stored in a session cache that allows a holistic view of behavior to be determined with regard to resources of the computing system. The events in the session cache can be correlated to user or process behavior by provided a time-based view of the events.

Abstract: Disclosed herein are systems and method for restoring files from a backup, the method including: retrieving a time indicator from a time server associated with a backup server; synchronizing time between the backup server and a computing device performing a backup, based on the time indicator; performing the backup of files from the computing device to the backup server, wherein a malicious process modifies at least one file being backed up at an incident time during the backup and performs an attempt to change a time of the computing device such that a modification timestamp of the at least one file precedes the incident time; blocking the attempt to change the time of the computing device; subsequent to completing the backup, detecting the malicious process infecting the computing device; and performing a restoration of the backup on the computing device.

Abstract: There may be situations in which it is desirable to dynamically implement a rule on the firewall in response to detecting a particular pattern of user activity. However, the software code required for tracking user activity, identifying patterns of user activity, and deciding what action to take may be relatively complex. Deploying such software code on a firewall increases the complexity of the firewall. For example, the firewall can no longer be “stateless”. In some embodiments, the destination server works in combination with the firewall. The destination server monitors traffic to determine particular patterns of user activity. In response to a particular pattern of user activity being detected, an appropriate rule is established and the firewall is sent a command to implement the rule.

Abstract: Provided is a resource monitoring apparatus including a log generation unit for extracting a method requested from a hardware abstraction layer and generating a log; a log classification unit for classifying the generated log according to a type of an interface connected to the method; and a log determination unit for identifying a malicious activity from the classified log based on pattern information of the log set differently depending on the type of the interface.

Abstract: A method and a computing device for identifying malicious web resource are provided. The method comprises: obtaining a given link of a plurality of links, the given link referring to an initial malicious web resource; retrieving, from a database, simulated user parameters indicative of a simulated user environment and at least one user behavior vector including values indicative of simulated user actions with the initial malicious web resource; based on the simulated user parameters and the simulated user actions, determining at least one redirect chain, a given one of the at least one redirect chain including web resources defining a transition sequence from the initial malicious web resource to a respective target malicious web resource; generating, based on the at least one redirect chain, a redirect graph; and analyzing the redirect graph to determine a plurality of user redirect rules for further use in identifying in-use malicious web resources.

Abstract: Disclosed is a cloud-based security system implemented in a reverse proxy that provides bidirectional traffic inspection to protect against privacy and security concerns related to the GenAI services. The security system intercepts requests directed to the GenAI service protected by the reverse proxy implementation of the network security system. The security system includes a GenAI request classifier trained to classify prompts submitted to the GenAI application as one of benign, prompt injection attack, or uploaded files. The security system further includes a GenAI response classifier trained to classify responses from the GenAI application as one of normal, leaked system prompt, leaked user uploaded files, or leaked training data.

Abstract: Disclosed is a training data generation system for generating training data used to train machine learning models to inspect GenAI traffic to identify security and privacy concerns related to GenAI use. The training data generation system is seeded with initial prompts. The initial prompts include benign prompts, prompt injection attacks, and uploaded files. Each initial prompt is submitted to multiple GenAI applications to obtain responses. The corresponding prompts and responses are stored in a training data repository. Variations of the initial prompts are generated using, for example, one of the GenAI applications. Each variation is submitted to each of the GenAI applications as well, and the corresponding prompts and responses are stored. Another machine learning model, regex patterns, a combination, or the like may be used to label the prompts and responses in the training data repository to generate a large training data set quickly and efficiently.

Abstract: Provided are a terminal and method for storing and parsing log data. The method includes collecting log data on the basis of a file path of the log data, storing metadata including the file path and log data paired with the metadata in a database (DB), classifying the log data on the basis of the metadata, acquiring type information of a parser related to the log data, and parsing the log data through the parser having the type information.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: A method and apparatus for testing a malware detection machine learning model. The method trains a malware detection model using a first dataset containing malware samples from a particular time period. The trained model is then tested using a second dataset that is a time shifted version of the first dataset.

Abstract: A method for symbolic analysis of a software program is described. The method comprises constructing a control flow graph (CFG), for a software program procedure, the CFG comprising nodes representing basic blocks reachable within the software program procedure, the basic blocks represented as respective functions from a first machine state on entry to a said basic block to a second machine state on exit from that basic block. The method further describes simplifying the CFG to a single node representing the software program procedure as a function from an input machine state on entry to the software program procedure to an output machine state on exit from the software program procedure, comparing said function to a rule set identifying vulnerabilities based on effects on the machine state; and determining a vulnerability within the software program procedure based on the comparing.

Abstract: A method for securely starting up a container instance in one or more execution environments for one or more components of a technical installation, such an execution environment being designed to execute the container instance includes the following method steps: a) providing a configurable check function that is performed before and/or while starting up the container instance, b) logging each step for preparing at least one execution limitation required for starting up and/or executing the container instance, c) checking each logged step using at least one permissibility criterion configured in the check function, and d) completing the startup and if necessary the execution of the container instance if the at least one permissibility criterion is satisfied, or e) initiating an alerting measure or a measure that counteracts the startup if at least one of the possible permissibility criteria is not satisfied.

Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Abstract: A request to add a new block to a blockchain is received. Data associated with the new block is scanned to identify malware and/or an anomaly. In response to identifying the malware and/or the anomaly in the data associated with the new block, an action is taken. The action includes: rejecting the request to add the new block to the blockchain, or removing the malware/anomaly from the new block and adding the new block to the blockchain. In a second embodiment, a malware event is identified that identifies malware/an anomaly in a block in a blockchain. In response to the malware event, an action is taken. The action includes: consolidating the blockchain, bypassing the block in the blockchain, consolidating the blockchain and bypassing the block in the blockchain, and deleting an encryption key that was used to encrypt the associated data that comprises the malware and/or the anomaly.

Abstract: In a distributed system, a first computer system may require computationally verifiable assurances of the authenticity and integrity of computations (e.g., performed as part of the execution of a program) performed by a second computer system. Methods described herein may be utilized to enforce and/or ensure the correct execution of a program. The first computer system may delegate execution of a program to a second computer system and a protocol may be employed to constrain the second computer system to perform a correct execution of the program. The protocol may include mitigation and correction routines that mitigate and/or correct the incorrect execution of a program. In various systems and methods described herein, the protocol may utilize a blockchain network such as a Bitcoin-based blockchain network.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and computer-implemented method to detect particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolver; the source address of the stub resolver may be spoofed. Each instance of request traffic includes the source address, the name for which DNS resolution is requested to be resolved, and the at least one identified domain associated with a corresponding DNS request. The method further includes tracking over time, using a probabilistic algorithm, an approximation of a first cardinality of names belonging to a selected domain of the at least one identified domain included in the instances of request traffic.