Abstract: A node in a blockchain network may agree, on an authority accept a compliance module from the authority, accept the compliance module. The node may also receive an operation, verify a compliance of the operation based on the compliance module, add the verified operation to a ledger on the blockchain network.

Abstract: Disclosed herein are techniques for analyzing control-flow integrity based on functional line-of-code behavior and relation models. Techniques include receiving data based on runtime operations of a controller; constructing a line-of-code behavior and relation model representing execution of functions on the controller based on the received data; constructing, based on the line-of-code behavioral and relation model, a dynamic control flow integrity model configured for the controller to enforce in real-time; and deploying the dynamic control flow integrity model to the controller.

Abstract: Provided are embodiments that include a system configured to generate executable code with protection barrier instructions. The system includes a storage medium, the storage medium being coupled to a processor. The processor is configured to analyze code, mark one or more potentially unsafe instructions in the code, and identify one or more unsafe instructions from the marked one or more potentially unsafe instructions in the code. The processor is also configured to insert a protection barrier instruction into the code based at least in part on identifying the one or more unsafe instructions, and translate the code, responsive to inserting the protection barrier instruction. Also provided are embodiments for a computer-implemented method and a computer program product for generating executable code with protection barrier instructions.

Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.

Abstract: Methods and systems are provided that may be implemented in an automated manner to distribute and integrate information regarding threat indicators as they occur in real time. The provided methods and systems may be implemented to combine threat indicator characteristic information in real time with application behavior patterns, information handling system types, and/or application types; and to automatically apply the resulting intelligence together to improve malicious attack defense at the application and information handling system level at scale.

Abstract: A walled garden system includes a firewall controlling access between a first network and a second network at least by allowing connection requests originating from a user device on the first network to a destination IP address on the second network in response to determining that the destination IP address matches a cleared IP address on a cleared IP addresses list. A controller receives a domain name service (DNS) reply from a DNS server on the second network, and determines whether a domain name specified within the DNS reply matches a cleared domain name on a cleared domain names list. In response to determining that the domain name specified within the DNS reply matches the cleared domain name on the cleared domain names list, the controller adds a resolved IP address specified in the DNS reply to the cleared IP addresses list as a new cleared IP address.

Abstract: Systems, methods, and non-transitory computer-readable storage media are disclosed for detecting vulnerabilities in real-time during execution of a process or an application. In one example, a device may have one or more memories storing computer-readable instructions and one or more processors configured to execute the computer-readable instructions to obtain real-time process information associated with a process executing in an endpoint. The device can then determine package information for a package associated with the process based on the process information. The device can then identify at least one vulnerability associated with the package information using a database of vulnerabilities stored on a backend component of the network. The backend component may have a database of vulnerabilities for packages.

Abstract: A computer-implemented method for generating a first set of longest common sequences from a plurality of known malicious webpages, the first set of longest common sequences representing input data from which a human generates a set of regular expressions for detecting phishing webpages. There is included obtaining HTML source strings from the plurality of known malicious webpages and transforming the HTML source strings to reduce the number of at least one of stop words and repeated tags, thereby obtaining a set of transformed source strings. There is further included performing string alignment on the set of transformed source strings, thereby obtaining at least a scoring matrix. There is additionally included obtaining a second set of longest common sequences responsive to the performing the string alignment. There is further included filtering the second set of longest common sequences, thereby obtaining the first set of longest common sequences.

Abstract: A system and method for self-adjusting cybersecurity analysis and score generation, wherein a reconnaissance engine gathers data about a client's computer network from the client, from devices and systems on the client's network, and from the Internet regarding various aspects of cybersecurity. Each of these aspects is evaluated independently, weighted, and cross-referenced to generate a cybersecurity score by aggregating individual vulnerability and risk factors together to provide a comprehensive characterization of cybersecurity risk using a transparent and traceable methodology. The scoring system itself can be used as a state machine with the cybersecurity score acting as a feedback mechanism, in which a cybersecurity score can be set at a level appropriate for a given organization, and data from clients or groups of clients with more extensive reporting can be used to supplement data for clients or groups of clients with less extensive reporting to enhance cybersecurity analysis and scoring.

Abstract: A method of configuring network devices. The method may include, with a network orchestrator, measuring at least one characteristic of a quality of a link between a network device and the network orchestrator during a first measurement window, categorizing the link into a connection type based on the at least one characteristic, and tuning a configuration of the network device based at least in part on the connection type identified by the network orchestrator.

Abstract: A computing device including a memory and a processor is provided. The memory stores processor executable instructions for an entity engine. The processor is coupled to the memory. The processor executes the entity engine to cause the computing device to model entities, which hold or classify data. The processor executes the entity engine to cause the computing device to store in the memory a list identifying each of the entities and the entities themselves in correspondence with the list. The processor executes the entity engine to cause the computing device to provide, in response to a selection input from an external system, access to the entities based on the list. The access includes providing the list to the external system, receiving the selection input identifying a first entity of the entities, and exporting the first entity from the memory to the external system.

Abstract: A communication system utilizing unified gateways bridges communication gaps between data transmitters having differing transmission, security, data format, overhead restrictions and performance metrics by dynamically determining optimal data paths for the data being routed. The unified gateways can also dynamically alter data packages to upgrade/downgrade security standards, alter transmission networks, translate data to match recipient requirements and split/combine data to optimize data throughput using disparate systems.

Abstract: The present disclosure relates to a system, a method, and a non-transitory computer readable storage medium for deep packet inspection scanning at an application layer of a computer. A method of the presently claimed invention may scan pieces of data received out of order without reassembly at an application layer from a first input state generating one or more output states for each piece of data. The method may then identify that the first input state includes one or more characters that are associated with malicious content. The method may then identify that the data set may include malicious content when the first input state combined with one or more output states matches a known piece of malicious content.

Abstract: Methods and systems for providing browser extension are disclosed. In some embodiments, the browser extension system includes a communication device in communication with a computing device and a networked system. The browser extension system also includes a processor configured to perform operations comprising: maintaining data associated with the computing device; detecting, through a browser extension application running on the computing device, a field in a web page associated with the networked system and provided by a web browser application running on the computing device; and in response to detecting the field: (i) automatically populating the field, through the browser extension application, with a secure token mapped to the data, (ii) detecting, through the browser extension application, a submission script associated with the web page, and (iii) automatically executing the submission script to submit the secure token through the browser extension application to the networked system.

Abstract: A system, method, and apparatus for identifying and removing malicious applications are disclosed. An example apparatus includes an executable application configured to collect data regarding processes operating on a client device during a time period. The executable application is also configured to purposefully access, during the time period, an application server using a web browser on the client device in an attempt to trigger a malicious application potentially located on the client device. The executable application is configured to transmit, after the time period, the collected data to an analysis server to determine whether the malicious application is located on the client device.

Abstract: Disclosed are database systems, computing devices, methods, and computer program products for identifying recurring sequences of user interactions with an application. In some implementations, a server of a database system provides a user interface of the application for display at a computing device. The database system stores data objects identifying a first plurality of user interactions with the application. The server receives information representing a second plurality of user interactions with the application. The server updates the database system to further identify the second user interactions. The server identifies a recurring sequence of user interactions from the first and second user interactions as resulting in a first target state of the application. The server updates the database system to associate the recurring sequence of user interactions with the first target state of the application.

Abstract: A network management system is configured to detect one or more malicious activities at one or more devices connected to a network. The network management system is configured to determine a malware root of the one or more malicious activities and generate a network-wide indicating a hierarchical relationship between the malicious activities spawned by the malware root and the malware root. The malicious activities spawned by the malware root represented in the network-wide malware include the one or more malicious activities and include a plurality of malicious activities spawned across a plurality of devices connected to the network.

Abstract: A system obtains security data of interconnected networks. The visibility of the security data is asymmetric for each interconnected network relative to the other. The security data is continuously stored and used in real-time or near real-time to identify services of the interconnected networks that require safeguards against a potential cyberattack. The interworking system determines a security parameter that relates the security data to the potential cyberattack and communicates the security parameter to the interconnected networks. The interconnected networks can safeguard against the potential cyberattack based on the security parameter.

Abstract: A network anomaly data detection method includes the following steps: receiving access request data transmitted by a client; searching historical access request data corresponding to a user session identifier in the access request data; acquiring a header character string of the access request data; performing word segmentation processing on the header character string according to a preset step length so as to obtain a word segmentation set; obtaining a word segmentation weight matrix according to the historical access request data and the word segmentation set; inputting the word segmentation weight matrix into an anomaly data detection model so as to obtain a data anomaly probability; and judging whether anomaly data exists in the header character string according to the data anomaly probability.

Abstract: Techniques are described for detecting and attributing automatic unauthorized redirects originating from executable code contained within an advertisement hosted within a web page or application displayed on an end user's mobile or desktop computing devices.

Abstract: A computer-implemented method according to an aspect includes training a cognitive network, utilizing metadata associated with historic data threats, inputting metadata associated with a current data threat into the trained cognitive network, identifying, by the trained cognitive network, one or more stored instances of data determined to be vulnerable to the current data threat, and adjusting one or more security aspects of the one or more stored instances of data determined to be vulnerable to the current data threat.

Abstract: A method for providing an automatically enhanced model of one or more networks, the method may include (a) determining missing next hop points; (b) finding multiple linkable pairs of relevant network elements interfaces, wherein a relevant network element interface is associated with one of the missing next hop points; and virtually linking relevant first network element interfaces of the multiple linkable pairs and the relevant second network element interfaces of the multiple linkable pairs to provide the automatic enhanced model of the one or more network. The virtually linking may include virtually adding one or more artificial network elements between the relevant first network element interfaces of the multiple linkable pairs and the relevant second network elements interfaces of the multiple linkable pairs.

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility; converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors; and, accessing an entity behavior catalog based upon the entity behavior catalog data; and performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Abstract: Data retrieval from connected devices for a data-driven anomaly detection system while complying with performance and/or availability requirements of services that rely on operation of the connected devices. Determining the amount of data, type of data, and retrieval frequency for detecting performance anomalies for each connected device that is relied upon by services so as to maintain required performance and/or availability to the service. The required parameters being the subject of an SLA for the service or the connected devices, such as IoT devices.

Abstract: Systems and methods are described herein for automatically identifying spam in social media comments based on comparison of the context or topic of the popular or trending post with the context or topic of each comment associated with the post. Content of a social media post is processed to identify a topic of the social media post. A plurality of comments associated with the social media post are accessed and the topic of each comment is compared to the topic of the social media post and, if the topics do not match, the comment is identified as spam. A notification is generated for display to an administrator of the social media platform on which the social media post resides identifying the comment as spam.

Abstract: Aspects of the disclosure relate to identifying potentially malicious messages and generating instream alerts based on real-time message monitoring. A computing platform may monitor a plurality of messages received by a messaging server associated with an operator. Subsequently, the computing platform may detect that a message of the plurality of messages is potentially malicious. In response to detecting that the message of the plurality of messages is potentially malicious, the computing platform may execute one or more protection actions. In executing the one or more protection actions, the computing platform may generate an alert message comprising information indicating that the message of the plurality of messages is potentially malicious. Then, the computing platform may send the alert message to the messaging server, which may cause the messaging server to deliver the alert message to a computing device associated with an intended recipient of the message.

Abstract: A method for changing a processor instruction randomly, covertly, and uniquely, so that the reverse process can restore it faithfully to its original form, making it virtually impossible for a malicious user to know how the bits are changed, preventing them from using a buffer overflow attack to write code with the same processor instruction changes into said processor's memory with the goal of taking control of the processor. When the changes are reversed prior to the instruction being executed, reverting the instruction back to its original value, malicious code placed in memory will be randomly altered so that when it is executed by the processor it produces chaotic, random behavior that will not allow control of the processor to be compromised, eventually producing a processing error that will cause the processor to either shut down the software process where the code exists to reload, or reset.

Abstract: A sensor monitoring system includes a plurality of image capture devices. Each image capture device includes one or more sensors to detect image data representing an environment about the image capture device, communications circuitry to receive sensor data from a sensor device and remote sensor data including at least one of a second image of the sensor or second position data regarding the sensor device, and processing circuitry to validate the sensor device based on the sensor data, determine first position data regarding the sensor device based on at least one of the first network connection or the remote sensor data, determine that the sensor device is in an image capture range based on the first position data, retrieve one or more images of the sensor device, and generate an alert based on the first position data.

Abstract: Systems and methods are provided for automatically analyzing emails that have been flagged as being potentially malicious (e.g., phishing attempts) to determine whether the permit or block the email. The systems and methods can use a scoring framework to determine whether the email is part of a phishing attempt. A set of rules are provided, and points are awarded to the email based on which of a set of rules are satisfied for the email. An email that exceeds a scoring threshold can be identified as a phishing attempt for potential evaluation, and can be routed to a security analyst for further analysis and process. After a predetermined period of time, the system can rerun analysis of emails which have not been identified as phishing attempts and determine if such emails now exceed the scoring threshold.

Abstract: A method for mitigating network abuse includes obtaining a first set of network traffic messages of network traffic currently received by a network service and determining, via a first model, whether network abuse is occurring based on the first set of network traffic messages. When the network abuse is occurring, the method includes obtaining a second set of current network traffic messages. The method also includes, for each network traffic message in the second set of network traffic messages, labeling, via a second model, the network traffic message as an abusing network traffic message or a non-abusing network traffic message. The method also includes generating, via a third model, at least one network traffic rule. Each network traffic rule, when implemented, reduces an effect of the abusing network traffic messages.

Abstract: A method for phishing detection using uniform resource locators is discussed. The method includes accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL). The method includes assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score indicating a phishing potential based on URL rules. The method includes determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs. The method also includes determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL.

Abstract: This method is a process that improves the execution time and maintains very precise clustering effectiveness utilizing a unique algorithm (identified as PPK means) that optimizes a process that is referred to as K-means clustering. The PPK means algorithm utilizes estimation values of signatures of new centroids for speed improvement and encoded data to provide a level of privacy protection. A system comprises a processor, operably coupled to memory, and that executes the computer-executable components, wherein the computer-executable components comprise: an encoding component that encodes a set of real-time valued vectors as bit vectors; and a clustering component that performs K-means clustering on the bit encoded vectors.

Abstract: Described is a system for producing indicators and warnings of adversarial activities. The system receives multiple networks of transactional data from different sources. Each node of a network of transactional data represents an entity, and each edge represents a relation between entities. A worldview graph is generated by merging the multiple networks of transactional data. Suspicious subgraph regions related to an adversarial activity are identified in the worldview graph through activity detection. The suspicious subgraph regions are used to generate and transmit an alert of the adversarial activity.

Abstract: A method of operating an Internet of Things device is described. In the method, an electrical power is supplied to electrical circuitry in the Internet of Things device. The Internet of Things device is communicatively coupled to a computer network using circuitry of a transceiver and a communications module of the Internet of Things device. A detecting circuit is operated to indirectly monitor a level of activity of the communications module. If the level of activity of the communications module is determined to exceed a threshold value, a volume of communications between the Internet of Things device and the computer network is curtailed.

Abstract: A system and method enabling an entity to prove its identity and provide authentic documents/data/information therein at any time required based upon data retrieved from an independent cryptographically verifiable source (ICVS) through a secured channel is disclosed. The system enables a virtual and secure browser on a user computing device allowing a user to login and retrieve authentic information pertaining to the user from the ICVS in a verifiable and untamperable manner. The retrieved information is bounded with origination information of the ICVS and the bounded information is provided to relying entities as authentic information for verification. Also, cryptographic value of the authentic information can be stored in an immutable storage such as blockchain, so that the cryptographic value is used by the relying-party to validate integrity of the authentic information.

Abstract: Disclosed herein is application specific integrated circuit (ASIC) redesign for security and analysis testing tool, which includes hardware description language code with on-chip security circuitry for detecting and mitigating hardware Trojan horses (HTHs) in an ASIC chip. The testing tool is used between a design stage of the ASIC chip and a synthesis phase of production of the ASIC chip to add test circuitry to the ASIC chip in order to facilitate testing and protecting of the ASIC chip from the HTHs long after production. The test circuitry facilitates search for HTHs, HTH triggering events, and changes made to the ASIC if the HTH has been activated.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: A system analyzes periodically collected data associated with entities, for example, users, servers, or systems. The system determines anomalies associated with populations of entities. The system excludes anomalies from consideration to increase efficiency of execution. The system may rank the anomalies based on relevance scores. The system determines relevance scores based on various factors describing the sets of entities. The system may present information describing the anomalies based on the ranking. The system may use a machine learning based model for predicting likelihoods of outcomes associated with sets of entities. The system generates alerts for reporting the outcomes based on the predictions.

Abstract: A computer system for communicating with an industrial system includes: a data collection server for receiving equipment data from the industrial system and providing a data stream by pre-processing the equipment data according to a plurality of pre-determined rules; a first uni-directional interface for transmitting the data stream to one or more further computer systems; and a second uni-directional interface for receiving a data packet from the one or more further computer systems, the data packet including a control instruction that allows a modification of at least a particular rule of the plurality of the pre-determined rules. The first uni-directional interface includes a data diode. The second unidirectional interface receives the control instruction in a first part of the data packet. The first uni-directional interface receives the first part of the data packet in a size limitation that corresponds to amounts of data required to identify the modification.

Abstract: A request control device, when receiving a request issued from a client to a Web system, causes a sandbox in which an environment of the Web system is reproduced to inspect the request. The request control device transfers the request to the Web system if an inspection result of the request in the sandbox does not indicate detection of an attack. The request control device does not transfer the request to the Web system if the inspection result of the request indicates detection of an attack.

Abstract: A cryptography module for a computing device. The cryptography module is designed to check at least one memory area of a memory device which the computing device may access, as the result of which a result of the check is obtained, and to store the result at least temporarily.

Abstract: A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities. The graph is created based on an analysis of the event data, including time sequences of the event data.

Abstract: A multiplier is utilized to quantify a cybersecurity risk level of a portfolio of entities (e.g., companies) and enable actions to mitigate that quantified risk. In doing so, features or attributes of one or more companies in a portfolio are compared to features or attributes of one or more companies that experienced an adverse cybersecurity event (e.g. a data breach). Further, a degree of dependency, such as a matrix of a number of shared vendors and the proximity of those vendors to the companies, can be measured between (1) portfolio companies and one or more companies that experienced a cybersecurity event, and/or (2) the portfolio companies themselves to better quantify the risk. That is, to more meaningfully analyze a cybersecurity event that occurred at one or more companies and better predict the likelihood of an occurrence at portfolio companies, embodiments can determine an n-degree interdependency between companies.

Abstract: A system and method for detecting and blocking bots are presented. The method includes receiving unlabeled data regarding a visitor of a web source, grouping the received unlabeled data with similar characteristics into a group of data, detecting, based on the group of data, at least one anomaly, and determining, based on the at least one detected anomaly, several visitors to be blacklisted.

Abstract: A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.

Abstract: Systems, methods, and apparatuses for anomalous user behavior detection and risk-scoring individuals are described. User activity data associated with a first computing device of a first user is received from an agentless monitoring data source different from the first computing device. The user activity data includes a user identifier. An active directory (AD) identifier and employee-related information from a human resources database are determined based on the user identifier. Based on the employee-related information and/or AD identifier, a probability of an adverse event is determined. When the probability of the adverse event exceeds a predetermined threshold, a logging agent is activated on the first computing device and additional user activity data is received from the logging agent.

Abstract: A computer-implemented system and method for device discovery and recovery in a secure network comprises registering a plurality of devices, where the devices form the secure network at a location. Communication between the plurality of registered devices is enabled, and messages passed between the plurality of devices are collected. The method further comprises determining which one of the plurality of devices is a compromised device by using a consensus network that includes the plurality of devices of the secure network.

Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Risks and vulnerabilities associated with user entities may be represented, in part or in whole, by the behavioral analyses and monitoring of those user entities.

Abstract: Protecting from automatic reconnection with Wi-Fi access points having bad reputations. In some embodiments, a method may include determining that the mobile device is within range of a Wi-Fi access point, determining that the mobile device is configured to automatically reconnect to the Wi-Fi access point, receiving a request to indicate whether the Wi-Fi access point has a bad reputation, accessing an access point reputation database to determine whether the Wi-Fi access point has a bad reputation, sending an indication that the Wi-Fi access point has a bad reputation, and, in response to the indication that the Wi-Fi access point has a bad reputation, protecting the mobile device from the Wi-Fi access point by performing a remedial action at the mobile device.

Abstract: Presented herein are systems and methods to determine whether a dynamic host configuration protocol (DHCP) server in DHCP snooping environment is a trusted device without requiring trusted port configuration. In one or more embodiments, a DHCP snooping-enable switch/router adds an indicator to a message intended for a DHCP server, thereby notifying the DHCP server that the DHCP switch/router is enabled for or capable of “detection of trusted DHCP server.” The DHCP server includes a unique trusted identifier in its reply that the DHCP switch/router uses to verify whether the DHCP server can be considered a trusted device.