Abstract: There are provided measures for trust related management of artificial intelligence or machine learning pipelines. Such measures exemplarily include, at a first network entity managing artificial intelligence or machine learning trustworthiness in a network, transmitting a first artificial intelligence or machine learning trustworthiness related message towards a second network entity managing artificial intelligence or machine learning trustworthiness in an artificial intelligence or machine learning pipeline in the network, and receiving a second artificial intelligence or machine learning trustworthiness related message from the second network entity, where the first artificial intelligence or machine learning trustworthiness related message includes at least one criterion related to an artificial intelligence or machine learning trustworthiness aspect.

Abstract: A method for protecting computing assets includes detecting a set of events in a networked computing environment using a set of event sensors distributed in the networked computing environment, determining a risk factor by applying the set of events to a detection model using an inference server in communication with the set of event sensors, and communicating the risk factor to an insurance server from the inference server.

Abstract: A method for tracing malicious endpoints in communication with a back end may include: providing a reverse proxy to intercept traffic exchanged between a client and the back end; providing a processing unit with an algorithm; intercepting, using the proxy, each TLS Client HELLO directed to the back end and generating a TLS Client HELLO hash using the algorithm; intercepting and processing, using the proxy, each HTTP request to extract a Client User Agent; processing the Client User Agent to generate an Agent hash; processing the HELLO hash and Agent hash by calculating a number of occurrences in which the HELLO hash is associated with the Agent hash to obtain a relative frequency value, to determine whether the HELLO hash is common to or anomalous for the Agent hash of the client; and performing one or more attack protection actions of a Man-in-the-Middle type if the HELLO hash is anomalous.

Abstract: Embodiments are described herein relating to systems and methods for blocking access to phishing-related content accessible via links that are presented via applications being executed on electronic devices based at least in part on implied intent on the part of users using the electronic devices. For example, anti-phishing software may be configured to detect selection of potential phishing-related links that are presented via the applications being executed on the electronic devices, to determine authenticity of the potential phishing-related links, and to take appropriate action based on the authenticity of the potential phishing-related links. For example, the anti-phishing software may be configured to analyze content associated with the potential phishing-related links (e.g., to estimate user intent) and/or to access potential phishing-related content at locations corresponding to the potential phishing-related links (e.g.

Abstract: Systems and methods for threat response in computer environments can include detecting, by one or more processors, a threat to the computer environment, and identifying a subset of assets of the plurality of assets associated with the threat. The one or more processors can determine from a predefined set of resolutions a plurality of resolutions executable to resolve the threat for the subset of assets. The one or more processors can execute, for each resolution of the plurality of resolutions, a trained model to simulate the resolution for the subset of assets. The one or more processors can select, based at least on results of execution of each resolution, a resolution among the plurality of resolutions to be implemented.

Abstract: The present disclosure provides a security assessment apparatus, a method, and a program capable of making an assessment of a security risk simply and appropriately. The security assessment apparatus according to the present disclosure is a security assessment apparatus of a facility to be controlled using a controller, including: an identification unit (15) configured to identify a compromised component which puts the facility into an unsafe situation based on data regarding a plurality of components provided in the facility and control program code of the controller, thereby generating a list of the compromised component; and a compromised behavior generating unit (16) configured to generate a compromised behavior of a selected component selected from the list of the compromised component.

Abstract: The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

Abstract: A system may provide blockchain-based storage node control for unified proof-of-storage interaction for off-chain data chunk storage. The system may include verification circuitry that may provide a challenge to a storage node to audit the storage status of a data chunk. The verification circuitry may obtain identities for the storage node and data chunk based on blockchain records. The verification circuitry may obtain a challenge answer from the storage node in response. The verification circuitry may analyze the challenge answer in view of a challenge key to confirm whether the storage node has possession of the data chunk. When the storage node has possession of the data chunk chain circuitry may add a verification record to the blockchain.

Abstract: Methods, systems, and devices are described for orchestrating server management in a modern IT network. The described techniques may be implemented to manage any number of networked severs, whether local, remote, or both. Server orchestration may leverage a central, cloud-based management system and/or one or more autonomous agents installed on servers with the network. The autonomous agents may each be registered with the supervisory server and may have awareness of one another.

Abstract: A dynamic cloud-based threat detection system is disclosed. The system comprises a network broker that receives communication sessions associated with communication device(s) via a network and selects and sends a predefined number of packets of each communication session to a detection based on packet selection rules. The communication device(s) comprises customer premises equipment (CPE) and/or a mobile communication device. The detection engine receives and inspects the predefined number of packets of each communication session and a governor that initiates blocking of particular communication traffic based on the inspection. The system also comprises a dynamic optimizer that monitors factor(s) and creates and sends updated packet rules to the network broker based on the monitoring. The network broker selects and sends a different predefined number of packets of each of a second plurality of communication sessions to the detection engine for inspection based on the updated packet selection rules.

Abstract: A 5G network includes an access network (AN), a 5G Core (5GC), one or more campus network components each configured to run 5GC software associated to a campus network, and one or more public network components each configured to run 5GC software associated to a public network. The 5GC comprises a central cloud having functionally separated instances, including: a public 5GC instance configured to host the public network realized as a network slice; a private 5GC instance configured to host one or more campus networks, wherein the one or more campus networks are realized as Network Slices; and a data layer instance configured to host Unified Data Repository (UDR) functionality. Unified Data Management (UDM) functions of both 5GC instances are connected to the data layer instance. A Network Slice Selection Function (NSSF) contains the information about network slices present in both 5GC instances.

Abstract: Network security is applied to identify malicious activity occurring on a network or at network nodes from a coordinated attack. For instance, a device, comprising a memory and a processor, can generate a first flag signal representative of a first flag applicable to first data and a second flag signal representative of a second flag applicable to second data in response to the first and second data being determined to be related and directed to a common destination node using identifiers associated with network equipment.

Abstract: Embodiments of the disclosure provide systems and methods for analyzing log files. Automated processing of log files can comprise reading a log file generated during execution of an application and comprising a plurality of log events and generating a plurality of templates based on the plurality of log events in the log file. Each template can map a log event to a candidate value for the log event. The plurality of log events can be aggregated into a plurality of groups based on the candidate value mapped to each log event in the plurality of templates and the plurality of groups of log events can be ranked. The log file can be partitioned based on the ranking of the plurality of groups of log events and one or more groups of log events can be provided to an analysis process based on the partitioning of the log file.

Abstract: Various embodiments of apparatuses and methods for distributed threat sensor analysis and correlation of a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a distributed threat sensor analysis and correlation service obtains significance scores for different sources of the interactions with the plurality of threat sensors. The service determines which of the sources are malicious actors based on the significance scores. The service receives identifiers of known actors such as compute instances in the provider network, client devices in a client network, or deployed IoT devices in a remote network, and correlates the malicious actors with the known actors to identify which known actors might be infected by malware.

Abstract: Systems and methods may generally be used to automatically curate a blocklist of internet protocol (IP) addresses. An example method may include using risk factor scores for a particular IP address that was blocked by a traffic control component to determine whether to add the particular IP address to a blocklist. The example method may include, in response to a determination to add the particular IP address to the blocklist, generating an IP address entry in the blocklist for the particular IP address, the IP address entry optionally including a corresponding time-based expiration. The example method may include outputting the blocklist or the IP address entry, such as in response to a request from a firewall.

Abstract: Systems and methods for attributing user behavior from multiple technical telemetry sources are provided. An example method includes determining that the user has logged into the computing device, in response of the determination, collecting log data from a plurality of telemetry sources associated with the computing device, extracting, from the log data, activity data concerning activities of the computing device, analyzing the activity data to determine that the activity data are attributed to the user, generating, based on the activity data, behavior attributes of the user, associating the behavior attributes with a unique identifier of the computing device, and estimating security integrity of the computing device based on a comparison of the behavior attributes to reference behavior attributes. The reference behavior attributes include further behavior attributes determined using log data of at least one further computing device associated with the user.

Abstract: A computing device may include a memory storing a first dataset and a second dataset and a processor configured to provide an operating system. The computing device may also include a container defined by a programmed boundary within at least the memory and provided by the operating system. A resource executed within the container may access the first dataset without accessing the second dataset. However, the resource may access the second dataset in response to a generation of a certificate. The resource may originate from following a hyperlink in a communication.

Abstract: A threat management facility for an enterprise network integrates native threat management capabilities with threat data from a cloud service provider used by the enterprise. By properly authenticating to the cloud service and mapping data feeds from the cloud service to a native threat management environment, the threat management facility can extend threat detection and management capabilities beyond endpoint-centric techniques.

Abstract: A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services. In order to facilitate prompt notification of potential risks, the threat management facility may incrementally update data for use in threat assessments as the data becomes available from these different sources, and create suitable alerts or notifications whenever the currently accumulated data provides an indication of threat meeting a predetermined threshold.

Abstract: Aspects of the disclosure relate to preventing unauthorized screen capture activity. A computing platform may detect, via an infrared sensor associated with a computing device, an infrared signal from a second device attempting an unauthorized image capture of contents being displayed by a display device of the computing device. Subsequently, the computing platform may determine, via the computing platform, the contents being displayed by the display device. Then, the computing platform may retrieve a record of the contents being displayed by the display device. Then, the computing platform may determine a risk level associated with the infrared signal. Subsequently, the computing platform may perform, via the computing platform and based on the risk level, a remediation task to prevent the unauthorized image capture.

Abstract: Systems, methods, and computer-readable media for cybersecurity are disclosed. The systems and methods may involve receiving, by an application capable of JavaScript execution, code for execution; executing, before execution of the received code, an intercepting code, wherein the intercepting code is configured to intercept at least one application programming interface (API) invocation by the received code; intercepting, by the intercepting code, an API invocation by the received code; determining that the intercepted API invocation results in a manipulation of a backing store object; and modifying an execution of the intercepted API invocation, wherein the modified execution results in a nonpredictable environment state.

Abstract: A computing device including a memory and a processor is provided. The memory stores processor executable instructions for an entity engine. The processor is coupled to the memory. The processor executes the entity engine to cause the computing device to model entities, which hold or classify data. The processor executes the entity engine to cause the computing device to store in the memory a list identifying each of the entities and the entities themselves in correspondence with the list. The processor executes the entity engine to cause the computing device to provide, in response to a selection input from an external system, access to the entities based on the list. The access includes providing the list to the external system, receiving the selection input identifying a first entity of the entities, and exporting the first entity from the memory to the external system.

Abstract: A disclosed method installs an I/O trap protocol to provide an authentication callback function for handling I/O trap events. I/O trap events may include write operations accessing any of one or more identified I/O addresses. An I/O trap event may be registered with the authentication callback function for each of one or more identified I/O addresses. Original values of data may be stored in a memory resource. Any occurrences of an I/O trap event triggers the authentication callback function to perform I/O trap operations. The I/O trap operations may include determining whether the I/O trap event is associated with an approved driver and, if not, restoring data stored at the identified I/O address to an original value. Installing the I/O trap protocol may include installing the I/O trap protocol during a system management mode (SMM) phase of a UEFI boot sequence.

Abstract: A method for executing a function, secured by temporal desynchronization, includes when a first legitimate instruction is loaded, noting the opcode of this first legitimate instruction, then constructing a dummy instruction on the basis of this noted opcode, the dummy instruction thus constructed being identical to the first legitimate instruction except that its operands are different, then incorporating the dummy instruction thus constructed into a sequence of dummy instructions used to delay the time at which a second legitimate instruction is executed.

Abstract: Provided is a method of securing a software code of an application including at least one constant data. The method produces secure software code can then be executed on a processor. The method includes fragmenting current constant data into several valid data chunks of random length, encoding and storing the valid data chunks at random locations in the application software code, identifying all occurrences of the current constant data in the application software code and replacing each of them with a call to a Runtime application self-protection (RASP) agent for reading the current constant data, and inserting, at random locations of a control flow graph of the application software code, RASP check instructions which when executed at runtime. The RASP agent being configured for running in the application runtime environment and being capable of controlling application execution and detecting and preventing real-time attacks.

Abstract: An unauthorized communication detection device that detects unauthorized communication in a manufacturing system that manufactures products includes: an obtainer that obtains operation information of the manufacturing system; a storage that stores element information indicating one or more target elements among a plurality of elements related to manufacturing of the products; a specifier that specifies, for each of a plurality of communications performed in the manufacturing system, an element corresponding to the communication, based on the operation information; a calculator that calculates an abnormal degree of each of one or more communications, which satisfy that the element specified by the specifier is included in the one or more target elements indicated by the element information, among the plurality of communications; and a determiner that determines that, when an abnormal degree calculated by the calculator is larger than a threshold value, a communication corresponding to the abnormal degree is th

Abstract: Methods and systems for providing browser extension are disclosed. In some embodiments, the browser extension system includes a communication device in communication with a computing device and a networked system. The browser extension system also includes a processor configured to perform operations comprising: maintaining data associated with the computing device; detecting, through a browser extension application running on the computing device, a field in a web page associated with the networked system and provided by a web browser application running on the computing device; and in response to detecting the field: (i) automatically populating the field, through the browser extension application, with a secure token mapped to the data, (ii) detecting, through the browser extension application, a submission script associated with the web page, and (iii) automatically executing the submission script to submit the secure token through the browser extension application to the networked system.

Abstract: Methods and systems for detecting threats using threat signatures loaded in a computing device.

Abstract: A computer-implemented method for software detection is disclosed. The computer-implemented method includes scanning a list of file systems present on a computer system and described by a respective mount point for a signature from a set of predetermined signatures. The computer-implemented method further includes responsive to detecting the signature from the set of predetermined signatures, selecting a particular plugin from a predetermined list of plugins based, at least in part, on the detected signature. The computer-implemented method further includes querying, using the plug-in, an operating environment of the filesystem for data indicative of software running in the operating environment. The computer-implemented method further includes determining software running in the operating environment based, at least in part, on the data returned from querying the operating environment of the filesystem.

Abstract: Examples described herein relate to signing of files based on file security credentials. A signing request for a file is received from a file author device. The signing request may include a file identifier associated with the file and a first key identifier associated with a first key stored in a hardware security module (HSM). File security credentials associated with the file may be obtained from one or more file security databases using the file identifier. A file security value for the file may be determined based on the file security credentials. On determining that the file security value satisfies a predetermined first key criteria, the file may be signed using the first key.

Abstract: A method and apparatus for preventing access to an IoT device is provided herein. During operation an apparatus will inquire about current and/or past connections to an IoT device. A list of identities of current and/or past apparatuses that were connected to the IoT device will be provided, and a determination on whether or not to allow access to the IoT device will be based on the identities of current and/or past apparatuses that are accessing, or have accessed the IoT device.

Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack to one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response is determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.

Abstract: Various techniques for detecting visual similarity between DNS fully qualified domain names (FQDNs) are disclosed. In some embodiments, a system, process, and/or computer program product for detecting visual similarity between DNS FQDNs includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; performing extended sequence alignment for each of the set of FQDNs to identify potential malware FQDNs for one or more target FQDNs based on a visual similarity for each domain in the DNS data stream; and classifying the set of domains as malware FQDNs or benign FQDNs based on results of the extended sequence alignment.

Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: The technology disclosed relates to simulating spread of a malware in cloud applications. In particular, the technology disclosed relates to accessing sharing data for files shared between users via sync and share mechanisms of cloud applications, tracing connections between the users by traversing a directed graph constructed based on the sharing data, and simulating spread of a malware based on the traced connections to simulate user exposure to, infection by, and transmission of the malware. The connections are created as a result of syncing and sharing the files via the sync and share mechanisms. The malware is spread by syncing and sharing of infected ones of the files via the sync and share mechanisms.

Abstract: An electronic keyboard comprises a plurality of keys and a housing comprising a cavity. The cavity accommodates a circuit board, a pressing layer and at least one pressure sensor arranged therein. Each pressure sensor is provided between a lower portion of the cavity and the circuit board, the pressing layer is moveably connected to each of the keys and the circuit board is provided between the pressing layer and the lower portion. Each pressure sensor is connected to the circuit board, and a force-receiving surface of each pressure sensor aligns with a projection area of the corresponding one of the keys.

Abstract: A method includes obtaining audit records. Each of the audit records indicates a timestamp for a corresponding message, at least one event type code selected from a plurality of event type codes for a corresponding audit event of the corresponding message, and an identifier for a corresponding system entity associated with creation of the corresponding message. A number of audit records are aggregated over a period of time. An audit file is generated to include the number of audit records and integrity information. Storage of the audit file is facilitated by utilizing a name of the audit file.

Abstract: A method for detecting a cyberattack on a control system of a wind turbine includes providing a plurality of classification models of the control system. The method also includes receiving, via each of the plurality of classification models, a time series of operating data from one or more monitoring nodes of the wind turbine. The method further includes extracting, via the plurality of classification models, a plurality of features using the time series of operating data. Each of the plurality of features is a mathematical characterization of the time series of operating data. Moreover, the method includes generating an output from each of the plurality of classification models and determining, using a decision fusion module, a probability of the cyberattack occurring on the control system based on a combination of the outputs. Thus, the method includes implementing a control action when the probability exceeds a probability threshold.

Abstract: Techniques for performing anomaly detection are described. An exemplary method includes receiving a request to detect potential anomalies using an anomaly detection system having at least one anomaly scoring model; processing the received data using the anomaly detection system to score the data to determine when the data is potentially anomalous based on one or more thresholds; requesting feedback of at least one determined potential anomaly; receiving feedback on the least one determined potential anomaly; and adjusting at least one of one or more of thresholds used to determine potential anomalies and what is considered an anomaly without adjusting the at least one anomaly scoring model.

Abstract: Systems and methods for obfuscating keyboard keys against interception are provided. In an example, a protected application is dynamically virtualized in user space, wherein the virtualization comprises an isolated keyboard path. Keystrokes are injected to the isolated keyboard path, wherein the injected keystrokes are associated with a respective timestamp, and user input keystrokes are obfuscated with the injected keystrokes and the obfuscated keystrokes are passed to a low level hook. The obfuscated keystrokes passed to the low level hook are separated according to tags associated with the obfuscated keystrokes to obtain the user input keystrokes. The user input keystrokes are transmitted to a target window of the protected application.

Abstract: A method for providing vulnerability management to facilitate application development and deployment is disclosed. The method includes receiving a monitoring request that includes an identifier, the identifier corresponding to an application; onboarding the application by using the identifier; generating a scheduled task for the application based on an outcome of the onboarding, the scheduled task relating to source code vulnerability analytics; automatically initiating, via an application programming interface, the scheduled task based on a predetermined parameter; determining whether a set of source codes that corresponds to the application includes a vulnerability based on a result of the automatically initiated scheduled task; and generating a ticket when the vulnerability is included in the set of source codes.

Abstract: Disclosed herein are systems and method for detecting malware signatures in databases. In one exemplary aspect, a method may comprise identifying a plurality of entries of the database, wherein each entry represents a record stored on a computing device and selecting at least one suspicious entry in the plurality of entries. The method may comprise retrieving a record associated with the suspicious entry and applying a transformation to original contents of the record. The method may comprise scanning the transformed contents of the record for a malware signature. In response to detecting a portion of the transformed contents that matches the malware signature, the method may comprise executing a remediation action that removes a corresponding portion from the original contents of the record and updating the database by replacing the at least one suspicious entry with an entry of the record on which the remediation action was executed.

Abstract: Aspects of the subject disclosure may include, for example, receiving, at a device, a message over a communication network from a remote source, determining if the message includes executable code and initiating a virtual machine in an isolated portion of the memory of the device responsive to the determining the message include executable code. Aspects of the subject disclosure further include executing, by the virtual machine, the executable code within the isolated portion of the memory, monitoring, by an artificial intelligence module, activities of the executable code during the executing the executable code and determining if the executable code comprises malicious code responsive to the monitoring activities of the executable code. Aspects of the disclosure further include deleting the executable code from the device in response to a determination that the executable code comprises malicious code. Other embodiments are disclosed.

Abstract: Techniques for enabling the identification of anomalous events associated with an object storage service of a cloud provider network using a variational autoencoder model including a pre-trained embedding for selected features of events are described. A variational autoencoder, for example, encodes data into a latent space and reconstructs approximations of the data from an encoding in the latent space. In this context, for example, anomalous events of interest might represent unauthorized or abusive behavior associated with storage resources provided by an object storage service (or in association with other types of computing resources provided by other services of a cloud provider network). Legitimate (or benign) access patterns to an object storage service can be modeled by utilizing observed data plane events stored by an account activity monitoring service. Once trained, the model can be used to identify anomalous events.

Abstract: A method for protecting subscriber data includes intercepting network traffic associated with a call. The network traffic includes call parameters and call stream data. A first set of the call parameters is analyzed. A first probability value of the call being declared as unwanted is determined. The call stream data is analyzed to define a second set of call parameters. The first set of call parameters is reanalyzed based on the second set. A second probability value of the call being declared as unwanted is determined. A determination is made if the second probability value exceeds a second threshold value. The call is declared as unwanted, in response to determining that the second probability value exceeds the second threshold. The first and second sets of call parameters are transmitted to an application configured to protect data of a protected subscriber.

Abstract: In some implementations, a device may detect loading of a first web page associated with a domain, and may create an inline frame element that references a second web page associated with the domain. The second web page may require an authenticated user session to access particular content of the second web page. The device may insert the inline frame element into code for the first web page, and may transmit a request for the second web page based on inserting the inline frame element into the code for the first web page. The device may receive a response to the request for the second web page, and may determine whether there is an authenticated user session for the domain based on the response. The device may selectively perform an action based on determining whether there is an authenticated user session for the domain.

Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.

Abstract: A control system including a controller system and a support device is provided. The controller system controls a control target. The support device supports setting of the controller system. The support device includes a system-configuration input part, a threat analysis database, a threat-scenario creating part, a countermeasure database, a countermeasure creating part, and a security setting part. The countermeasure creating part creates a countermeasure scenario containing a countermeasure for each of protected assets of the controller system according to a threat scenario and countermeasures of the countermeasure database.

Abstract: Systems and methods for providing an automated quality assurance framework for infrastructure as code (“IaC”) implementations are provided. Pull requests with proposed change to existing IaC source code (“changed code”) are received from user devices, each associated with either a service enablement team member or an applications development team member. Team specific versions of the quality assurance framework are automatically triggered for the changed code which require successful passage through multiple modules in a successive manner before automatically being merged into the existing IaC source code.

Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).