Abstract: A method and apparatus for preventing access to an IoT device is provided herein. During operation an apparatus will inquire about current and/or past connections to an IoT device. A list of identities of current and/or past apparatuses that were connected to the IoT device will be provided, and a determination on whether or not to allow access to the IoT device will be based on the identities of current and/or past apparatuses that are accessing, or have accessed the IoT device.

Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack to one or more protected computer networks by determining keywords and/or patterns in HyperText Transfer Protocol (HTTP) responses. Stored HTTP responses are analyzed to extract one or more HTTP characteristics for each stored HTTP response. One or more patterns having one or more keywords in each stored HTTP response is determined utilizing the extracted one or more HTTP characteristics for each stored HTTP response. A hash value is determined for each determined pattern, which is preferably stored in a hash structure accompanied by its respective determined HTTP characteristics. Each hash value accompanied by its respective determined HTTP characteristics is stored as a mitigation filter candidate if the hash value contains a determined pattern consisting of at least a predetermined percentage of all determined patterns stored in the hash structure.

Abstract: Various techniques for detecting visual similarity between DNS fully qualified domain names (FQDNs) are disclosed. In some embodiments, a system, process, and/or computer program product for detecting visual similarity between DNS FQDNs includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; performing extended sequence alignment for each of the set of FQDNs to identify potential malware FQDNs for one or more target FQDNs based on a visual similarity for each domain in the DNS data stream; and classifying the set of domains as malware FQDNs or benign FQDNs based on results of the extended sequence alignment.

Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.

Abstract: The technology disclosed relates to simulating spread of a malware in cloud applications. In particular, the technology disclosed relates to accessing sharing data for files shared between users via sync and share mechanisms of cloud applications, tracing connections between the users by traversing a directed graph constructed based on the sharing data, and simulating spread of a malware based on the traced connections to simulate user exposure to, infection by, and transmission of the malware. The connections are created as a result of syncing and sharing the files via the sync and share mechanisms. The malware is spread by syncing and sharing of infected ones of the files via the sync and share mechanisms.

Abstract: An electronic keyboard comprises a plurality of keys and a housing comprising a cavity. The cavity accommodates a circuit board, a pressing layer and at least one pressure sensor arranged therein. Each pressure sensor is provided between a lower portion of the cavity and the circuit board, the pressing layer is moveably connected to each of the keys and the circuit board is provided between the pressing layer and the lower portion. Each pressure sensor is connected to the circuit board, and a force-receiving surface of each pressure sensor aligns with a projection area of the corresponding one of the keys.

Abstract: A method includes obtaining audit records. Each of the audit records indicates a timestamp for a corresponding message, at least one event type code selected from a plurality of event type codes for a corresponding audit event of the corresponding message, and an identifier for a corresponding system entity associated with creation of the corresponding message. A number of audit records are aggregated over a period of time. An audit file is generated to include the number of audit records and integrity information. Storage of the audit file is facilitated by utilizing a name of the audit file.

Abstract: A method for detecting a cyberattack on a control system of a wind turbine includes providing a plurality of classification models of the control system. The method also includes receiving, via each of the plurality of classification models, a time series of operating data from one or more monitoring nodes of the wind turbine. The method further includes extracting, via the plurality of classification models, a plurality of features using the time series of operating data. Each of the plurality of features is a mathematical characterization of the time series of operating data. Moreover, the method includes generating an output from each of the plurality of classification models and determining, using a decision fusion module, a probability of the cyberattack occurring on the control system based on a combination of the outputs. Thus, the method includes implementing a control action when the probability exceeds a probability threshold.

Abstract: Techniques for performing anomaly detection are described. An exemplary method includes receiving a request to detect potential anomalies using an anomaly detection system having at least one anomaly scoring model; processing the received data using the anomaly detection system to score the data to determine when the data is potentially anomalous based on one or more thresholds; requesting feedback of at least one determined potential anomaly; receiving feedback on the least one determined potential anomaly; and adjusting at least one of one or more of thresholds used to determine potential anomalies and what is considered an anomaly without adjusting the at least one anomaly scoring model.

Abstract: Systems and methods for obfuscating keyboard keys against interception are provided. In an example, a protected application is dynamically virtualized in user space, wherein the virtualization comprises an isolated keyboard path. Keystrokes are injected to the isolated keyboard path, wherein the injected keystrokes are associated with a respective timestamp, and user input keystrokes are obfuscated with the injected keystrokes and the obfuscated keystrokes are passed to a low level hook. The obfuscated keystrokes passed to the low level hook are separated according to tags associated with the obfuscated keystrokes to obtain the user input keystrokes. The user input keystrokes are transmitted to a target window of the protected application.

Abstract: A method for providing vulnerability management to facilitate application development and deployment is disclosed. The method includes receiving a monitoring request that includes an identifier, the identifier corresponding to an application; onboarding the application by using the identifier; generating a scheduled task for the application based on an outcome of the onboarding, the scheduled task relating to source code vulnerability analytics; automatically initiating, via an application programming interface, the scheduled task based on a predetermined parameter; determining whether a set of source codes that corresponds to the application includes a vulnerability based on a result of the automatically initiated scheduled task; and generating a ticket when the vulnerability is included in the set of source codes.

Abstract: Disclosed herein are systems and method for detecting malware signatures in databases. In one exemplary aspect, a method may comprise identifying a plurality of entries of the database, wherein each entry represents a record stored on a computing device and selecting at least one suspicious entry in the plurality of entries. The method may comprise retrieving a record associated with the suspicious entry and applying a transformation to original contents of the record. The method may comprise scanning the transformed contents of the record for a malware signature. In response to detecting a portion of the transformed contents that matches the malware signature, the method may comprise executing a remediation action that removes a corresponding portion from the original contents of the record and updating the database by replacing the at least one suspicious entry with an entry of the record on which the remediation action was executed.

Abstract: Aspects of the subject disclosure may include, for example, receiving, at a device, a message over a communication network from a remote source, determining if the message includes executable code and initiating a virtual machine in an isolated portion of the memory of the device responsive to the determining the message include executable code. Aspects of the subject disclosure further include executing, by the virtual machine, the executable code within the isolated portion of the memory, monitoring, by an artificial intelligence module, activities of the executable code during the executing the executable code and determining if the executable code comprises malicious code responsive to the monitoring activities of the executable code. Aspects of the disclosure further include deleting the executable code from the device in response to a determination that the executable code comprises malicious code. Other embodiments are disclosed.

Abstract: Techniques for enabling the identification of anomalous events associated with an object storage service of a cloud provider network using a variational autoencoder model including a pre-trained embedding for selected features of events are described. A variational autoencoder, for example, encodes data into a latent space and reconstructs approximations of the data from an encoding in the latent space. In this context, for example, anomalous events of interest might represent unauthorized or abusive behavior associated with storage resources provided by an object storage service (or in association with other types of computing resources provided by other services of a cloud provider network). Legitimate (or benign) access patterns to an object storage service can be modeled by utilizing observed data plane events stored by an account activity monitoring service. Once trained, the model can be used to identify anomalous events.

Abstract: A method for protecting subscriber data includes intercepting network traffic associated with a call. The network traffic includes call parameters and call stream data. A first set of the call parameters is analyzed. A first probability value of the call being declared as unwanted is determined. The call stream data is analyzed to define a second set of call parameters. The first set of call parameters is reanalyzed based on the second set. A second probability value of the call being declared as unwanted is determined. A determination is made if the second probability value exceeds a second threshold value. The call is declared as unwanted, in response to determining that the second probability value exceeds the second threshold. The first and second sets of call parameters are transmitted to an application configured to protect data of a protected subscriber.

Abstract: In some implementations, a device may detect loading of a first web page associated with a domain, and may create an inline frame element that references a second web page associated with the domain. The second web page may require an authenticated user session to access particular content of the second web page. The device may insert the inline frame element into code for the first web page, and may transmit a request for the second web page based on inserting the inline frame element into the code for the first web page. The device may receive a response to the request for the second web page, and may determine whether there is an authenticated user session for the domain based on the response. The device may selectively perform an action based on determining whether there is an authenticated user session for the domain.

Abstract: An endpoint in an enterprise network is instrumented with sensors to detect security-related events occurring on the endpoint. Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network.

Abstract: A control system including a controller system and a support device is provided. The controller system controls a control target. The support device supports setting of the controller system. The support device includes a system-configuration input part, a threat analysis database, a threat-scenario creating part, a countermeasure database, a countermeasure creating part, and a security setting part. The countermeasure creating part creates a countermeasure scenario containing a countermeasure for each of protected assets of the controller system according to a threat scenario and countermeasures of the countermeasure database.

Abstract: Systems and methods for providing an automated quality assurance framework for infrastructure as code (“IaC”) implementations are provided. Pull requests with proposed change to existing IaC source code (“changed code”) are received from user devices, each associated with either a service enablement team member or an applications development team member. Team specific versions of the quality assurance framework are automatically triggered for the changed code which require successful passage through multiple modules in a successive manner before automatically being merged into the existing IaC source code.

Abstract: The technology disclosed works in real time, as base and subordinate HTTP URL requests are received, to attribute subordinate HTTP URL requests to base web pages. The main case uses the “referer” or “referrer” HTTP header field for attribution, directly and through a referer hierarchy to the base web page. A second case, which minimizes false generation of base web page log entries, involves small files, such as cascading style sheets (CSS) files, that often have a blank or no referer field. The technology disclosed applies equivalently to hypertext transfer protocol secure (HTTPS) data (e.g., HTTPS transactions, requests, and/or events).

Abstract: A system comprising a microcontroller located on a communication bus, a power consumption circuit configured to determine power consumption of the microcontroller, wherein a processor is programmed to determine if a clock associated with the microcontroller is paused and whether an average operational power has exceeded a power threshold, and in response to the average operational power exceeding the power threshold and in response to identifying an attacked message or attacked electronics control unit, in response to determining the microcontroller is under the suspected attack, output an alert associated with an event causing change in the bit patterns of messages on the communication bus.

Abstract: Systems, methods, and apparatus are provided for intelligent cybersecurity processing of a product update. A fetcher application may access an updated version of a software product, a prior version of the product, and a version control system for the product. A malicious software identification engine may process the data using batch or stream processing to identify suspect code and metadata anomalies in the updated version. The engine may decompile executable binary code to obtain source code for the updated version and the prior version. A machine learning engine may receive input from the malicious software identification engine and classify the input using an NER-based machine learning model. Based on output from the machine learning engine, a control dashboard may block installation of a malicious product update.

Abstract: A debugging management platform and an operating method for the same are provided. In the operating method, the debugging management platform operates a debugging agent service for establishing a debugging channel between a software development platform and a test platform. When receiving debugging packets are issued by the software development platform or the test platform, the debugging agent service analyzes the debugging packets and checks if the debugging packets meet an information security standard. The debugging packets are forwarded to the test platform or the software development platform if the debugging packets meet the information security standard. If the debugging packets do not meet the information security standard, the debugging packets are not forwarded, so as to ensure information security of the debugging packets that are forwarded between different environments.

Abstract: A method for phishing detection based on modeling of web page content is discussed. The method includes accessing suspect web page content of a suspect Uniform Resource Locator (URL). The method includes generating an exemplary model based on an exemplary configuration for an indicated domain associated with the suspect URL, where the exemplary model indicates structure and characteristics of an example web page of the indicated domain. The method includes generating a suspect web page model that indicates structure and characteristics of the suspect web page content. The method includes performing scoring functions for the potential phishing web page content based on the suspect web page model, where some of the scoring functions use the exemplary model to perform analysis to generate respective results. The method includes generating a web page content phishing score based on results from the scoring functions.

Abstract: In an embodiment, a threat score prediction model is generated for assigning a threat score to a software vulnerability. The threat score prediction model may factor one or more of (i) a degree to which the software vulnerability is described across a set of public media sources, (ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases, (iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, and/or (iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability.

Abstract: A row hammer preventing circuitry including: a first table storing a count value representing a hit count and an address bit of multiple entries, each entry corresponding to access-requested target rows; a second table including safe bits and a safe bit counter; and a row hammer preventing logic to identify masking entries, on which a masking comparison is to be performed, among the entries on the basis of the safe bit counter, to determine a hit or miss on the basis of whether other bits except an MSB among address bits of an access-requested target row match other bits except an MSB among address bits of the masking entries, and to generate a control signal indicating an additional refresh on rows adjacent to rows corresponding to a masking entry whose hit count is greater than a threshold value.

Abstract: A system for risk analysis using port scanning for multi-factor authentication having a multi-dimensional time series data server configured to monitor and record a network's traffic data and to serve the traffic data to other modules and a directed computational graph module configured to scan open ports on connection destinations, analyze the scan results, and determine a verification score needed before granting access based at least in part on the analysis of the received responses. A plurality of verification methods build up a user's verification score to required level to gain access.

Abstract: The present disclosure discloses a complex network attack detection method based on cross-host abnormal behavior recognition, and the method includes the following steps: 1) firstly collecting kernel log data of a host to construct an intra-host association graph, then employing a graph convolution network (GCN) to extract features, and finally using an autoencoder to detect abnormal nodes in the intra-host association graph; 2) firstly constructing an inter-host interaction graph by using network flow log data, then training a prediction model based on a sequence of the inter-host interaction graph, and finally detecting abnormal edges in the inter-host interaction graph according to prediction differences; and 3) firstly constructing a cross-host exception association graph according to intra-host and inter-host exception detection results, then spreading exception scores by employing a PageRank algorithm, and finally confirming an attacked host based on the exception scores.

Abstract: The present invention relates to methods, systems, and apparatus for generating and/or using training data.

Abstract: Certificate usage data is generated which identifies which processes or applications use which specific certificates. A certificate-specific usage model is generated based upon the certificate usage data and is used to detect anomalous usage of a certificate, by an application or process that has not previously used the certificate to authenticate itself to the computing system.

Abstract: Systems, methods, and computer-readable media are provided for dynamic allocation of network security resources and measures to network traffic between end terminals on a network and a network destination, based in part on an independently sourced reputation score of the network destination. In one aspect, a method includes receiving, at a cloud network controller, a request from an end terminal for information on a network destination; determining, at the cloud network controller, a reputation score for the network destination; determining, at the cloud network controller, one or more security measures to be applied when accessing the network destination, based on the reputation score; and communicating, by the cloud network controller, the one or more security measures to the end terminal, wherein the end terminal communicates the one or more security measures to a third-party security service provider for applying to communications between the end terminal and the network destination.

Abstract: The present disclosure relates to systems and methods for detecting unauthorized system configuration changes. For example, metadata can be extracted from network traffic captured by one or more different network tools and/or network devices and provided to a metadata evaluator. As an example, the one or more different network tools and/or devices can include a switch port analyzer tool, a security information and event management tool, and/or a test access port device. The metadata evaluator can process the extracted metadata to detect a system configuration change in a system on a network that includes the network traffic. The metadata evaluator can determine whether the system configuration change is an authorized system configuration change. In some examples, the metadata evaluator can determine whether the system configuration change is an authorized system configuration change based on change management data from a change management system.

Abstract: A talking head digital identity immutable dual authentication method, comprising: publishing a talking head show, downloading talking head file, talking head show file, and signature files for each from a server into a playback device; downloading respective talking head hash and talking head show hashes from a blockchain into the playback device; using a talking head and talking head show public key to validate talking head and talking head show signatures; determining whether the talking head and talking head show signatures are correct, and if correct, a talking head hash and a talking head show hash are calculated and checked against respective hashes downloaded from the blockchain; if the calculated talking head hash and the calculated talking head show hash of the files from the server and the hashes of the talking head and talking head show from the blockchain match, respectively, then playback of the talking head show plays.

Abstract: A system described herein may provide a technique for compressing sets of files using a packet-based conversion algorithm. The algorithm may compress and decompress files using a packet-based approach, whereby packet-sized sections of file data are compressed and arranged in a specified order such that the sections may be retrieved, decompressed, and reassembled to restore the original files as needed. The packet-based approach may allow for the size of a file set to be dramatically reduced, while the resulting compressed data may not be easily accessed by unauthorized entities. Compression and decompression may utilize a pointer associated with each file in the set of files. The pointer may be generated based on data associated with a file, such as file name, size, and/or other attributes or metadata. The compressed packets may be arranged relative to the pointer within a compressed file such that the packets may be identified and decompressed.

Abstract: The technology described herein can identify phishing URLs using transformers. The technology tokenizes useful features from the subject URL. The useful features can include the text of the URL and other data associated with the URL, such as certificate data for the subject URL, a referrer URL, an IP address, etc. The technology may build a joint Byte Pair Encoding for the features. The token encoding may be processed through a transformer, resulting in a transformer output. The transformer output, which may be described as a token embedding, may be input to a classifier to determine whether the URL is a phishing URL. Additional or improved URL training data may be generated by permuting token order, by simulating a homoglyph attack, and by simulating an a compound word attack.

Abstract: A warning apparatus (2000) acquires first detected event information (10) representing, at a first abstraction level, an event set being a set of events having occurred in a target system. The warning apparatus (2000) generates second detected event information (20) from the first detected event information (10). The second detected event information (20) represents, at a second abstraction level, the event set represented by the first detected event information (10). The warning apparatus (2000) determines, from among a plurality of pieces of threat information (30) each representing a threat activity, the threat information (30) having a high degree of relevance to at least either of the first detected event information (10) and the second detected event information (20).

Abstract: Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting using stack artifact verification. In aspects, function hooks may be added to one or more functions. When a hooked function executes, artifacts relating to the hooked function may be left on the stack memory (“stack”). The location of the artifacts on the stack may be stored in a local storage area. Each time a hook in a hooked function is subsequently executed, protection may be executed to determine whether an artifact remains in the location stored in the local storage area. If the artifact is no longer in the same location, a stack pivot may be detected and one or more remedial actions may be automatically performed.

Abstract: A system and method for detecting a cybersecurity risk of an artificial intelligence (AI), is presented. The method includes: inspecting a computing environment for an AI model deployed therein; generating a representation of the AI model in a security database, the security database including a representation of the computing environment; inspecting the AI model for a cybersecurity risk; generating a representation of the cybersecurity risk in the security database, the representation of the cybersecurity risk connected to the representation of the AI model in response to detecting the cybersecurity risk; and initiating a mitigation action based on the cybersecurity risk.

Abstract: Within an organization, numerous different persons can access data. But a user account with database access may be compromised, leading to data theft and data destruction. Database queries used to access data may vary in length, content, and formatting. Features of these queries can be extracted to train a machine learning classifier. Queries for users can be mapped to a vector space and when a new sample query is received, it can be assessed using the classifier to determine its level of similarity with previous queries by that user and other users. By analyzing the results of this assessment on the new query, it can be determined if this new query represents a data access anomaly—e.g. a particularly unusual query for a user, given his or her past, that may indicate user credentials have been compromised. When a data access anomaly exists, a remedial action may be take.

Abstract: An automated creation of a phishing document uses personal data of a person stored in a database of persons and anonymous and categorisable personal properties stored in a hierarchical properties database. A relevance value is assigned to each personal property. At least one property of the person contained in the personal data has a correspondence in the properties database, that is a correspondence property. It is verified whether one of the correspondence properties is hierarchically subordinate to a phishing-document-specific default personal property. This subordinate correspondence property forms a creation property. The phishing document is created based on the creation property if this requirement is met. It is verified whether the relevance value of the creation property corresponds to a predefined target relevance value. The creation property is selected as a preparation property and used to prepare the phishing document if the assigned relevance value corresponds to the target relevance value.

Abstract: Credential phishing attack mitigation is disclosed. A URL that is associated with a suspected credential phishing web page is received. The suspected credential phishing web page is one that includes at least one element soliciting at least one credential. The URL is included in a message having at least one intended recipient. An artificial credential is provided to the suspected credential phishing web page. An indication is received that, subsequent to providing the artificial credential to the suspected credential phishing web page, an attempted use of the artificial credential to access a resource was made. In response to receiving the indication that the attempted use of the artificial credential to access the resource has been made, at least one remedial action is taken with respect to the suspected credential phishing web page.

Abstract: Embodiments as disclosed herein may provide systems and methods for component integration and security. In particular, in one embodiment, a native component that presents a network based interface may be on a device, where that native component may expose a network based interface for access by other components. This native component can then be accessed through the network based interface. To address security concerns and other issues, the native component may be configured to determine if a received request is associated with the same user space and only respond to requests originating from the same user space.

Abstract: An inline malicious traffic detector captures handshake messages in a session with a security protocol. The inline malicious traffic detector comprises a classifier that generates a verdict for the session indicating malicious or benign. The classifier is trained on labelled sessions using custom features generated from handshake messages. Based on determining that the session is malicious using features of the handshake messages, the inline malicious traffic detector blocks the session.

Abstract: Detection of phishing messages in network communications is performed by receiving a transmitted message and detecting characteristics of the message. A determination is made if the message matches a pattern of a phishing message in a database, and classifies the message as a phishing or spam message accordingly. If the message does not match a known phishing message pattern, the message is checked for common signs of phishing or spam by determining the severity of a threat embodied by the message, and the message is categorized as having phishing characteristics and according to the severity of threat. In response the user responses to determinations of threats, criteria for detection of phishing characteristics is adjusted, thereby automatically revising criteria for future decisions as to whether the message represents suspected phishing.

Abstract: A method and apparatus for providing IP address filtering. The method identifies one or more suspicious Uniform Resource Locators (URLs) and resolves the one or more suspicious URLs to one or more suspicious IP addresses. A suspicious IP address list is created containing the one or more suspicious IP addresses. The suspicious IP address list may be used to facilitate a security response to filter one or more of the IP addresses in the suspicious IP address list.

Abstract: A vehicle surveillance device for an in-vehicle network system that includes one or more electronic control units includes: a frame transmitter and receiver that receives a frame flowing over the in-vehicle network system; and a score calculator that detects a suspicious behavior different from a normal driving behavior based on the frame received by the frame transmitter and receiver and vehicle data including information on one or more frames received by the frame transmitter and receiver prior to receiving the frame, and calculates, based on a detection result, a score indicating a likelihood that reverse engineering has been performed on a vehicle provided with the in-vehicle network system.

Abstract: A method for detecting patterns using statistical analysis is provided. The method includes receiving a subset of structured data having a plurality of fields. A plurality of value combinations is generated for the plurality of fields using a statistical combination function. Each combination of the generated plurality of value combinations is stored as a separate entry in a results table. The entry in the results table includes a counter associated with the stored combination. A value of the counter is incremented for every occurrence of the stored combination in the generated plurality of value combinations. The results table is sorted based on the counters' values and based on a number of fields in each combination. One or more entries having highest counter values are identified in the results table.

Abstract: A method and system for mitigating against side channel attacks (SCA) that exploit speculative store-to-load forwarding is described. The method comprises conditioning store-to-load forwarding on the memory dependence predictor (MDP) being trained for that load instruction. Training involves identifying situations in which store-to-load forwarding could have been performed, but wasn't, and obversely, identifying situations in which store-to-load forwarding was performed but resulted in an error.

Abstract: A method for packet filtering in a network switch includes: utilizing an access control list circuit to filter received packets, wherein the access control list circuit compares header information of the received packets with an access control list to filter the received packets, where the access control list has at least one entry, and rule information in the entry includes only a portion of an IP address; and utilizing a routing circuit to further filter packets that pass the access control list circuit, wherein the routing circuit compares header information of the packets that pass the access control list circuit with a routing table to filter the packets, wherein the routing table has at least one entry, and rule information in the entry includes an entire IP address.

Abstract: Detecting anomalous behavior of a device, including: generating, using information describing historical activity associated with a user device, a trained model for detecting normal activity for the user device; gathering information describing current activity associated with the user device; and determining, by using the information describing current activity associated with the user device as input to the trained model, whether the user device has deviated from normal activity.