Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 11507672
    Abstract: Techniques for selectively remediating vulnerabilities for assets of a computing system are disclosed. The vulnerability management system identifies “active” vulnerabilities associated with “active” computing assets that have been determined to be currently running, or to have been recently run, on the system using system call data. By limiting remediation to vulnerabilities associated with software packages of active computing assets, remediation/mediation efforts can be focused on vulnerabilities that may be currently exploited for the system. The list of active vulnerabilities identified for a system may be updated in real time based on continued monitoring of runtime operations of the system. Additional context metadata may be associated with the active vulnerabilities to allow for further prioritization of vulnerability management activities.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: November 22, 2022
    Assignee: SYSDIG, INC.
    Inventors: Mattia Pagnozzi, Luca Guerra, Guido Bonomi
  • Patent number: 11503002
    Abstract: A device may receive, from a network device in near-real time, a packet of data associated with network traffic of a network, wherein the packet includes privacy-related data and network-related data. The device may read the privacy-related data from the packet. The device may generate anonymous data based on the privacy-related data, wherein the anonymous data obscures the privacy-related data. The device may generate a mapping between the anonymous data and the privacy-related data. The device may combine the anonymous data and the network-related data to generate a masked packet. The device may provide the masked packet to a server device. The device may receive, from the server device, data identifying a recommendation that is generated by processing the masked packet with an artificial intelligence model. The device may perform one or more actions based on the recommendation.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: November 15, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Prateek Goel
  • Patent number: 11503044
    Abstract: There are disclosed a method and computing device for detecting malicious domain names in network traffic. The method comprises: receiving the network traffic from a data network, extracting a plurality of data packets from the network traffic, analyzing the plurality of data packets in order to extract at least one domain name from the plurality of data packets; generating, for a given one of the at least one domain names, a given numerical value representative of a suspiciousness of the given one of the at least one domain name, the given numeric value being based on a given set of features of domain name suspiciousness corresponding to one of the given set of analysis methods; classifying the at least one domain name as malicious domain names, in response to an analysis being indicative of the given domain name being a malicious domain name.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: November 15, 2022
    Assignee: GROUP IB TDS, LTD
    Inventor: Nikita Igorevich Kislitsin
  • Patent number: 11500666
    Abstract: A container isolation method for a netlink resource includes receiving, by a kernel executed by a processor, a trigger instruction from an application program. The method also includes creating, by the kernel according to the trigger instruction, a container corresponding to the application program, creating a netlink namespace for the container, and sending a notification to the application program indicating that the netlink namespace is created. The method further includes receiving, by the kernel, a netlink message from the container, wherein the netlink message comprises entries generated when the container runs. The method additionally includes storing, by the kernel, the entries based on an identifier of the netlink namespace for the container, to send an entry required by the container to user space of the container.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: November 15, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Guocheng Zhong, Liang Zhang, Jianrui Yang, Jinmiao Liu
  • Patent number: 11503059
    Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: November 15, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roy Levin, Mathias Abraham Marc Scherman, Yotam Livny
  • Patent number: 11501369
    Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria, rules, indicators, or scenarios so as to generate scores, reports, alerts, or conclusions that the analyst may quickly and efficiently use to evaluate the groups of data clusters.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: November 15, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Sean Hunter, Aditya Kumar, Jacob Albertson
  • Patent number: 11503471
    Abstract: Systems and methods for inspection of traffic between UE and the core network to mitigate DDoS attacks on mobile networks are provided. According to one embodiment, the method involves parsing SCTP packets and monitoring header anomalies to block anomalous packet floods. According to another embodiment, a memory table maintains requesting S1AP-IDs which have sent certain monitored commands and then blocking those which are sending these messages at abnormally high rates. According to yet another embodiment, a packet classifier parses the GTP-U protocol, unwraps the encapsulated IP packet and then monitors layer 3, 4 and 7 rate-based attacks such as UDP, ICMP, SYN, HTTP GET floods and drops them to protect the targeted Internet server as well as mobile infrastructure (e.g., the MME, the SGW, the PGW, and the PDN) downstream from the DDoS mitigation system.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: November 15, 2022
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
  • Patent number: 11502725
    Abstract: An inspection control unit (210) checks a communication status of a communication network (101, 102) to which one or more nodes are connected and determines, based on the communication status, whether inspection of the communication network is possible. When it is determined that inspection of the communication network is possible, the inspection control unit outputs a basic signal, which is a pulse signal for inspecting the communication network, to the communication network. An inspecting unit (220) accepts an inspection signal, which is a basic signal with a waveform changed by flowing through the communication network, and determines, based on the waveform of the inspection signal, whether a new node connected to the communication network is present.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: November 15, 2022
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Yasuhiro Omori, Yuta Atobe, Yuki Okanami
  • Patent number: 11501006
    Abstract: Natural language processing is enhanced by linguistically extracting intelligence about a user. A history of user queries is analyzed by a natural language classifier to determine various user intents, and these intents are combined to form a user intent profile. The profile includes elements of sentiment, emotion and tone. The profile can be used in various ways including restricting access to documents in a collection, or refining a cognitive analysis of a query. For access restriction, a determination is made that the user intent is inconsistent with a document, and the user is denied access to the document. This determination involves a user intent score which is compared to a score of the document. For cognitive analysis, searching of reference documents is filtered by excluding documents based on the user intent. The searching includes a comparison of meta-data tags of the documents to the user intent.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: November 15, 2022
    Assignees: HYUNDAI MOTOR COMPANY, KIA CORPORATION
    Inventors: William G. Dubyak, Vijai Gandikota, Palani Sakthi
  • Patent number: 11503041
    Abstract: Systems and methods are disclosed for utilizing sender-recipient pair data to establish sender-level trust in future communication. One method comprises receiving raw communication data over a network and testing the received raw communication data against trained machine learning data to predict whether the raw communication data is associated with expected communication data. The raw communication data is sorted for expected communication data, which is further analyzed for sender-recipient pair data and assigned an expected communication pair data score. Senders associated with an expected communication pair data score that meets or exceeds a threshold are labeled and stored in a database as trusted. As a result of the sender-recipient pair analysis, recipients at-risk for being scammed can be identified, senders misidentified as spammers can be properly classified, and machine learning techniques utilized for analyzing raw communication data can be fine-tuned.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: November 15, 2022
    Assignee: Yahoo Assets LLC
    Inventors: Lachlan A. Maxwell, Donald J. McQueen, Paul S. Rock
  • Patent number: 11496379
    Abstract: Disclosed are a network traffic analysis method and a device based on multi-source network traffic data. The method includes: deploying a pre-training classifier pool in a network stream data source; receiving multi-source network stream data at a current moment for each data source, classifying the multi-source network stream data through an online classifier, performing feature processing and transformation on data collected by each network stream data source at each preset time interval, and transmitting processed traffic data features and a feature transformation matrix to a traffic drift detection module. The traffic drift detection module contains historical concept data to detect a concept drift according to the traffic data features, the feature transformation matrix and the historical concept data; if the concept drift is detected, the online classifier deployed by multiple sources is reset. This method is used for continuous real-time and accurate analysis of the multi-source network traffic data.
    Type: Grant
    Filed: June 8, 2022
    Date of Patent: November 8, 2022
    Assignee: National University of Defense Technology
    Inventors: Zhaoyun Ding, Hang Zhang, Fei Wang, Weike Liu, Xianqiang Zhu, Bin Liu, Cheng Zhu, Yi Liu
  • Patent number: 11496498
    Abstract: Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed by network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into a single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
    Type: Grant
    Filed: April 2, 2021
    Date of Patent: November 8, 2022
    Assignee: Webroot Inc.
    Inventors: William Wright, George D. Kellerman
  • Patent number: 11496497
    Abstract: Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.
    Type: Grant
    Filed: November 5, 2020
    Date of Patent: November 8, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Steven Rogers, John Daniel Scoggins, Sr.
  • Patent number: 11496512
    Abstract: Disclosed herein are techniques for detecting phishing websites. In one embodiment, a method is disclosed comprising receiving, at a server, a request for a webpage from a client device; generating, by the server, and inserting an encoded tracking value (ETV) into the webpage; inserting, by the server, dynamic tracking code (DTC) into the webpage, the inserting of the DTC further comprising obfuscating the DTC; and returning, by the server, the webpage including the ETV and DTC to the client device, the DTC configured to execute upon receipt at the client device and validate the ETV upon executing.
    Type: Grant
    Filed: November 12, 2019
    Date of Patent: November 8, 2022
    Assignee: Lookout, Inc.
    Inventors: Jeremy Boyd Richards, Brian James Buck
  • Patent number: 11494491
    Abstract: Disclosed are systems and methods for detecting multiple malicious processes. The described techniques identify a first process and a second process launched on a computing device. The techniques receive from the first process a first execution stack indicating at least one first control point used to monitor at least one thread associated with the first process, and receive from the second process a second execution stack indicating at least one second control point used to monitor at least one thread associated with the second process. The techniques determine that both the first process and the second process are malicious using a machine learning classifier on the at least one first control point and the at least one second control point. In response, the techniques generate an indication that an execution of the first process and the second process is malicious.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: November 8, 2022
    Assignee: ACRONIS INTERNATIONAL GMBH
    Inventors: Vladimir Strogov, Serguei Beloussov, Aliaksei Dodz, Valerii Cherniakovskii, Anatoly Stupak, Sergey Ulasen, Nikolay Grebennikov, Vyacheslav Levchenko, Stanislav Protasov
  • Patent number: 11496509
    Abstract: A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: November 8, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Drew Dennison, Geoff Stowe, Adam Anderson
  • Patent number: 11496513
    Abstract: A method and apparatus that provide a malicious domain emulator in a distributed cloud computing network are described. A malicious node emulator is executed as a third-party code in a compute server of the cloud computing platform to enable emulation of behavior of a malicious node. The malicious node emulator receives requests from one or multiple network devices addressed to the malicious domain and automatically emulates the behavior of the malicious domain to respond to these requests. The malicious node emulator logs information related to the requests and the network devices transmitting the requests.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: November 8, 2022
    Assignee: CLOUDFLARE, INC.
    Inventor: Justin Matthew Paine
  • Patent number: 11489868
    Abstract: Aspects of the disclosure relate to dynamic and automated spear phishing management. A computing platform may identify users to receive a simulated spear phishing message. In some instances, the computing platform may receive a very attacked persons (VAP) list and may identify the users to receive the simulated spear phishing message based on the VAP list. Based on historical message data associated with a first user, the computing platform may identify message features associated with the first user. Using a predetermined template and for a first user account linked to the first user, the computing platform may generate a first spear phishing message based on the message features. The computing platform may then send, to the first user account, the first spear phishing message.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: November 1, 2022
    Assignee: Proofpoint, Inc.
    Inventor: Nathan James Grealish
  • Patent number: 11489718
    Abstract: A framework for security information and event management (SIEM), the framework includes a first data store; a data router; one or more parsing mechanisms; one or more correlation machines; and one or more workflow engines, wherein said framework performs SIEM on behalf of multiple subscribers to said framework.
    Type: Grant
    Filed: December 23, 2021
    Date of Patent: November 1, 2022
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael David Wimpy, Andrey Konczal
  • Patent number: 11489851
    Abstract: The present invention provides a method of monitoring a computer network, the method comprising: providing a plurality of sensors, wherein said sensors form a meshed network of sensors which monitor cyber-event(s); detecting, by the plurality of sensors, cyber-event(s); linking cyber-event(s) to subsequent cyber-event(s) into branches to form/extend a cyber-event tree; comparing said cyber-event tree to a baseline cyber-event tree; determining if there are any differences in said cyber-event tree to said baseline cyber-event tree to identify a cyber-event tree or a branch thereof as anomalous and thereby identify potential anomalous event(s) and/or a cyber-attack.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: November 1, 2022
    Assignee: Cyber Defence QCD Corporation
    Inventor: Tiago Alves De Jesus
  • Patent number: 11483351
    Abstract: The present disclosure relates to securing workloads of a network by identifying compromised elements in communication with the network and preventing their access to network resources. In one aspect, a method includes monitoring network traffic at network elements of a network; detecting a compromised element in communication with one or more of the network elements, the compromised element being associated with at least one network threat; and based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: October 25, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Supreeth Hosur Nagesh Rao, Navindra Yadav, Tapan Shrikrishna Patwardhan, Umamaheswaran Arumugam, Darshan Shrinath Purandare, Aiyesha Ma, Hongyang Zhang, Kai Zhu
  • Patent number: 11483334
    Abstract: A set of attributes of a particular asset of a computing environment is identified that are determined from data collected by one or more utilities in the computing environment. A criticality rating is automatically determined for the particular asset based at least in part on the set of attributes. A security activity is caused to be performed relating to the particular asset based on the automatically determined criticality rating of the particular asset.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: October 25, 2022
    Assignee: McAfee, LLC
    Inventors: Ratinder Paul Singh Ahuja, Sven Schrecker
  • Patent number: 11483285
    Abstract: An access control device provides a secure access control mechanism for a system being remotely accessed. An embodiment of the access control device includes a front-end firewall to provide a first network port to connect a computer to remotely access the system; a bastion host connected with the front-end firewall; and a back-end firewall, connected with the bastion host, to provide a second network port to connect the system. The back-end firewall determines remotely accessible resources in the system and determines resources remotely accessible by the computer, among the remotely accessible resources in the system, according to remote access control policies. The bastion host provides the computer with information provided by the back-end firewall about the resources remotely accessible by the computer through the first network port of the front-end firewall, to permit the resources to be remotely accessible by the computer. Advantages may include security, simplicity and plug-and-play.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: October 25, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventor: Wen Tang
  • Patent number: 11483324
    Abstract: Techniques are provided for detection of malicious activity using behavior data. A behavior model is trained with behavior data generated in association with a plurality of requests. Data is received that describes a particular request from a particular client device to a server system hosting a website. The data includes particular behavior data generated at the particular client device in association with the particular request. The particular behavior data is analyzed using the behavior model to generate a behavior model result. An automation determination for the particular request is generated based on the behavior model result. The particular request is handled based on the automation determination for the particular request.
    Type: Grant
    Filed: May 22, 2018
    Date of Patent: October 25, 2022
    Assignee: SHAPE SECURITY, INC.
    Inventors: Ye Xu, Yao Zhao, Xinran Wang, Jarrod Overson
  • Patent number: 11483332
    Abstract: A system for comprehensive cybersecurity analysis and rating based on heterogeneous data and reconnaissance is provided, comprising a multidimensional time-series data server configured to create a dataset with at least time-series data gathered from passive network reconnaissance of a client; and a cybersecurity scoring engine configured to retrieve the dataset from the multidimensional time-series data server, process the dataset using at least computational graph analysis, and generate an aggregated cybersecurity score based at least on results of processing the dataset.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: October 25, 2022
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11483393
    Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive network session information from network monitoring devices distributed throughout an enterprise network. The network session information characterizes communications between a client device within the enterprise network and a server external to the enterprise network. The network session information is transformed into vectors of network communication session parameters. The vectors are combined into different time series of data. A similarity measure is computed between the different time series of data to detect unique sessions between the client device and a middlebox network device within the enterprise network or unique sessions between a middle box network device within the enterprise network and the server. The unique sessions are evaluated to infer relationships between networked devices within the enterprise network.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: October 25, 2022
    Assignee: Cpacket Networks Inc.
    Inventors: Sheng Lundquist, Douglas Cooper, Ron Nevo
  • Patent number: 11481489
    Abstract: The present disclosure provides for systems and methods for generating an image of a web resource to detect a modification of the web resource. An exemplary method includes selecting one or more objects of the web resource based on one or more object attributes; identifying a plurality of tokens for each selected object based on contents of the selected object; calculating a hash signature for each selected object of the web resource using the identified plurality of tokens; identifying potentially malicious calls within the identified plurality of tokens; generating an image of the web resource based on the plurality of hash signatures and based on the identified potentially malicious calls, wherein the image of the web resource comprises a vector representation of the contents of the web resource; and detecting whether the web resource is modified based on the image of the web resource.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: October 25, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Vladimir A. Skvortsov, Evgeny B. Kolotinsky
  • Patent number: 11483330
    Abstract: Systems for the detection of and/or protection from suspicious or malicious activities in a network, for example, an Internet of Things environment, are provided.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: October 25, 2022
    Assignees: University of Tabuk, Shaqra University
    Inventors: Bandar Alotaibi, Munif Alotaibi
  • Patent number: 11475133
    Abstract: A method of training a malicious code detection model and a method of detecting a malicious code. The method includes acquiring application programming interface (API) call information of called functions from a result log of performing dynamic analysis of a malicious code, calculating time intervals between timestamps using the timestamps which indicate API call times extracted from the API call information, determining a feature value of the malicious code on the basis of the time intervals, and training the malicious code detection model using an API call sequence included in the API call information and the feature value.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: October 18, 2022
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Jang Mi Shin, Young Min Cho, Jung Bae Jun, Jang Ho Kim, Tae Jin Iyn
  • Patent number: 11475131
    Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: October 18, 2022
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11475135
    Abstract: A computer-implemented method includes scanning changed computer instructions to detect vulnerabilities when the changed computer instructions are committed to a version control repository wherein the changed computer instructions comprise changes to a previous version of computer instructions. A vulnerability associated with an open issue for the previous version of computer instructions is determined to not be present in the vulnerabilities detected in the changed computer instructions and computer instructions are sent to close the open issue automatically based on the determination that the vulnerability is not present in the changed computer instructions.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: October 18, 2022
    Assignee: Target Brands, Inc.
    Inventors: Adam Konrad Parsons, Karthik Ramesh, Mercedes Leigh Cox
  • Patent number: 11477167
    Abstract: A firewall rule evaluation service scores firewall rules based on characteristics of logical objects that fall within ranges of Internet Protocol (IP) addresses corresponding to the firewall rules. Firewall rule scoring criteria may cause scores to be assigned to individual firewall rules based on an inverse relationship to quantities of discrete Autonomous Systems as well as aggregate numbers of and/or severity scores for threat intelligence flagged IP addresses granted access by individual firewall rules. The firewall rule evaluation service may further determine firewall rule recommendations for replacing firewall rules spanning multiple IP prefixes for different Autonomous Systems with more narrowly defined firewall rules that precisely encompass IP prefixes corresponding to single autonomous systems or multiple related Autonomous Systems (e.g., Autonomous Systems operated by a single trustworthy entity).
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: October 18, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Tomer Rotstein, Tomer Levav, Ron Matchoro, Michael Makhlevich
  • Patent number: 11477236
    Abstract: A computer-implemented method is provided for identifying words likely to be used in new combo-squatted domains of a target domain. The method includes selecting the target domain. The method further includes storing, in a memory device, a sequence of previously detected combo-squatted domains from period [t-W, t-1]. The sequence includes a set of words W. The method also includes obtaining trends associated with the target domain at time t. The method additionally includes obtaining, by a hardware processor responsive to the trends, a trend distribution associated with the target domain at time t. The method further includes ranking, by a likelihood, a set of words E that have been extracted from the trend distribution and are expected to be used in the future in the new combo-squatting domains, responsive to the set of words W.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: October 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Patent number: 11477030
    Abstract: The present disclosure relates to analyzing a firmware or a finite state machine, decomposing the same into a plurality of routines or states, individuating significative instructions or states, associating each significative instruction or state with a watchpoint, calculating first HASH values of the watchpoints using a HASH function before running the firmware or finite state machine for all allowable paths in the firmware or finite state machine corresponding to a correct working of the same, storing the set of first HASH values as calculated, calculating second HASH values of the watchpoints using a HASH function when running of the firmware or finite state machine, comparing the second HASH value of each watchpoint as calculated with the stored set of first HASH values, and validating the instruction or state of a watchpoint as correct if its second HASH value is comprised in the first HASH values of the allowed paths.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: October 18, 2022
    Assignee: Micron Technology, Inc.
    Inventors: Alberto Troia, Antonino Mondello
  • Patent number: 11477244
    Abstract: A method may include obtaining, from a user device, a first feedback from a first predetermined party regarding a data loss prevention (DLP) event through a graphical user interface (GUI). The method may further include determining whether the DLP event is authorized using the first feedback. The method may further include transmitting, automatically in response to determining that the DLP event is not authorized, a request for a second feedback by a second predetermined party using the GUI. The second predetermined party may be selected for the request automatically according to a routing queue. The method may further include obtaining, in response to transmitting the request for the second feedback, a selection of a security action regarding the DLP event using the GUI. The method may further include transmitting, automatically in response to the selection of the security action, a command that initiates the security action.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: October 18, 2022
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventors: Rafiq Ajmal Khurshid, Saad Farhan Al-Anazi, Abdullah Tariq Al-Essa
  • Patent number: 11475166
    Abstract: Some embodiments are directed to a compiling device (100) configured for selecting of protective transformations to improve security of a computer program. The compiling device is configured to assign protective transformations to parts of the data flow graph, and obtain a compilation of the computer program representation from at least the data flow graph and the assigned protective transformations which satisfy the security and/or the performance target.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: October 18, 2022
    Assignee: Koninklijke Philips N.V.
    Inventors: Oscar Garcia Morchon, Alan Pestrin, Willem Charles Mallon
  • Patent number: 11470096
    Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
    Type: Grant
    Filed: June 22, 2018
    Date of Patent: October 11, 2022
    Assignee: SPLUNK INC.
    Inventors: Sudhakar Muddu, Christos Tryfonas, Yijiang Li
  • Patent number: 11470110
    Abstract: A method by one or more electronic devices for identifying and classifying community attacks. The method includes determining, for each of a plurality of enterprise networks, one or more incidents occurring in that enterprise network based on analyzing security alerts generated by a web application layer attack detector used to protect a web application hosted in that enterprise network, where each incident represents a group of security alerts that have been determined as being associated with the same security event, grouping incidents occurring across the plurality of enterprise networks into groups of incidents, where incidents that are determined as having similar features are grouped into the same group of incidents, and classifying each of one or more of the groups of incidents as being an industry-based attack or a spray-and-pray attack based on industry classifications of incidents within that group of incidents.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: October 11, 2022
    Assignee: Imperva, Inc.
    Inventors: Shiri Margel, Amit Leibovitz
  • Patent number: 11470029
    Abstract: Machine learning based methods for the analysis and reporting of suspicious email are disclosed. In one aspect, there is a method that includes displaying a user-selectable icon to report a suspicious electronic message. The method further includes receiving selections of the electronic message and the user-selectable icon. The method further includes quarantining the electronic message in response to the selections. The method further includes electronically communicating the electronic message to a processor for performing threat analysis in response to the selections. The method further includes receiving a response message in response to the performed threat analysis, the response message indicating a threat status of the electronic message.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: October 11, 2022
    Assignee: Edgewave, Inc.
    Inventors: Louis Ryan, Robert Crowe, Steven Christopher Kelley, John Randall, Gang Ding
  • Patent number: 11468185
    Abstract: Aspects of the disclosure relate to dynamically controlling access to linked content in electronic communications. A computing platform may receive, from a user computing device, a request for a uniform resource locator associated with an email message and may evaluate the request using one or more isolation criteria. Based on evaluating the request, the computing platform may identify that the request meets at least one isolation condition associated with the one or more isolation criteria. In response to identifying that the request meets the at least one isolation condition associated with the one or more isolation criteria, the computing platform may initiate a browser mirroring session with the user computing device to provide the user computing device with limited access to a resource corresponding to the uniform resource locator associated with the email message.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: October 11, 2022
    Assignee: Proofpoint, Inc.
    Inventors: Conor Brian Hayes, Michael Edward Jones, Alina V. Khayms, Kenny Lee, David Jonathan Melnick, Adrian Knox Roston
  • Patent number: 11470099
    Abstract: A cyber security protection system includes a plurality of threat information updating devices; and a proactive suspicious domain alert system, which includes: a domain information monitoring device, arranged to operably inspect domain ages of suspect domains; a domain information storage device; and a security threat analysis device, arranged to operably communicate data with the plurality of threat information updating devices through a network. Before the domain age of a suspect domain reaches a first threshold value, if the plurality of threat information updating devices discovers that a member device within a plurality of client network systems is trying to access the suspect domain, the security threat analysis device adds the suspect domain into an alert list to render the plurality of threat information updating devices to block member devices within the plurality of client network systems from accessing the suspect domain.
    Type: Grant
    Filed: October 1, 2021
    Date of Patent: October 11, 2022
    Assignee: CYCRAFT SINGAPORE PTE. LTD.
    Inventors: Ming-Chang Chiu, Hui-Ching Huang, Pei Kan Tsung, Ming Wei Wu
  • Patent number: 11461374
    Abstract: A computing device including a memory and a processor is provided. The memory stores processor executable instructions for an entity engine. The processor is coupled to the memory. The processor executes the entity engine to cause the computing device to model entities, which hold or classify data. The processor executes the entity engine to cause the computing device to store in the memory a list identifying each of the entities and the entities themselves in correspondence with the list. The processor executes the entity engine to cause the computing device to provide, in response to a selection input from an external system, access to the entities based on the list. The access includes providing the list to the external system, receiving the selection input identifying a first entity of the entities, and exporting the first entity from the memory to the external system.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: October 4, 2022
    Assignee: UIPATH, INC.
    Inventors: Ankit Saraf, Mircea Grigore, Palak Kadakia
  • Patent number: 11461751
    Abstract: A first set of records and a second set of records different from the first set of records are obtained. A score indicating confidence that the first set of records and the second set of records correspond to a same individual is computed. As a result of the score reaching a value relative to a threshold, a device of an individual associated with the second set of records is caused to prompt the individual to confirm control of a first asset identified by first data within the first set of records. A message to a destination associated with the first asset is provided. As a result of a response to the message indicating that the individual is the same individual, an association between the second set of records and the first asset is stored and the device is caused to display details about the first and second sets of records.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: October 4, 2022
    Assignee: Klarna Bank AB
    Inventors: Kristoffer Cassel, Nils Emil Larsson, Hans Erik Hjelm, Karl Otto Henrik Björk
  • Patent number: 11461479
    Abstract: A computing device that includes at least one processor core for executing a first computer program, the computing device being designed to access a memory device, in particular in order to load the first computer program. The computing device is designed to transmit a first control command, which characterizes the first computer program and/or a memory area of the memory device associated with the first computer program, to at least one cryptography module. The cryptography module is designed in particular to check the computer program, or the memory area of the memory device associated with the first computer program, characterized by the first control command, and the computing device is designed to execute the first computer program.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: October 4, 2022
    Assignee: Robert Bosch GmbH
    Inventors: Juergen Schramm, Alexander Meurer, Ramona Jung, Christoph Lenz, Andreas Weber, Florian Ziegler, Frederic Stumpf, Ilias Sagar
  • Patent number: 11463254
    Abstract: In representative embodiments, systems and methods to calculate the likelihood that presented cryptographic key material is untrustworthy are disclosed. A predictive model based on a debasing condition and a dataset is created by evaluating the dataset relative to the debasing condition. For example, if certificate revocation is selected as the debasing condition, the dataset is analyzed to produce a predictive model that determines the likelihood that a presented certificate is untrustworthy based on similarity to already revoked certificates. The predictive model can include a supervised learning model like a logistic regression model or a deep neural network model. The system can be used in conjunction with existing security infrastructures or can be used as a separate infrastructure. Based on the likelihood score calculated by the model, a relying system can reject the cryptographic key material, accept the cryptographic key material or take other further action.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: October 4, 2022
    Assignee: Venafi, Inc.
    Inventors: Matthew Woods, Remo Ronca
  • Patent number: 11463440
    Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a network interface; and a security agent including instructions encoded within the memory to instruct the processor to: identify an unknown software object; query, via the network interface, a global reputation store for a global reputation for the unknown software object; receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation; compute a local reputation for the unknown software object; and share the local reputation for the unknown software object with the global security cache.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: October 4, 2022
    Assignee: McAfee, LLC
    Inventors: Oliver G. Devane, Federico Barbieri
  • Patent number: 11461483
    Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: October 4, 2022
    Assignee: Intel Corporation
    Inventors: Salessawi Ferede Yitbarek, Lawrence A. Booth, Jr., Brent D. Thomas, Reshma Lal, Pradeep M. Pappachan, Akshay Kadam
  • Patent number: 11457030
    Abstract: A cyber threat defense system can autonomously gather research data about external hosts visited by a network entity and present that information in a format integrated with a threat-tracking graphical user interface. A collation module can collect input data from the network entity. A cyber threat module can identify a cyber threat from the input data. A host module can determine at least one host metric for an external host in the input data based on the identified cyber threat. A researcher module can collect host research data describing the external host. A scoring module can analyze the host research data using the at least one host metric. The scoring module can generate an automatic threat score describing a threat level presented by the external host. A user interface module can present a threat-tracking graphical user interface displaying the automatic threat score.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: September 27, 2022
    Assignee: Darktrace Holdings Limited
    Inventors: Dickon Humphrey, David Palmer
  • Patent number: 11455991
    Abstract: A device may receive a command associated with identifying a merchant for a virtual card swap procedure wherein the virtual card swap procedure is to replace a credit card of a user with a virtual card corresponding to the credit card. The device may identify the merchant for the virtual card swap procedure based on the command. The device may obtain the virtual card for the user. The device may determine a virtual card swap procedure template for the merchant. The device may perform the virtual card swap procedure based on the virtual card swap procedure template.
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: September 27, 2022
    Assignee: Capital One Services, LLC
    Inventors: Adam Vukich, Abdelkadar M'Hamed Benkreira, Vu Nguyen, Joshua Edwards, Jonatan Yucra Rodriguez, David Gabriele
  • Patent number: 11455532
    Abstract: The utility usage of a particular individual occupying a residence may give insight into the individual's current cognitive health and/or to enable provision of various services within the facility for the individual, particularly when monitoring patterns in utility usage over time. To enable accurate and non-invasive utility monitoring, a single-point utility sensor may be secured relative to a utility supply line, and generated signals may be utilized to monitor utility usage and to distinguish between utility fixtures. A centralized computing entity may identify frequency characteristics within the generated data, and may automatically generate one or more machine-learning algorithms to distinguish between utility usage events, without requiring substantial user input.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: September 27, 2022
    Assignee: Optum Services (Ireland) Limited
    Inventors: Damian Kelly, Ronan McCormack, Peter Ross