Abstract: Techniques for providing flow meta data exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow meta data exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.

Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those event with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.

Abstract: Implementations include receiving an AAG that at least partially defines a digital twin of an enterprise network and includes rule nodes each representing an attack tactic that can be used to move along a path, determining security controls each mitigating at least one rule node, executing an iteration of a simulation of a sub-set of security controls in the enterprise network, the iteration including: for each security control in the set of security controls, determining, an influence score that represents a change in a security risk from implementing the security control and a rule distribution, defining the sub-set of security controls based on the first influence scores, and reducing the AAG based on the sub-set of security controls to provide a residual AAG, determining a decrease in a graph risk value and the first AAG, and selectively implementing the sub-set of security controls in the enterprise network.

Abstract: Some embodiments of the invention provide a forwarding element that has a data-plane circuit (data plane) that can be configured to implement a DDoS (distributed denial of service) attack detector. The data plane has several stages of configurable data processing circuits, which are typically configured to process data tuples associated with data messages received by the forwarding element in order to forward the data messages within a network. In some embodiments, the configurable data processing circuits of the data plane can also be configured to implement a DDoS attack detector (DDoS detector) in the data plane. In some embodiments, the forwarding element has a control-plane circuit (control plane) that configures the configurable data processing circuits of the data plane, while in other embodiments, a remote controller configures these data processing circuits.

Abstract: A method for assessing a regular expression for vulnerability to ReDoS attacks includes receiving a regular expression for evaluating a string defined by ordered set of characters from an alphanumeric input device, and evaluating the regular expression for determining if a parsing operation of the string according to the regular expression results in a disproportionate resource consumption. The evaluation determines if the resource consumption constitutes a Regular expression Denial of Service (ReDoS) attack by providing a vulnerability indication of a single valid attack string, rather than attempting to find all possible attack strings. The valid attack string is defined by an input string for which evaluation based on the regular expression would result in disproportionate resource consumption.

Abstract: Systems and methods for fraud management are provided. A fraud management system can include a data gatherer operable with a plurality of agent computers for collecting agent activity data from the plurality of agent computers. System can include a fraud rules database containing fraud rules and a fraud management computing system. The fraud management computing system can be in communication with the data gatherer and the fraud rules database. The fraud management computing system can also include, processors and memory devices. The memory devices store instructions that when executed by the processors cause the processors to perform operations. The operations include obtaining the agent activity data using the data gatherer pursuant to collection rules, comparing the agent activity data to the fraud rules, determining whether agent fraud event(s) have occurred based on the comparison and providing fraud alert data based upon the agent fraud event(s).

Abstract: Dynamically generating monitoring tools for software applications, including: inspecting, using static code analysis, a non-executable representation of the application to identify one or more points in an application for monitoring; and for each of the one or more points in the application: generating a monitoring program; and inserting, into an executable representation of the application, the monitoring program at a location in the executable representation of the application that corresponds to the identified point in the application.

Abstract: Presented herein are system and methods for detecting anomalies in microservices. A server may receive a first plurality of metrics from a microservice of a plurality of microservices. Each of the microservices may provide a respective function for an application independently from other microservices. The server may apply the first plurality of metrics to an ensemble of anomaly detection models to generate classifications. Each of the classifications may indicate the first plurality of metrics as one of anomalous or normal from a respective model of the ensemble. The ensemble may be trained using a second plurality of metrics from the microservice. The server may identify a majority of the plurality of classifications as indicating the first plurality of metrics as anomalous. The server may determine that at least one of the first plurality of metrics satisfies a threshold. The server may generate an alert to indicate an anomaly event.

Abstract: A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.

Abstract: Malware signature generation through combination rule mining is disclosed. A set of properties associated, collectively, with a plurality of data samples is received. A first data sample has a first set of properties and a second data sample has a second set of properties. A combination signature comprising at least a first property included in the first set of properties and a second property included in the second set of properties is generated.

Abstract: A method for performing biometric authentication is disclosed. In one example, the method includes obtaining first and second biometric templates and comparing them to determine if they match. The method also includes determining if a biometric certification token is valid. A computing device or other device may communicate with a verification system to determine the validity of the biometric certification token.

Abstract: A snooping invalidation module is implemented at the network interface for a given core, or processing element, of a multicore or manycore device, e.g., NoC device, to discard packets with invalid header flits (e.g., duplicate packets) from being injected into the device, e.g., by a malicious hardware trojan implemented in the network interface. In some embodiments, a data-snooping detection circuit is implemented to detect a source of an on-going attack.

Abstract: A surveillance system connectable to a network, comprising a communication module and a management module; said system being configured to, during an initialization phase: a. intercept a first message being sent to a first device; b. intercept a second message said second message being a response from the first device to the first message; c. calculate a time interval between the interception of the first message and the second message; d. repeat the steps a. to c. to determine further time intervals; e. determine a distribution of said time intervals; f. store the distribution and during a surveillance phase, intercept a third message said message being sent to the first device; intercept a fourth message said fourth message being a response to the third message; calculate a new time interval between the interception of the third and fourth messages; and verify that the new time interval is within the distribution.

Abstract: Techniques for performing operation-based event suppression are described. In an example, a determination may be performed as to whether an event is to be suppressed if the event is received in response to performance of an operation. The determination may be performed based on at least one of number of actions triggered by the event, frequency of occurrence of the event in an event stream in response to performance of the operation, and frequency of occurrence of the event in the event stream without performance of the first operation.

Abstract: An anomaly detection system that includes a database and a server. The server is connected to the database. The server is configured to identify anomalous web traffic for a certain time period based on one or more client keys from the certain time period. The client key(s) includes at least two characteristics related to web traffic data. The server includes a processing unit and a memory. The server is configured to receive the web traffic data from the database, calculate a z-score metric for the client key, calculate a change rate metric for the client key, calculate a failure metric for the client key, determine an anomaly score based on the z-score metric, the change rate metric, and the failure metric, and determine that the certain time period is an anomalous time period based on the anomaly score.

Abstract: In an embodiment, a process for automatic model monitoring for data streams includes receiving an input dataset, using a machine learning model to determine a model score for each data record of at least a portion of the input dataset, and determining monitoring values. Each monitoring value is associated with a measure of similarity between model scores for those data records of the input dataset within a corresponding moving reference window and model scores for those data records of the input dataset within a corresponding moving target window. The process includes outputting the determined monitoring values.

Abstract: Methods, systems, and computer-readable media for efficiently detecting threat incidents for cyber threat analysis are described herein. In various embodiments, a computing device, which may be located at a boundary between a protected network associated with the enterprise and an unprotected network, may combine one or more threat indicators received from one or more threat intelligence providers; may generate one or more packet capture and packet filtering rules based on the combined threat indicators; and, may capture or filter, on a packet-by-packet basis, at least one packet based on the generated rules. In other embodiments, a computing device may generate a packet capture file comprising raw packet content and corresponding threat context information, wherein the threat context information may comprise a filtering rule and an associated threat indicator that caused the packet to be captured.

Abstract: Systems are provided for managing access to a log of dataset that is generated when the dataset is accessed. A system stores, with respect to each of a log producer and a log accessor, an encrypted symmetric key for dataset that is encrypted using a corresponding public key. The system returns the encrypted symmetric key for the log producer, such that the log producer can decrypt the dataset that is encrypted using the symmetric key. A log of the dataset is generated when the log producer accesses the dataset.

Abstract: An information processing apparatus includes a processor configured to detect unauthorized access from a subject terminal to a subject host as a result of inputting subject input data into an autoencoder, an Internet protocol address of the subject terminal and an Internet protocol address of the subject host being used as at least part of the subject input data, the autoencoder having performed learning by using learning data, an Internet protocol address of a terminal and an Internet protocol address of a host to which the terminal has connected being used as at least part of the learning data.

Abstract: Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.

Abstract: A method is disclosed. The method includes providing, by an SDK and a first application in a mobile device, first and second security values to a security value verification module in the mobile device. If the mobile device confirms that the first and second security values match, then a second application can proceed with interaction processing.

Abstract: The present invention relates to a method and an apparatus for detecting anomalies of a DNS traffic in a network comprising analysing, through a network analyser connected to said network, each data packets exchanged in the network, isolating, through the network analyser, from each of the analysed data packets the related DNS packet, evaluating, through a computerized data processing unit, each of the DNS packets generating a DNS packet status, signaling, through the computerized data processing unit, an anomaly of the DNS traffic when the DNS packet status defines a critical state, wherein the evaluating further comprises assessing, through the computerized data processing unit, each of the DNS packet by a plurality of evaluating algorithms generating a DNS packet classification for each of the evaluating algorithms, aggregating, through the computerized data processing unit, the DNS packet classifications generating the DNS packet status, and wherein the critical state is identified when the DNS packet sta

Abstract: A method of monitoring execution of computer instructions includes receiving data items representing real-time measurements of side-channel information emanating from execution of computer instructions, each data item forming a value of a corresponding dimension of a side-channel information vector, receiving, for two or more of the dimensions of the side-channel vector, classifiers that assign the corresponding values of a side-channel vector to classes, and classifying the data items in accordance with the received classifiers, wherein an orthogonal distance of the data item from the classifier indicates a confidence value of the classification, generating a combined a confidence value for the side-channel information vector a, and outputting a signal if a confidence value indicates affiliation to a selected one of the two classes with a predetermined probability. The method conducts a self-test by generating a combined confidence value based to ensure correct outputting of the confidence value.

Abstract: Systems and methods are provided for protecting a plurality of electronic devices via a control server. The control server, for example, can receive one or more indications that a first electronic device is considered malicious and add it to a security threat list. Then the control server can communicate the security threat list to others of the electronic devices, networked for communication with each other, such that the other electronic devices reject all communication from any device listed on the security threat list. Next, upon receiving indication from an approved security patch-providing source that a security patch has been applied to the first electronic device, the control server can remove the first electronic device from the security threat list and communicate the updated security threat list to the other electronic devices indicating that it is safe for these electronic devices to again receive communication from the first electronic device.

Abstract: Solution management systems and methods are presently disclosed that enable receiving, compiling, and analyzing vendor solutions, determining the vendor solutions that address a target vulnerability of a client network and/or client devices, determining additional vulnerabilities of the client network and/or client devices that the vendor solutions address, and selecting a vendor solution to remediate the target vulnerability. The presently disclosed systems and methods also enable scoring, risk evaluation, and additional metrics to facilitate determining the vendor solution(s) that have the largest impact and/or benefit to the various vulnerabilities of the client network and/or client devices.

Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for applications that detect indicators of data exfiltration through applications such as browser-based interfaces. The disclosed system monitors file system element events related to one or more target applications (such as browsers) through operating system interfaces. Once an event of interest is detected, the system interfaces with the browser to determine a context for the event of interest that may include a URL of a website that the user was visiting corresponding to the file system element event. If the URL is directed towards a prohibited site, a notification may be generated that may be used as a signal to alert an administrator. As used herein, a file system element may include a file, directory, folder, archive, blob, raw storage, metadata, or the like File system element events may include copying, deleting, modifying, or moving a file system element.

Abstract: A method, system, and computer program product for performing microservice-aware reference policy checking that accept stateful security policies. The method may include receiving a security policy for a container that is part of a microservice architecture. The method may also include obtaining a first effect graph of the security policy, resulting in a security model for the container. The method may also include identifying execution behavior of the container. The method may also include generating a second effect graph of the execution behavior of the container, where the generating includes summarizing operations and interactions between entities in the execution behavior and results in a behavioral model. The method may also include comparing the behavioral model to the security model. The method may also include determining whether the container has deviated from the security policy based on the comparing. The method may also include enforcing the security policy against the container.

Abstract: A method of automating emulations is provided. The method comprising collecting publicly available network data over a predefined time interval, wherein the collected network data might comprise structured and unstructured data. Any unstructured data is converted into structured data. The original and converted structured data is stored in a database and compared to known network vulnerabilities. An emulated network is created according to the collected network data and the comparison of the structured data with known vulnerabilities. Virtual machines are created to run on the emulated network. Director programs and guest actor programs are run on the virtual machines, wherein the actor programs imitate real user behavior on the emulated network. The director programs deliver task commands to the guest actor programs to imitate real user behavior. The imitated behavior is presented to a user via an interface.

Abstract: This specification generally relates to methods and systems for applying network policies to devices based on their current access network. One example method includes identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device; determining an identity of the client device based on the proxy connection request; identifying a domain name system (DNS) response to a DNS request including the hostname from the proxy connection request; and updating DNS usage information for the particular client based on the identified DNS response including the hostname from the proxy connection request.

Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have change and a count of native files that have changed is made. If the count of watch and native files that have changed indicate that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the program is resumed.

Abstract: A base station determines a window of time for arrival of uplink signals, wherein the window of time includes a start based on a first expected time of arrival for a first uplink signal from a first UE and an end based on a second expected time of arrival for a second uplink signal from a second UE. The base station detection detects a false base station, such as a L1 man-in-the-middle false base station, based on an uplink signal being received outside of the determined window of time for the arrival of uplink signals.

Abstract: A script analysis platform may obtain a script associated with content wherein the script includes one or more functions that include one or more expressions. The script analysis platform may parse the script to generate a data structure and may traverse the data structure to determine the one or more functions and to determine properties of the one or more expressions, wherein traversing the data structure includes evaluating one or more constant sub-expressions of the one or more expressions. The script analysis platform may analyze the properties of the one or more expressions to determine whether the script exhibits malicious behavior. The script analysis platform may cause an action to be performed concerning the script or the content based on determining whether the script exhibits malicious behavior.

Abstract: A method and system for detecting illegitimate messages injected into legitimate messages of a bus, such as a Controller Area Network (CAN) bus, are provided. Legitimate messages are broadcasted over the bus with a period whereby the legitimate messages are periodic legitimate messages. A controller connected to the bus receives at a first time instant a first message from the bus and receives at a second time instant a second message from the bus. The controller compares a first difference in time between the second time instant and the first time instant with a limit. The limit is two-thirds of the period. An anomaly is detected when the first difference in time is less than the limit.

Abstract: Described are a system, method, and computer program product for user network activity anomaly detection. The method includes receiving network resource data associated with network resource activity of a plurality of users and generating a plurality of layers of a multilayer graph from the network resource data. Each layer of the plurality of layers may include a plurality of nodes, which are associated with users, connected by a plurality of edges, which are representative of node interdependency. The method also includes generating a plurality of adjacency matrices from the plurality of layers and generating a merged single layer graph based on a weighted sum of the plurality of adjacency matrices. The method further includes generating anomaly scores for each node in the merged single layer graph and determining a set of anomalous users based on the anomaly scores.

Abstract: Briefly, systems and methods for managing Internet of Things (IoT) devices provide platforms featuring an architecture for user and device authentication as well as IoT system self-healing.

Abstract: An electronic device is disclosed, which is connectable with a CAN bus or other broadcast network. The electronic device programmed to compute expected periods and period variability metrics for historical accumulations of messages for different message headers and to identify periodic message headers based on the period variability metrics, and is further programmed to detect a temporal anomaly as a deviation of a period of a most recent set of two or more messages with a periodic message header from the expected period for the periodic message header, and to generate an alert indicating the detected temporal anomaly. The electronic device may be further programmed to maintain a state machine for a vehicle (or other platform) including the CAN bus and perform state-aware anomaly detection.

Abstract: Techniques for threat scanning transplanted containers are described. A method of threat scanning transplanted containers may include generating a container map of running containers on a block storage volume mounted to a scanning instance of a threat scanning service, scanning the block storage volume by a scanning engine of the scanning instance, identifying at least one threat on the block storage volume, and identifying at least one container associated with the at least one threat using the container map.

Abstract: Cybersecurity and data categorization efficiency are enhanced by providing reliable statistics about the number and location of sensitive data of different categories in a specified environment. These data sensitivity statistics are computed while iteratively sampling a collection of blobs, files, or other stored items that hold data. The items may be divided into groups, e.g., containers or directories. Efficient sampling algorithms are described. Data sensitivity statistic gathering or updating based on the sampling activity ends when a specified threshold has been reached, e.g., a certain number of items have been sampled, a certain amount of data has been sampled, sampling has used a certain amount of computational resources, or the sensitivity statistics have stabilized to a certain extent.

Abstract: A system and computer-implemented method to monitor network traffic for a protected network using a block of IP addresses including an IP address for a server. The method includes selecting one or more green addresses, each being a different IP address from the block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet of the internet traffic from a client directed to an IP address of the block of IP addresses prior to any performance of DPI on the packet. It is determined whether the destination address matches the one or more green addresses or is a yellow address (which belongs to the block of IP addresses, but is not a green address). When determined that the destination address matches the one or more green addresses, the method the packet is sent to the IP address associated with the matching green address, bypassing any DPI.

Abstract: A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination.

Abstract: A system for detecting malware includes a processor to collect processor trace information corresponding to an application being executed by the processor (202). The processor can also detect an invalid indirect branch instruction from the processor trace information (204) and detect at least one malware instruction being executed by the application in response to analyzing modified memory values corresponding to the invalid indirect branch (206). Additionally, the processor can block the application from accessing or modifying memory (208).

Abstract: Disclosed is a device for configuring and implementing network security for a connected network node, and for shifting the network security closer to the attack point of origin. In particular, the device may activate attack protections on different Multi-Access Edge Computing (“MEC”) devices that are physically located near or at the attack point of origin. The device may detect an attack signature based on one or more received data packets, and may provide a response with an extended header field, the attack signature, and/or other attack protection instructions. The responses may be passed to an address of a suspected attacker. MEC devices along the network path may detect and receive the responses, and implement attack protections in response. The responses may also be passed to a multicast or broadcast address that the MEC device may use to receive responses.

Abstract: A method, performed by one or more processors, including receiving a plurality of system event records; processing the plurality of system event records using a set of event detectors to determine that a suspicious system event has occurred; sending, to a client device, a plurality of properties associated with the suspicious system event; receiving, from the client device, a selection indicator indicating a selected one or more properties of the plurality of properties; generating one or more new event detectors based on the selected one or more properties; and adding the one or more new event detectors to the set of event detectors.

Abstract: Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.

Abstract: A system and method for generating event-specific handling instructions for accelerating a threat mitigation of a cybersecurity event includes identifying a cybersecurity event; generating a cybersecurity event digest based on the cybersecurity event, computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest; searching, based on the distinct cybersecurity hashing-based signature of the cybersecurity event, an n-dimensional space comprising a plurality of historical cybersecurity event hashing-based signatures; returning one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event based on the search; deriving one or more cybersecurity event-specific handling actions for the cybersecurity event based on identifying a threat handling action corresponding to each of the one or more historical cybersecurity events or historical cybersecurity alerts homogeneous to the cybersecurity event; and executi

Abstract: A technique for anomaly detection is disclosed. Event data is converted into a normalized common information model. The resulting data may be stored in an event data store database. Additionally, the resulting data may be stored in a knowledge graph representation in a knowledge graph database. The knowledge graph database efficiently stores event data to generate histograms on demand for common anomaly queries.

Abstract: Techniques for detection of algorithmically generated domains based on a dictionary are disclosed. In some embodiments, a system, process, and/or computer program product for detection of algorithmically generated domains based on a dictionary includes receiving a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; generating a graph based on the DNS data stream; and identifying a malicious dictionary based on the graph.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to analyze network traffic for malicious activity. An example apparatus includes a graph generator to, in response to obtaining one or more internet protocol addresses included within input data, generate a graph data structure based on one or more features of the one or more internet protocol addresses in the input data, a file generator to generate a first matrix using the graph data structure, the first matrix to represent nodes in the graph data structure and generate a second matrix using the graph data structure, the second matrix to represent edges in the graph data structure, and a classifier to, using the first matrix and the second matrix, classify at least one of the one or more internet protocol addresses to identify a reputation of the at least one of the one or more internet protocol addresses.

Abstract: A method and system for a deployment of deceptive decoy elements in a computerized environment to identify data leakage processes invoked by suspicious entities are presented. The method includes generating at least one deceptive decoy element; and deploying the generated at least one deceptive decoy element in a folder in a file system of the computerized environment, wherein the deployment is based on a sensitivity level of the folder, wherein the at least one deceptive decoy element is configured to provide an indication of unauthorized access upon an attempt by an unauthorized entity to access the folder.

Abstract: An attack path detection method, attack path detection system and non-transitory computer-readable medium are provided in this disclosure. The attack path detection method includes the following operations: establishing a connecting relationship among a plurality of hosts according to a host log set to generate a host association graph; labeling at least one host with an abnormal condition on the host association graph; calculating a risk value corresponding to each of the plurality of hosts; in a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host; and searching at least one host attach path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph.