Intrusion Detection Patents (Class 726/23)
  • Patent number: 11153338
    Abstract: Embodiments are disclosed for preventing network attacks. The techniques include generating a usage profile for a computing device that accesses a network. The techniques also include determining a plurality of actual use real-time indicators for a network connection on the network. The techniques further include determining a plurality of expected use real-time indicators for the network connection. Additionally, the techniques include calculating a risk assessment value for the network connection based on the actual use real-time indicators and the expected use real-time indicators. Further, the techniques include performing a security action for the network connection based on the calculated risk assessment value.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: October 19, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John Richard Feezell, Cesar Augusto Rodriguez Bravo, Wayne Francis Tackabury, Edgar Adolfo Zamora Duran
  • Patent number: 11151250
    Abstract: A global locality sensitive hash (LSH) database stores global locality sensitive hashes of files of different private computer networks. Each of the private computer networks has a corresponding local LSH database that stores local locality sensitive hashes of files of the private computer network. A target locality sensitive hash is generated for a target file of a private computer network. The global and local LSH databases are searched for a locality sensitive hash that is similar to the target locality sensitive hash. The target file is marked for further evaluation for malware or other cybersecurity threats when the target locality sensitive hash is not similar to any of the global and local locality sensitive hashes.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: October 19, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Chia-Yen Chang, Wen-Kwang Tsao
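The triage flow in the abstract above (sketch the target file, search a global and a local LSH store, escalate only when neither holds a similar sketch), as an added example that is not the patent's own code. SimHash over byte 4-grams stands in for the unnamed locality-sensitive hash, and the two databases, the file contents and the 16-bit Hamming threshold are constructed for the demo.

```python
"""Added example: LSH triage over a global and a local hash database (not the patent's code).

SimHash over byte 4-grams is the assumed LSH; databases, files and the
Hamming-distance threshold are constructed for this demo.
"""
import hashlib
import random
from dataclasses import dataclass, field

NGRAM = 4    # byte n-gram width feeding the sketch (assumption)
BITS = 64    # SimHash width in bits (assumption)


def simhash(data: bytes, ngram: int = NGRAM, bits: int = BITS) -> int:
    """SimHash: near-identical inputs map to sketches with a small Hamming distance."""
    if len(data) < ngram:
        data = data.ljust(ngram, b"\0")
    acc = [0] * bits
    for i in range(len(data) - ngram + 1):
        h = int.from_bytes(hashlib.blake2b(data[i:i + ngram], digest_size=8).digest(), "big")
        for b in range(bits):
            acc[b] += 1 if (h >> b) & 1 else -1
    return sum(1 << b for b in range(bits) if acc[b] > 0)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


@dataclass
class LSHDatabase:
    """One hash store: 'global' (sketches from every private network) or 'local' (one network)."""
    name: str
    entries: dict = field(default_factory=dict)  # label -> sketch; no file content is retained

    def add(self, label: str, data: bytes) -> None:
        self.entries[label] = simhash(data)

    def nearest(self, sketch: int):
        """Return (label, distance) of the closest stored sketch, or None if the store is empty."""
        best = None
        for label, h in self.entries.items():
            d = hamming(h, sketch)
            if best is None or d < best[1]:
                best = (label, d)
        return best


def triage(target: bytes, global_db: LSHDatabase, local_db: LSHDatabase, threshold: int = 16):
    """Mark a file for further evaluation only if nothing similar exists in either database.

    Returns (needs_evaluation, match); match is (db name, label, distance) or None.
    """
    sketch = simhash(target)
    for db in (global_db, local_db):
        hit = db.nearest(sketch)
        if hit is not None and hit[1] <= threshold:
            return False, (db.name, hit[0], hit[1])
    return True, None


def _blob(seed: int, n: int = 2048) -> bytes:
    return bytes(random.Random(seed).getrandbits(8) for _ in range(n))


def build_example():
    """Constructed corpus: a widely shared library, a tenant-internal tool, and one unknown."""
    shared_lib = _blob(1)
    internal_tool = _blob(2)
    # Patched build of the internal tool: three bytes differ, so the sketch barely moves.
    patched_tool = bytearray(internal_tool)
    for i in (500, 501, 502):
        patched_tool[i] ^= 0xFF
    never_seen = _blob(3)

    global_db = LSHDatabase("global")
    global_db.add("libexample.so", shared_lib)
    local_db = LSHDatabase("local")
    local_db.add("inventory-agent.exe", internal_tool)
    samples = {"shared_lib": shared_lib, "patched_tool": bytes(patched_tool), "never_seen": never_seen}
    return global_db, local_db, samples


if __name__ == "__main__":
    g, l, samples = build_example()
    for name, data in samples.items():
        print(name, triage(data, g, l))
```

The local store is what keeps an internal build from being escalated every time it is recompiled, while the global store covers software common to every tenant; the threshold is the knob that trades missed variants against analyst load and would be tuned per deployment.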
  • Patent number: 11151471
    Abstract: An approach is provided for providing predictive classification of actionable network alerts. The approach includes receiving the plurality of alerts. Each alert of the plurality of alerts indicates an alarm condition occurring at a monitored network system, and is a data record comprising one or more data fields describing the alarm condition. The approach also includes classifying said each alert using a predictive machine learning model. The predictive machine learning model is trained to classify said each alert as actionable or non-actionable using the one or more data fields of said each alert as one or more respective classification features, and to calculate a respective probability that said each alert is actionable or non-actionable. The approach further includes presenting the plurality of alerts in a network monitoring user interface based on the respective probability of said each alert.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: October 19, 2021
    Assignee: HERE Global B.V.
    Inventors: Mauri Niininen, David Abrahams, James Thoennes, Anandbabu Chakrapani
  • Patent number: 11146581
    Abstract: A method and system for protecting a cloud computing platform against cyber-attacks are provided. The method includes gathering cloud logs from a cloud computing platform; analyzing, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator; sequencing suspect indicators into attack sequences; scoring each of the attack sequences with an attack score, wherein each attack is scored using a scoring model; and alerting on each attack sequence having a score higher than a predefined threshold.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: October 12, 2021
    Assignee: Radware Ltd.
    Inventors: Amnon Lotem, Nissim Pariente
  • Patent number: 11146573
    Abstract: Techniques for detecting suspicious data object access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to resource groups, a set of the resource groups accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of resource group access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a data object of a resource group that is not within the set of accessed resource groups of the issuing user's user group, and because the resource group is not within the sets of accessed resource groups of any nearby user groups.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: October 12, 2021
    Assignee: Imperva, Inc.
    Inventors: Guy Shtar, Shiri Margel
  • Patent number: 11146945
    Abstract: Network devices may receive a Transport Control Protocol (TCP) segment from a user device. The TCP segment includes a TCP header and a payload, and the payload includes either a Hypertext Transfer Protocol (HTTP) plaintext message or a Secure HTTP (HTTPS) encrypted message. The network devices may extract a TCP Synchronization (SYN) signature from the TCP header and determine whether the payload of the TCP segment includes a HTTP plaintext message or a HTTPS encrypted message. When the payload includes a HTTP plaintext message, the network devices may extract contents of a HTTP User-Agent field from the HTTP plaintext message, determine a device type identifier (ID) and a category ID based on the extracted contents, and update a plurality of device signatures based on the TCP signature, the device type ID, and the category ID.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: October 12, 2021
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Feng Li, Haim S. Ner, Parry Cornell Booker, John P. Demko
  • Patent number: 11144656
    Abstract: The disclosed computer-implemented method for protection of storage systems using decoy data may include identifying an original file comprising sensitive content to be protected against malicious access and protecting the sensitive content. Protecting the sensitive content may include (i) processing the original file to identify a structure of the original file and the sensitive content of the original file, (ii) generating a decoy file using the structure of the original file and using substitute content in a location corresponding to the sensitive content of the original file, and (iii) storing the decoy file with the original file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: October 12, 2021
    Assignee: CA, INC.
    Inventors: Ashok Banerjee, William Porr, Sahil Hasan
  • Patent number: 11140129
    Abstract: A method and system comprising a network gateway for monitoring a network traffic between a network client and the network gateway, and at least one network client connected to said network gateway and comprising means for applying host-based protection measures are provided, wherein the network gateway evaluates the monitored traffic for indications of undesired behaviour and has control of the means for applying host-based protection measures of the at least one network client. Optionally network-based protection measures activated at the network gateway may be combined with the host-based protection measures and/or suspicious device events observed at the network client may be accounted for when assessing suitable protection measures in addition to the traffic monitored at the network gateway.
    Type: Grant
    Filed: November 3, 2017
    Date of Patent: October 5, 2021
    Assignee: CYAN SECURITY GROUP GMBH
    Inventors: Peter Arnoth, Markus Cserna
  • Patent number: 11140186
    Abstract: Embodiments include methods, network security computer systems, and computer program products for identifying deviant engineering modifications to programmable logic controllers. Aspects include: collecting, by a network traffic collection device of the network security computer, network traffic data from one or more engineering stations, and storing, by a network traffic data storage device, the network traffic data collected. Each of the engineering stations may include one or more programmable logic controllers. The method also may include: comparing, by a network traffic comparison module, the network traffic data collected, detecting, by an abnormality detection module, any deviant engineering modifications to the programmable logic controllers in the engineering stations; and generating, by an alarming and correction module, one or more reports for the deviant engineering modifications to programmable logic controllers.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: October 5, 2021
    Assignee: Siemens Aktiengesellschaft
    Inventors: John W. Crawford, Kaan Bardak, Martin Kunz, Lesley Morgan, Nicholas Nichols
  • Patent number: 11140194
    Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: October 5, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Tal Kandel
  • Patent number: 11138308
    Abstract: A method, system and computer-usable medium for preventing a single point of failure in accessing encrypted data. In certain embodiments passwords of multiple system administrators are encrypted with a master key to generate encrypted master keys respectively associated with each system administrator. In certain embodiments, the passwords of the multiple system administrators are also one-way hashed to generate multiple one-way hashed passwords respectively associated with each system administrator. In certain embodiments, the user identifiers and plain text passwords may be used to decrypt the master key based on the encrypted master keys and one-way hashed passwords.
    Type: Grant
    Filed: September 19, 2018
    Date of Patent: October 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jagadeesh Sreeram, Akhil Sivanantha, Liviu Rodean
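The scheme in the abstract above (the master key wrapped once per administrator under that administrator's password, a separate one-way hash of the password for verification, any surviving administrator able to recover the key), as an added example that is not the patent's code. It uses only the Python standard library; the XOR of the key with a fresh PBKDF2 output is a stand-in for a proper key wrap such as AES-KW or AES-GCM, the iteration count is an assumption, and the administrators, passwords and key are constructed.

```python
"""Added example: a master key recoverable by any one of several administrators
(not the patent's code; stdlib only, XOR-with-KDF-output in place of a real key wrap)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32
ITERATIONS = 100_000   # assumption; tune to the hardware budget


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN)


class MasterKeyEscrow:
    """One record per administrator; the master key itself is never stored."""

    def __init__(self):
        self._records = {}   # user_id -> salts, password verifier, wrapped key, tag

    def enroll(self, user_id: str, password: str, master_key: bytes) -> None:
        if len(master_key) != KEY_LEN:
            raise ValueError("master key must be %d bytes" % KEY_LEN)
        verify_salt, wrap_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        wrap_key = _kdf(password, wrap_salt)
        # "encrypted master key": fresh per-admin salt makes the KDF output single-use
        wrapped = bytes(a ^ b for a, b in zip(master_key, wrap_key))
        self._records[user_id] = {
            "verify_salt": verify_salt,
            "verifier": _kdf(password, verify_salt),   # one-way hashed password
            "wrap_salt": wrap_salt,
            "wrapped": wrapped,
            "tag": hmac.new(wrap_key, wrapped, "sha256").digest(),  # detects a tampered record
        }

    def revoke(self, user_id: str) -> None:
        """Removing one administrator leaves every other record usable."""
        del self._records[user_id]

    def recover(self, user_id: str, password: str) -> bytes:
        rec = self._records.get(user_id)
        if rec is None:
            raise PermissionError("unknown administrator")
        if not hmac.compare_digest(_kdf(password, rec["verify_salt"]), rec["verifier"]):
            raise PermissionError("bad password")
        wrap_key = _kdf(password, rec["wrap_salt"])
        expected_tag = hmac.new(wrap_key, rec["wrapped"], "sha256").digest()
        if not hmac.compare_digest(expected_tag, rec["tag"]):
            raise PermissionError("record integrity check failed")
        return bytes(a ^ b for a, b in zip(rec["wrapped"], wrap_key))


def demo():
    master = bytes(range(KEY_LEN))   # constructed master key
    escrow = MasterKeyEscrow()
    escrow.enroll("alice", "correct horse battery", master)
    escrow.enroll("bob", "tr0ub4dor&3", master)
    escrow.revoke("alice")            # alice leaves; bob alone still recovers the key
    return escrow, master


if __name__ == "__main__":
    escrow, master = demo()
    print(escrow.recover("bob", "tr0ub4dor&3") == master)
```

Two design points worth keeping when this is built for real: the verifier and the wrapping key must come from different salts, otherwise the stored verifier is the wrapping key; and the tag over the wrapped key is what stops an attacker with write access to the record store from swapping in a wrapped key of their own choosing.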
  • Patent number: 11132466
    Abstract: A method for determining a first integrity sum including the following steps: determining a first masked item of data by application of an “exclusive OR” operation between a first item of data and a first data mask; determining a second item of data by application to the first masked item of data of a first cryptographic function, the second item of data being masked by a second data mask; determining a second integrity sum associated with the second item of data by application to the second item of data of a checksum function; and determining the first integrity sum by application of an “exclusive OR” operation between the second integrity sum and a third integrity sum associated with the second data mask. A computer program and an electronic entity are also described.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: September 28, 2021
    Assignee: IDEMIA FRANCE
    Inventors: Luk Bettale, Nicolas Debande, Aurélien Greuet
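The four steps of the abstract above carried through in code, as an added example that is not the patent's implementation: the data is masked, pushed through a cryptographic function whose output carries a second mask, checksummed in masked form, and the checksum of the second mask is XORed off at the end. The cryptographic function is assumed to be a byte-substitution layer (a fixed random permutation stands in for a real S-box), the checksum is an XOR-fold, and the data and masks are constructed.

```python
"""Added example: integrity sum of a cryptographic function's output computed while
every intermediate stays masked (not the patent's code).

A random byte permutation stands in for the 'first cryptographic function';
masks and data are constructed."""
import random
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def integrity_sum(data: bytes) -> int:
    """XOR-fold checksum. It is linear over XOR, sum(a ^ b) == sum(a) ^ sum(b),
    which is the property step 4 relies on."""
    return reduce(lambda acc, byte: acc ^ byte, data, 0)


def _make_sbox() -> bytes:
    box = list(range(256))
    random.Random(0xC0FFEE).shuffle(box)   # fixed permutation, stand-in for a real S-box
    return bytes(box)


SBOX = _make_sbox()


def masked_sbox_layer(masked_in: bytes, m_in: bytes, m_out: bytes) -> bytes:
    """Evaluate SBOX on x = masked_in ^ m_in without ever forming x.

    For byte i a remasked table T'[j] = SBOX[j ^ m_in[i]] ^ m_out[i] is built, so
    T'[x ^ m_in[i]] == SBOX[x] ^ m_out[i]: the result is the 'second item of data',
    masked by the second data mask."""
    out = bytearray()
    for i, mv in enumerate(masked_in):
        table = bytes(SBOX[j ^ m_in[i]] ^ m_out[i] for j in range(256))
        out.append(table[mv])
    return bytes(out)


def masked_integrity_sum(x: bytes, m1: bytes, m2: bytes) -> int:
    first_masked = xor_bytes(x, m1)                        # step 1: x ^ m1
    second = masked_sbox_layer(first_masked, m1, m2)       # step 2: SBOX(x) ^ m2
    second_sum = integrity_sum(second)                     # step 3: checksum of masked output
    third_sum = integrity_sum(m2)                          # checksum of the mask alone (precomputable)
    return second_sum ^ third_sum                          # step 4: equals integrity_sum(SBOX(x))


def reference_integrity_sum(x: bytes) -> int:
    """Unmasked computation, used only to check the masked path."""
    return integrity_sum(bytes(SBOX[b] for b in x))


def demo():
    rng = random.Random(7)
    x = bytes(rng.getrandbits(8) for _ in range(16))    # secret data (constructed)
    m1 = bytes(rng.getrandbits(8) for _ in range(16))   # first data mask
    m2 = bytes(rng.getrandbits(8) for _ in range(16))   # second data mask
    return masked_integrity_sum(x, m1, m2), reference_integrity_sum(x)


if __name__ == "__main__":
    print(demo())
```

The identity in step 4 holds because the checksum is linear over XOR. A CRC with a nonzero initial value or final XOR is affine rather than linear, so the "third integrity sum" for it has to be derived with those constants accounted for; a plain XOR-fold or a CRC with zero init and zero xorout works as written. The per-byte table rebuild costs 256 entries per byte and is the usual price of keeping the unmasked value out of memory.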
  • Patent number: 11134089
    Abstract: A malware analysis device 10 includes: a dynamic analysis unit 11 which performs dynamic analysis of malware; a communication determination unit 12 which determines whether communication by the malware occurs when the dynamic analysis unit 11 performs dynamic analysis; a static analysis requesting unit 13 which suspends communication when the communication determination unit 12 determines that the communication by the malware occurs to present a request to perform static analysis; and a setting changing unit 14 which sets a device as a communication destination of the malware to make a response obtained by the static analysis as being expected by the malware.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: September 28, 2021
    Assignee: NEC CORPORATION
    Inventors: Hisato Onodera, Yoshiya Kizu
  • Patent number: 11132603
    Abstract: Provided is a method for generating a one class model based on a data frequency. The method for generating a one class model based on a data frequency includes: generating, by a machine learning apparatus, a plurality of spatial coordinates by arranging a plurality of learning data in corresponding coordinates in a feature space; classifying, by the machine learning apparatus, the plurality of spatial coordinates into a plurality of internal coordinates PI and a plurality of external coordinates PO based on a frequency of the learning data arranged in the respective spatial coordinates which belong to the plurality of spatial coordinates; and generating, by the machine learning apparatus, a one class model based on the plurality of internal coordinates PI based on mutual spatial distances of the plurality of external coordinates PO and the plurality of internal coordinates PI.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: September 28, 2021
    Assignee: AJOU UNIVERSITY INDUSTRY-ACADEMIC COOPERATION FOUNDATION
    Inventors: Tae Shik Shon, Seok Jun Lee, Seok Cheol Lee, Hyung Uk Yoo
  • Patent number: 11128659
    Abstract: The present application relates to the handling of what are generally referred to as denial of service (DoS) attacks. More specifically, the present application relates to a method and system for protecting one or more on-line Web service application servers from DoS and/or distributed DoS (DDoS) attacks.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: September 21, 2021
    Assignee: Transform SR Brands LLC
    Inventors: Partha Ghosh, Vivek Bawge
  • Patent number: 11128588
    Abstract: A processor acquires feature information of a target email, among email that has already been transmitted from the information processing apparatus, the target email specified by an operation of a user of the information processing apparatus as email to be restricted from viewing-access by a user of a receiving-side apparatus. The processor transmits feature information of the target email to an apparatus that receives information for identifying a removal target for a security measure system. The target email is designated as a removal target by the security measure system for the receiving-side apparatus.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: September 21, 2021
    Assignee: NOMURA RESEARCH INSTITUTE, LTD.
    Inventors: Masahiro Ueno, Tianfeng Ma, Atsushi Ito, Sumio Midorikawa
  • Patent number: 11128655
    Abstract: This disclosure relates to a method and system for managing security vulnerability in a host computer system. In an embodiment, the method may include receiving reputation data with respect to external network traffic data and receiving intrusion data with respect to host system data. The intrusion data may be generated by the host computer system based on the external network traffic data. The method may further include generating a plurality of test cases based on the reputation data and the intrusion data. The test cases, upon simulation, may provide information with respect to security vulnerability in the host computer system. The method may further include determining a set of implementable topologies for the host computer system, based on a simulation of each of the plurality of test cases, using a first artificial neural network (ANN) model to manage the security vulnerability.
    Type: Grant
    Filed: October 24, 2019
    Date of Patent: September 21, 2021
    Assignee: Wipro Limited
    Inventor: Ajith Kumar S
  • Patent number: 11128637
    Abstract: The disclosed embodiments include systems and methods for implementing least-privilege access to, control of, and/or code execution on target network resources. Operations may include identifying a prompt associated with a least-privilege requesting identity to initiate a remote session on a target network resource; executing, in response to the prompt, a first agent; retrieving, from a secure storage location, a second agent; initiating, by the first agent, execution of the second agent on the target network resource, wherein the second agent executes using a least-privilege credential or using least-privilege permissions associated with the least-privilege requesting identity; and instructing the second agent to perform an action remotely on the target network resource through the remote session using the least-privilege credential or using the least-privilege permissions.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: September 21, 2021
    Assignee: CYBERARK SOFTWARE LTD.
    Inventor: Tomer Dayan
  • Patent number: 11126713
    Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The directory reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.
    Type: Grant
    Filed: April 8, 2019
    Date of Patent: September 21, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Tal J. Maor, Itai Grady Ashkenazy, Gal Z. Bruchim, Jonathan M. Monsonego, Sivan Krigsman, Lior Schindler
  • Patent number: 11128618
    Abstract: A security system autonomously secures a modular data center (MDC) from a detected external threat by disabling access to physical communication ports. Sensor(s) are monitored that detects a presence of a person in an exterior or interior of a volumetric container of an MDC. Information technology (IT) component(s) are positioned within the volumetric container and include physical communication port(s) that receive a hot pluggable device containing memory. In response to determining that a detected person is not authenticated, a controller identifies any hot pluggable device that is currently engaged to a physical communication port of the MDC. The controller selectively disables access via the physical communication port(s) that is not engaged to a hot pluggable device. The controller enables continued access to the IT component(s) by any identified hot pluggable device that was engaged to a physical communication port before detecting the presence of the unauthenticated person.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: September 21, 2021
    Assignee: Dell Products, L.P.
    Inventors: Mark M. Bailey, Tyler B. Duncan, Mukund P. Khatri
  • Patent number: 11128651
    Abstract: Search results are received from an initiated free text search of log data from one or more logs, where the free text is performed using search terms entered into a free text search graphical user interface. A set of at least one search result is selected from the search results containing an event desired to be identified in a completed enterprise threat detection (ETD) pattern. A forensic lab application is rendered to complete an ETD pattern. An event filter is added for an event type based on normalized log data to a path. A relative ETD pattern time range is set and an ETD pattern is completed based on the added event filter.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: September 21, 2021
    Assignee: SAP SE
    Inventors: Eugen Pritzkau, Joscha Philipp Bohn, Daniel Kartmann, Wei-Guo Peng, Hristina Dinkova, Lin Luo, Thomas Kunz, Marco Rodeck, Hartwig Seifert, Harish Mehta, Nan Zhang, Rita Merkel, Florian Chrosziel
  • Patent number: 11128548
    Abstract: A network element health status detection method and device, where the method includes: determining sampled data of at least one key performance indicator (KPI) of a target network element in a first time window; obtaining a fluctuation score of any KPI in the at least one KPI according to sampled data of the any KPI in the first time window and a steady state value of the any KPI; and determining a health status of the target network element based on a fluctuation score of each KPI. Therefore, a network element health status is determined using single-point performance data of a network element and performance data in a network element time window.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: September 21, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yuming Xie, Qian Xiao, Zhiman Xiong, Li Xue, Ming Chen
  • Patent number: 11128641
    Abstract: Example embodiments disclosed herein relate to propagating belief information about malicious and benign nodes. In one example, a domain name system (DNS) resolution graph including multiple nodes is determined. In this example, a first subset of nodes is determined based on an initial benign value or an initial unknown value associated with the respective nodes. In the example, benign belief information is propagated for the first subset based on the respective initial benign values. Moreover, in the example, a second subset of the nodes is determined based on an initial malicious value or an initial unknown value. Malicious belief information is propagated for the second subset based on the respective malicious values. The propagated belief information is copied to a DNS resolution graph.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 21, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Loai Zomlot, Pratyusa K. Manadhata
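The propagation in the abstract above (benign belief pushed only through nodes that start benign or unknown, malicious belief only through nodes that start malicious or unknown, both results written back onto the resolution graph), as an added example that is not the patent's implementation. A damped neighbour-average update is the assumed propagation rule; the passive-DNS observations use example.* names and RFC 5737 addresses and are constructed.

```python
"""Added example: benign and malicious belief propagated over a DNS resolution graph
(not the patent's code; damped neighbour averaging is the assumed update rule)."""
from collections import defaultdict

BENIGN, MALICIOUS, UNKNOWN = "benign", "malicious", "unknown"


def build_graph(resolutions):
    """Undirected bipartite graph: domain <-> IP for every observed resolution."""
    graph = defaultdict(set)
    for domain, ip in resolutions:
        graph[domain].add(ip)
        graph[ip].add(domain)
    return graph


def propagate(graph, labels, target, rounds=20, damping=0.85):
    """Propagate belief for class `target` over the subset of nodes whose initial
    label is `target` or unknown. Nodes labelled with the other class are left
    out, so belief cannot flow through them; labelled seeds keep belief 1.0."""
    subset = {n for n in graph if labels.get(n, UNKNOWN) in (target, UNKNOWN)}
    belief = {n: 1.0 if labels.get(n) == target else 0.0 for n in subset}
    for _ in range(rounds):
        new = {}
        for n in subset:
            if labels.get(n) == target:
                new[n] = 1.0
                continue
            nbrs = [m for m in graph[n] if m in subset]
            new[n] = damping * sum(belief[m] for m in nbrs) / len(nbrs) if nbrs else 0.0
        belief = new
    return belief


def score_graph(resolutions, labels):
    """Run both propagations and copy the results onto every node of the graph."""
    graph = build_graph(resolutions)
    benign = propagate(graph, labels, BENIGN)
    malicious = propagate(graph, labels, MALICIOUS)
    return {n: {"benign": benign.get(n, 0.0), "malicious": malicious.get(n, 0.0)} for n in graph}


def demo():
    resolutions = [  # constructed passive-DNS observations
        ("good.example", "198.51.100.7"),
        ("www.good.example", "198.51.100.7"),
        ("evil.example", "203.0.113.5"),
        ("shady.example", "203.0.113.5"),
        ("shady.example", "203.0.113.6"),
        ("cdn.example", "198.51.100.8"),
        ("cdn.example", "203.0.113.6"),
    ]
    labels = {"good.example": BENIGN, "evil.example": MALICIOUS}
    return score_graph(resolutions, labels)


if __name__ == "__main__":
    for node, scores in sorted(demo().items()):
        print(f"{node:20s} benign={scores['benign']:.3f} malicious={scores['malicious']:.3f}")
```

Keeping the two propagations on different node subsets is what stops a shared hosting IP from laundering malicious belief into the benign side and vice versa; with real passive-DNS data the bigger practical problem is large shared infrastructure (CDNs, sinkholes), which is usually handled by capping node degree or dropping such nodes before propagation.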
  • Patent number: 11127014
    Abstract: A sleep pattern analyzer (SPA) system for capturing and analyzing sleep data and sleep pattern data is provided. The SPA system is configured to receive sleep data associated with a user, the sleep data including a registered user identifier and at least one sleep time stamp, and store the sleep data in a sleep pattern database. The SPA system is also configured to receive transaction data for a transaction initiated by a consumer with a merchant. The SPA system is further configured to match the consumer identifier to the registered user identifier, generate a fraud notification message when the transaction time stamp overlaps with the at least one sleep time stamp, and transmit the fraud notification message to at least one of an issuer, the merchant, and the consumer associated with the consumer identifier.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: September 21, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Rick Unnerstall
  • Patent number: 11120131
    Abstract: Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem metadata including information about file operations during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal pattern to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of encryption in the filesystem. The system combines the analysis of both stages to determine whether the filesystem is infected by ransomware.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: September 14, 2021
    Assignee: RUBRIK, INC.
    Inventors: Oscar Chen, Di Wu, Benjamin Reisner, Matthew E. Noe
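The two stages of the abstract above run over two backup snapshots, as an added example that is not the patent's code: stage 1 reconstructs the file operations between the crawls and compares their pattern with a normal-churn baseline, and only if that is abnormal does stage 2 look at the bytes of the touched files for the high entropy that encryption leaves behind. Snapshots are modelled as path-to-content dicts, the churn and entropy thresholds are assumptions, and both the normal day and the infected day are constructed.

```python
"""Added example: two-stage ransomware check over two backup snapshots (not the patent's code).

Snapshots are dicts path -> content (constructed); thresholds are assumptions."""
import math
import os
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def file_operations(before: dict, after: dict) -> dict:
    """Stage 1 input: the file operations implied by the difference between two crawls."""
    created = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    # 'report.docx' gone while 'report.docx.locked' appears: encrypt-and-rename
    renamed = {p for p in deleted if any(c.startswith(p) for c in created)}
    return {"created": created, "deleted": deleted, "modified": modified, "renamed": renamed}


def behaviour_is_abnormal(ops: dict, total_before: int, churn_threshold: float = 0.10) -> bool:
    """Stage 1: compare the operation pattern with a normal-churn baseline."""
    churn = (len(ops["created"]) + len(ops["deleted"]) + len(ops["modified"])) / max(total_before, 1)
    new_ext = Counter(os.path.splitext(p)[1] for p in ops["created"])
    one_extension_dominates = bool(new_ext) and new_ext.most_common(1)[0][1] >= 0.8 * len(ops["created"])
    return churn > churn_threshold or (len(ops["renamed"]) >= 5 and one_extension_dominates)


def content_looks_encrypted(after: dict, ops: dict, entropy_threshold: float = 7.0,
                            fraction_threshold: float = 0.5) -> bool:
    """Stage 2: reached only when stage 1 fired; inspect the touched files' bytes."""
    touched = ops["created"] | ops["modified"]
    if not touched:
        return False
    high = sum(1 for p in touched if shannon_entropy(after[p]) >= entropy_threshold)
    return high / len(touched) >= fraction_threshold


def detect_ransomware(before: dict, after: dict) -> dict:
    ops = file_operations(before, after)
    stage1 = behaviour_is_abnormal(ops, len(before))
    stage2 = content_looks_encrypted(after, ops) if stage1 else False
    return {"abnormal_behaviour": stage1, "encrypted_content": stage2, "infected": stage1 and stage2}


def build_snapshots():
    """Constructed snapshots: a baseline, a normal working day, and a ransomware run."""
    rng = random.Random(42)
    text = b"Quarterly figures attached. Please review before the board meeting.\n"
    before = {f"docs/report_{i}.docx": text * 30 for i in range(20)}
    normal = dict(before)                                   # one document edited
    normal["docs/report_3.docx"] = text * 30 + b"Updated totals.\n"
    infected = {f"{p}.locked": bytes(rng.getrandbits(8) for _ in range(2048)) for p in before}
    infected["docs/README_DECRYPT.txt"] = b"Your files are encrypted. Contact us to recover them.\n"
    return before, normal, infected


if __name__ == "__main__":
    before, normal, infected = build_snapshots()
    print("normal day:", detect_ransomware(before, normal))
    print("ransomware:", detect_ransomware(before, infected))
```

Stage 2 on its own would flag any directory full of archives, images or already-encrypted containers, all of which sit near 8 bits per byte; gating it behind the behavioural stage is what keeps the false-positive rate workable. Running against backups rather than the live host means detection lags the attack by one backup interval, but it needs no endpoint agent and cannot be disabled by the ransomware itself.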
  • Patent number: 11120127
    Abstract: Methods and systems for detecting and correcting anomalies include predicting normal behavior of a monitored system based on training data that includes only sensor data collected during normal behavior of the monitored system. The predicted normal behavior is compared to recent sensor data to determine that the monitored system is behaving abnormally. A corrective action is performed responsive to the abnormal behavior to correct the abnormal behavior.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: September 14, 2021
    Inventors: Alexandru Niculescu-Mizil, Eric Cosatto, Xavier Fontaine
  • Patent number: 11121953
    Abstract: During operation, a computer may compare values of at least one performance metric for access points in appropriate contexts to determine one or more temporal anomalies and/or one or more spatial anomalies for one or more of the access points. Then, the computer may generate one or more temporal anomaly events based at least in part on the one or more temporal anomalies and one or more spatial anomaly events based at least in part on the one or more spatial anomalies. Next, the computer may calculate one or more complex events based at least in part on two or more of the different anomalies. Moreover, the computer may evaluate the different anomalies, anomaly event and/or complex events to determine one or more insights about a problem in the network. Furthermore, the computer may perform a remedial action.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: September 14, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Yang Han, SeeHo Ting, Koteswar Rao Mellachervu, Lakshmi Nagarajan, Ilango Purushothaman, Jiayi Chen
  • Patent number: 11115437
    Abstract: A method and system for adaptively securing a protected entity against a potential advanced persistent threat (APT) are provided. The method includes probing a plurality of resources in a network prone to be exploited by an APT attacker; operating at least one security service configured to output signals indicative of APT related activity of each of the plurality of probed resources; generating at least one security event respective of the output signals; determining if the at least one security event satisfies at least one workflow rule; and upon determining that the at least one security event satisfies the at least one workflow rule, generating at least one action with respect to the potential APT attack.
    Type: Grant
    Filed: July 15, 2015
    Date of Patent: September 7, 2021
    Assignee: Cybereason Inc.
    Inventor: Avi Chesla
  • Patent number: 11113397
    Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: September 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Tomas Pevny, Jan Franců, Petr Somol
  • Patent number: 11108790
    Abstract: Methods and systems for detecting malicious activity on a network. The methods described herein involve gathering data regarding a first state of a computing environment, executing an attack tool to simulate malicious activity in the computing environment, and then gathering data regarding a second state of the computing environment. The methods described herein may then involve generating a signature based on changes between the first and second states, and then using the generated signature to detect malicious activity in a target network.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: August 31, 2021
    Assignee: Rapid7, Inc.
    Inventors: Paul Deardorff, Dustin Myers
  • Patent number: 11106792
    Abstract: Disclosed herein are systems and method for deep dynamic analysis for protecting endpoint devices from malware. In one aspect, an exemplary method comprises launching a deep analysis process, by a deep analysis tool, the launching including: injecting a dynamically loaded component into an address space of an application code and initializing, by the dynamically loaded component, to allow an execution activity, by the injected dynamically loaded component, parsing dependencies of run-time linkages, hooking system functions, creating an application memory map with separate application and system code areas, transferring control back to the application code, and performing on-sample-execution activity, obtaining control of exception handler and monitoring attempts to use the exception handler, changing an available area, logging accesses, inspecting exception reasons and applying policies, determining whether or not the application of the sample is a malware, and sending a final verdict.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: August 31, 2021
    Assignee: Acronis International GmbH
    Inventors: Alexey Kostyushko, Anastasia Pereberina, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11108752
    Abstract: Systems and methods are disclosed for managing the resetting of online identities or accounts of users of Internet web pages. One method includes: receiving, through an electronic device, a request to reset login information to access a web page associated with the user's online account; determining that an IP address associated with the request is not identified as being suspicious; receiving user data intrinsic to the user's request; automatically verifying two or more values of the data intrinsic to the user's request as being indicative of a level of trust of the identity of the user; and transmitting, to the user over the Internet, a subset of options to reset the login information, the subset being selected based on the level of trust.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: August 31, 2021
    Assignee: Verizon Media Inc.
    Inventor: Lachlan A. Maxwell
  • Patent number: 11108797
    Abstract: A non-transitory computer-readable medium having a program stored thereon that, when executed by one or more processors, directs a computing system to secure a communication network. The program comprises a traffic inspection engine, a domain generation algorithm (DGA) inspection engine, and a message bus communicationally coupling the traffic inspection engine and the DGA inspection engine. The traffic inspection engine is configured to identify whether a traffic session containing a domain name system (DNS) request and/or response in a communication network includes a DGA-generated domain and send information about the identified DGA-generated domain to the DGA inspection engine via the message bus. The DGA inspection engine is configured to verify whether the identified DGA-generated domain is registered, and send information about the registered DGA domain to the traffic inspection engine via the message bus.
    Type: Grant
    Filed: March 11, 2019
    Date of Patent: August 31, 2021
    Assignee: Stellar Cyber, Inc.
    Inventors: Zhang Xu, Changming Liu
  • Patent number: 11108791
    Abstract: Systems and methods are described which are useful for efficiently combining characteristic detection rules, such as may be done to efficiently and quickly assist in the dispositioning of user-reported security threats.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: August 31, 2021
    Assignee: KnowBe4, Inc.
    Inventors: Marcio Castilho, Alin Irimie, Michael Hanley, Daniel Cormier, Raymond Skinner
  • Patent number: 11108802
    Abstract: There is disclosed a method and system for determining web hosts receiving abnormal site visits. The method comprises generating a graph of web search history and clustering nodes in the graph. The method then comprises removing clusters that are affiliated based on user interaction data, and storing indicators that the remaining web hosts are associated with abnormal site visits.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: August 31, 2021
    Assignee: YANDEX EUROPE AG
    Inventors: Dmitry Aleksandrovich Cherkasov, Alexander Vladimirovich Anisimov, Grigory Mikhailovich Gankin
  • Patent number: 11108813
    Abstract: The disclosed embodiments provide a system for mitigating a distributed denial-of-service (DDoS) attack. During operation, the system analyzes application layer data in historical traffic to an online system to determine a historical volume of member traffic from an Internet Protocol (IP) address to the online system, wherein the member traffic is generated by members of the online system. Next, the system calculates a rate limit for a set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address. During a DDoS attack, the system outputs the rate limit for use in blocking a subset of the requests from the IP address to the online system.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shoufu Luo, Jie Zhang
  • Patent number: 11102215
    Abstract: A method, computer system, and computer program product for restricting and anonymizing a graphical user interface for a remote access session are provided. The present invention may include determining a plurality of appropriate permissions for the graphical user interface of a client computer for fixing a problem. The present invention may also include determining a plurality of restricted graphical user interface panels associated with the graphical user interface, wherein the determined plurality of restricted graphical user interface panels includes a minimum access level for the third party to fix the problem.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: August 24, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey A. Calcaterra, Erik Rueger, Christof Schmitt
  • Patent number: 11102219
    Abstract: Systems and methods to manage operation of at least one network are provided. The system includes a processor, an input/output device coupled to the processor, and a memory coupled with the processor. The memory comprises executable instructions that, when executed by the processor, cause the processor to effectuate operations. The operations include identifying at least one event signature associated with an event, wherein the event signature is indicative that it is probable that at least one user of the network will experience a predefined service anomaly. Operation of the network is monitored for a presence of the at least one event signature. The presence of the at least one event signature is detected. At least one action is determined to deter the predefined service anomaly. The action is caused to be implemented on the network.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: August 24, 2021
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James Fan, Alireza Hooshiari, Dan Celenti
  • Patent number: 11102226
    Abstract: The present invention relates to a dynamic security method and system based on multi-fusion linkage response. In the method, a site control device conducts active response and passive response through identity authentication and key management to give an alarm for abnormal behaviors. The system comprises an access authentication active response module, an access control active response module, an access control passive response module, an abnormal pretending passive response module, a key vulnerability passive response module and an abnormal state passive response mechanism module. On the basis of ensuring validity and feasibility for the security of a terminal device, the present invention can build a secure and trusted industrial control system operating environment.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: August 24, 2021
    Assignee: SHENYANG INSTITUTE OF AUTOMATION, CHINESE ACADEMY OF SCIENCES
    Inventors: Haibin Yu, Peng Zeng, Jianming Zhao, Xianda Liu, Chunyu Chen, Tianyu Wang
  • Patent number: 11100243
    Abstract: Technologies are described for selective persistence of data utilized by software containers. A configuration policy is defined that includes data that specifies one or more data stores for which data is not to be persisted following accesses to a software container and one or more data stores for which data is to be persisted following accesses to the software container. When the software container is first accessed, the data stores identified in the configuration policy are attached to the software container. Upon a subsequent access to the container, such as at the conclusion of a user session or upon destruction of the container, the data in the attached data stores is persisted or deleted based upon the configuration policy. When the software container is once again accessed, the data store containing the persisted data can be re-attached to the software container.
    Type: Grant
    Filed: January 15, 2018
    Date of Patent: August 24, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Margarit Simeonov Chenchev, Benjamin M. Schultz, Giridhar Viswanathan, Balaji Balasubramanyan, Yanan Zhang, Frederick Justus Smith, Hari R. Pulapaka, David Weston
  • Patent number: 11102223
    Abstract: A system and method for tracking data security threats within an organization is proposed. A threat aggregator process executing on an analysis computer system within the organization receives events indicating possible threats observed by and sent from different user devices and aggregates related events into threats. This enables the threats to be analyzed and acted upon at a level of the organization (e.g., across user devices) rather than at the level of the individual user devices. An endpoint telemetry system analyzes threats sent from the aggregator and provides security policies for responding to the threats. In examples, the system can identify attacks of related threats and act upon the related threats of the attack collectively, and can characterize false positive threats sent from multiple user devices as a single extraneous threat. This has advantages over the per-user device focus for responding to threats provided by current systems and methods.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: August 24, 2021
    Assignee: Carbon Black, Inc.
    Inventors: Jeffrey Albin Kraemer, Ranganathan Gopalan
  • Patent number: 11102240
    Abstract: An early-warning decision method, node and system are provided in the present disclosure. The method includes obtaining a flow analysis result of a portion of service requests that are targeted at a same server; calculating a flow of all the service requests that are targeted at the server based on a flow indicated by the flow analysis result and a weight of a current distributed node, the weight being a weight or proportion of all the service requests targeted at the server that accounts for the flow indicated by the flow analysis result that is obtained by the current distributed node; comparing the flow of all the service requests that are targeted at the server with an abnormal flow threshold; and determining whether to send an instruction for performing subsequent processing on the server based on a comparison result.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: August 24, 2021
    Assignee: Alibaba Group Holding Limited
    Inventors: Yifan Tu, Huilai Qiao, Jiong Jia
  • Patent number: 11093611
    Abstract: A method and system for the deployment of deceptive decoy elements in a computerized environment to identify data leakage processes invoked by suspicious entities are presented. The method includes generating at least one deceptive decoy element; and deploying the generated at least one deceptive decoy element in a folder in a file system of the computerized environment, wherein the deployment is based on a sensitivity level of the folder, wherein the at least one deceptive decoy element is configured to provide an indication of unauthorized access upon an attempt by an unauthorized entity to access the folder.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: August 17, 2021
    Assignee: Itsmine LTD.
    Inventors: Kfir Kimhi, Ran Norman, Guy Ben Mayor
  • Patent number: 11093606
    Abstract: A system for detecting a cyber-attack on a SCADA-system-managed plant. Each industrial computerized device of the system comprises a processor configured with a data validation module to determine whether the data flow output from a SCADA-connected controller is authentic, and with an alert issuing mechanism activated following detection that the output data flow is indicative of a cyber-attack. The at least one dedicated industrial computerized device is operable to passively monitor in parallel data communicated between each of the controllers and the SCADA system, including the output data at the nearest points of each of the controllers; seek mismatches between the plant state and the physical operation model; if a mismatch is detected, determine whether the mismatch is indicative of a cyber-attack perpetrated with respect to one of the controllers or of an operational malfunction; and upon detecting a cyber-attack, activate the alert issuing mechanism to issue a security alert.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: August 17, 2021
    Assignee: RAFAEL ADVANCED DEFENSE SYSTEMS LTD.
    Inventors: Michael Arov, Ronen Ochman, Moshe Cohen
  • Patent number: 11095612
    Abstract: Techniques for providing flow metadata exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow metadata exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: August 17, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Anand Oswal, Arivu Mani Ramasamy, Bhaskar Bhupalam, Shu Lin
  • Patent number: 11095664
    Abstract: A mobile device receives an invitation to commence a media session. The invitation may be from a legitimate caller or from a spoofing caller. The mobile device checks parameters using templates to evaluate a consistency of the invitation with respect to a database in the mobile device. The templates include session protocol, network topology, routing, and social templates. Specific template data includes standardized protocol parameters, values from a database of the mobile device and phonebook entries of the mobile device. Examples of the parameters include capabilities, preconditions, vendor equipment identifiers, a hop counter value and originating network information. The originating network information may be obtained from the database by first querying an on-line database to determine a network identifier associated with caller identification information in the invitation.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: August 17, 2021
    Assignee: Apple Inc.
    Inventors: Shi Lu, Camille Chen, Wenping Lou, Wen Zhao
  • Patent number: 11093621
    Abstract: A nested file having a primary file and at least one secondary file embedded therein is parsed using at least one parser of a cell. The cell assigns a maliciousness score to each of the parsed primary file and each of the parsed at least one secondary file. Thereafter, the cell generates an overall maliciousness score for the nested file that indicates a level of confidence that the nested file contains malicious content. The overall maliciousness score is provided to a data consumer indicating whether to proceed with consuming the data contained within the nested file.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: August 17, 2021
    Assignee: Cylance Inc.
    Inventors: Eric Petersen, Derek A. Soeder
  • Patent number: 11095540
    Abstract: A computing device is provided that is configured to obtain, from a managed network, a plurality of response times of a network-based service provided by the managed network; to train, based on the plurality of response times, a probability distribution to model the managed network; to receive an additional response time from the managed network; to use the probability distribution to determine, for the additional response time, a percentile based on the additional response time; based on the percentile, to determine that the additional response time is anomalously high with respect to the plurality of response times of the network-based service; and to transmit, to a client device associated with the managed network, an indication that the additional response time is anomalously high. The probability distribution includes a central portion based on a plurality of bins and a tail portion based on a parametric distribution.
    Type: Grant
    Filed: January 23, 2019
    Date of Patent: August 17, 2021
    Assignee: ServiceNow, Inc.
    Inventors: Qingbin Li, Brian Robert Silverstein, James Allen Crotinger, Dariush Shahgoshtasbi, Darren Hou, Yujie Fang
  • Patent number: 11089040
    Abstract: This disclosure provides for a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident. A signal flow analysis is conducted with respect to an input node representing an observable associated with an offense. The flow analysis seeks to identify a subset of the nodes that, based on their conductance values, are reached by flow of a signal representing a threat, wherein signal flow over a path in the graph continues until a signal threshold is met. Based on the analysis, nodes within the subset are designated as hypothesis nodes for further examination.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jiyong Jang, Dhilung Hang Kirat, Youngja Park, Marc Philippe Stoecklin
  • Patent number: 11086993
    Abstract: The invention relates to a system for protecting IoT devices from malicious code, which comprises: (a) a memory extracting module at each of said IoT devices, for extracting a copy of at least a portion of the memory content from the IoT device, and sending the same to an in-cloud server; and (b) an in-cloud server for receiving said memory content, and performing an integrity check for a possible existence of malicious code within said memory content.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: August 10, 2021
    Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici