Virus Detection Patents (Class 726/24)
  • Patent number: 9876814
    Abstract: Apparatus and techniques for determining whether a domain name has been generated by a domain generation algorithm (DGA) are disclosed. A first domain name is classified as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on one or more features of the first domain name. In addition, statistics are determined regarding requests for the first domain name. Additional domain names are identified that share an infrastructure with the first domain name. A determination is made regarding whether the first domain name and/or one or more of the additional domain names are likely to have been generated by a DGA, based on a result of one or more of the classifying, the statistics, or the identifying. A security vulnerability related to one or more of the likely DGA domain names is then mitigated.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: January 23, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Steve McKinney
  • Patent number: 9871826
    Abstract: Systems and techniques are provided for creating sensor based rules for detecting and responding to malicious activity. Evidence corresponding to a malicious activity is received. The evidence corresponding to malicious activity is analyzed. Indicators are identified from the evidence. The indicators are extracted from the evidence. It is determined that an action to mitigate or detect a threat needs to be taken based on the indicators and evidence. A sensor to employ the prescribed action is identified. Whether a sensor based rule meets a threshold requirement is validated. A configuration file used to task the sensor based rule to the identified sensor is created. The number of sensor based rule triggers is tracked.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: January 16, 2018
    Assignee: Analyst Platform, LLC
    Inventors: Russell Scott Messick, Jason Daniel Smith
  • Patent number: 9870468
    Abstract: Systems and methods are provided for segregating data and code implemented in a dynamic language, where the segregated data and code operate in an environment, where the environment and the segregated data and code are controlled using a common dynamic language. The environment is implemented in the common dynamic language, the environment including a framework, the framework including a plurality of properties. A visible framework property is identified that is visible to applications. An invisible framework property is identified that is not visible to the applications. A first application is implemented in a first sandbox within the environment, wherein the first application is implemented in the common dynamic language, wherein the first application is unable to access the invisible framework property, and wherein the first application is able to access the visible framework property.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: January 16, 2018
    Assignee: MARVELL INTERNATIONAL LTD.
    Inventor: Patrick Soquet
  • Patent number: 9864615
    Abstract: Systems and methods allow a user to select one or more applications that are intended to be downloaded to a device (e.g., phone, tablet, PC) and create an emulation environment for testing aspects of the one or more applications prior to download. The emulation environment can be virtual (via emulation or virtual machine) or instrumented by remotely controlling actual hardware. Metrics collected from the emulation environment can include security and usability related aspects of the applications. Interaction between the applications themselves, the applications and other resources, and the user and the applications (e.g., configuration preferences, usage patterns) can be monitored by systems facilitating hosting of the emulation environment. For example, collected metrics can be used to create a measure for security, reputation, user-preference, etc. regarding the applications. Metrics can be shared amongst other potential users to assist in their purchase or usage of the applications.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: January 9, 2018
    Assignee: McAfee, LLC
    Inventor: Igor Muttik
  • Patent number: 9860152
    Abstract: A method is implemented by a network device in a network for monitoring a segment of the network without direct access to an internal configuration or state of the segment. The method includes receiving a request to perform a monitoring task on a monitoring zone within the network. The monitoring zone includes a subset of network devices of the network. The monitoring zone has an ingress data path that carries ingress traffic into the monitoring zone and an egress data path that carries egress traffic out of the monitoring zone. The method further includes configuring the network to mirror the ingress traffic or the egress traffic to a configurable probe in the network and configuring the configurable probe to perform the monitoring task on the monitoring zone, where the configurable probe is configured to perform the monitoring task based on analysis of the mirrored ingress traffic or the mirrored egress traffic.
    Type: Grant
    Filed: September 21, 2015
    Date of Patent: January 2, 2018
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Ming Xia, Ravi Manghirmalani, Heikki Mahkonen, Meral Shirazipour
  • Patent number: 9860277
    Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted untrusted processes or corporate private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: January 2, 2018
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Robert W. Cook, Andrew J. Thomas, Dmitri Samosseiko, Mark D. Harris
  • Patent number: 9852385
    Abstract: Disclosed is a mechanism to process business object IDs in inbound and outbound processing. The mechanism takes into account a mapping table, matching capabilities, number ranges, inbound error and conflict handling, inbound processing, outbound processing, initial load, and data migration.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: December 26, 2017
    Assignee: SAP SE
    Inventors: Knut Heusermann, Matthias Becker, Christian Hohmann, Sophie Kraut, Torsten Buecheler, Xenia Rieger, Dietmar Henkes, Guang Yang, Olga Kreindlina, Thomas Vogt, Walter Zimmermann, Oliver Berger, Martin Haerterich, Marcus Echter, Albert Neumueller, Stefan Moeller
  • Patent number: 9853997
    Abstract: A malware detection system and method detects changes in host behavior indicative of malware execution. The system uses linear discriminant analysis (LDA) for feature extraction, multi-channel change-point detection algorithms to infer malware execution, and a data fusion center (DFC) to combine local decisions into a host-wide diagnosis. The malware detection system includes sensors that monitor the status of a host computer being monitored for malware, a feature extractor that extracts data from the sensors corresponding to predetermined features, local detectors that perform malware detection on each stream of feature data from the feature extractor independently, and a data fusion center that uses the decisions from the local detectors to infer whether the host computer is infected by malware.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: December 26, 2017
    Assignee: Drexel University
    Inventors: Raymond Joseph Canzanese, Jr., Spiros Mancoridis, Moshe Kam
  • Patent number: 9832212
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: November 28, 2017
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 9824222
    Abstract: In one aspect, the disclosure provides: A method comprising: inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnera
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: November 21, 2017
    Assignee: SYNACK, INC.
    Inventors: Jay Kaplan, Mark Kuhr
  • Patent number: 9825988
    Abstract: Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a proxy, implemented within a network gateway device of a private network, monitors remote file-system access protocol sessions involving client computer systems and a server computer system associated with the private network. For each file on a share of the server computer system being accessed by one or more of the client computer systems: (i) a shared holding buffer corresponding to the file is created within a shared memory of the network gateway device; (ii) data being read from or written to the file by the monitored remote file-system access protocol sessions is buffered into the shared holding buffer; and (iii) responsive to a predetermined event, content filtering is performed on the shared holding buffer to determine whether malicious, dangerous or unauthorized content is contained within the shared holding buffer.
    Type: Grant
    Filed: August 13, 2015
    Date of Patent: November 21, 2017
    Assignee: Fortinet, Inc.
    Inventor: William Jeffrey Crawford
  • Patent number: 9824356
    Abstract: Embodiments of the invention provide a method of authenticating a transaction at the point of transaction. In some embodiments of the invention, a unique signature is created based at least in part on a hardware profile of the system. In some embodiments, a request is received from a user to perform a transaction using the system. In some embodiments, in response to receiving the request a key is created based on the unique signature and displayed to the user. In some embodiments, user input entered in response to the user viewing the key is received and it is determined whether to proceed with transaction payment authentication based at least on whether the received user input matches the created key.
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: November 21, 2017
    Assignee: Bank of America Corporation
    Inventor: Manu Jacob Kurian
  • Patent number: 9817973
    Abstract: A method and device for monitoring virus trend abnormality are provided which may enable timely and effective monitoring of computer viruses. The method may include measuring a frequency of hits of a virus being found and/or removed. The frequency may be used for calculating an M-day moving average value of the number of hits of the virus. The method may also involve calculating a standardized residual of the number of hits of the virus. When the standardized residual is larger than a first preset threshold, the time at which the virus was last encountered may be identified as an abnormality point on a trendline of the virus.
    Type: Grant
    Filed: February 12, 2014
    Date of Patent: November 14, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Jiaxu Wu, Tao Yu
  • Patent number: 9811661
    Abstract: Disclosed are a system and method for protecting computers from unauthorized remote administration. One exemplary method comprises: intercepting events that occurred in a computer system; determining parameters of each intercepted event for identifying each intercepted event as relating to a first data transfer by an application in a computer network or a second data transfer to an application from a peripheral data input device of the computer system; determining two intercepted events as being dependent on each other; determining a rule defining a dependency of the parameters of the two intercepted events; determining a degree of similarity of the rule and a previously created rule; if the degree of similarity exceeds a selected threshold value, identifying at least one application based at least on the rule and the previously created rule; and analyzing the at least one application for detecting a remote administration application.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: November 7, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Maxim Y. Golovkin, Alexey M. Romanenko, Alexey V. Monastyrsky
  • Patent number: 9807104
    Abstract: An authenticating device configured for network authentication is described. The authenticating device includes a processor. The authenticating device also includes memory in electronic communication with the processor. The authenticating device further includes instructions stored in the memory. The instructions are executable to intercept an authentication request sent to an authentication application program interface (API). The instructions are also executable to send the authentication request to a central server to identify malicious activity patterns based on authentication activity of a plurality of authenticating devices in a network environment. The instructions are further executable to determine whether to block an invocation of the authentication API based on blocking rules received from the central server.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: October 31, 2017
    Assignee: STEALTHbits Technologies, Inc.
    Inventor: Anthony Nicholas Sarra
  • Patent number: 9800601
    Abstract: Systems and methods for detecting and scoring anomalies. In some embodiments, a method is provided, comprising acts of: (A) identifying a plurality of values of an attribute, each value of the plurality of values corresponding respectively to a digital interaction of the plurality of digital interactions; (B) dividing the plurality of values into a plurality of buckets; (C) for at least one bucket of the plurality of buckets, determining a count of values from the plurality of values that fall within the at least one bucket; (D) comparing the count of values from the plurality of values that fall within the at least one bucket against historical information regarding the attribute; and (E) determining whether the attribute is anomalous based at least in part on a result of the act (D).
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: October 24, 2017
    Assignee: NuData Security Inc.
    Inventors: Christopher Everett Bailey, Randy Lukashuk, Gary Wayne Richardson
  • Patent number: 9787700
    Abstract: According to one embodiment, a system features analysis circuitry and detection circuitry. The analysis circuitry features a first processing unit and a first memory that includes a filtering logic configured to produce a second plurality of objects from a received first plurality of objects. The second plurality of objects is a subset of the first plurality of objects. The detection circuitry is communicatively coupled to and remotely located from the analysis circuitry. The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content within at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: October 10, 2017
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Masood Mehmood, Ramaswamy Ramaswamy, Madhusudan Challa, Shrikrishna Karandikar
  • Patent number: 9769276
    Abstract: A hardware device for monitoring and intercepting packetized data traffic at full line rate is provided. In high bandwidth embodiments, full line rate corresponds to rates that exceed 100 Mbytes/s and in some cases 1000 Mbytes/s. Monitoring and intercepting software, alone, is not able to operate on such volumes of data in real-time. An exemplary embodiment comprises: a data delay buffer with multiple delay outputs; a search engine logic for implementing a set of basic search tools that operate in real-time on the data traffic; a programmable gate array; an interface for passing data quickly to software sub-systems; and control means for implementing software control of the operation of the search tools. The programmable gate array inserts the data packets into the delay buffer, extracts them for searching at the delay outputs and formats and schedules the operation of the search engine logic.
    Type: Grant
    Filed: February 17, 2015
    Date of Patent: September 19, 2017
    Assignee: BAE SYSTEMS PLC
    Inventors: Mark Arwyn Bennett, Alexander Colin Piggott, David John Michael Garfield, Philip Morris
  • Patent number: 9767278
    Abstract: A system and method for the detection of irregularities, such as fraud or malware, running on a device, is disclosed. The system comprises a monitoring program for reviewing data relating to operation of the device, a device profile including data items relating to typical operation of the device generated from messages relating to the device; and an alert module for generating an alert on detection of unusual activity relating to the device.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: September 19, 2017
    Assignee: Elasticsearch B.V.
    Inventor: Stephen Dodson
  • Patent number: 9762592
    Abstract: According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.
    Type: Grant
    Filed: April 1, 2015
    Date of Patent: September 12, 2017
    Assignee: Imperva, Inc.
    Inventors: Tal Arieh Be'ery, Shelly Hershkovitz, Nitzan Niv, Amichai Shulman
  • Patent number: 9754108
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: August 1, 2016
    Date of Patent: September 5, 2017
    Assignee: Open Invention Network LLC
    Inventor: William Charles Easttom
  • Patent number: 9754105
    Abstract: An anti-exploit system monitors and identifies malicious behavior related to one or more protected applications or processes. The anti-exploit system intercepts API calls associated with the protected application or process including parameters passed on to the operating system functions as well as a memory address associated with the caller to the API calls. Based on the characteristics associated with the intercepted API call a Behavioral Analysis Component determines whether the API call is malicious in nature.
    Type: Grant
    Filed: September 24, 2013
    Date of Patent: September 5, 2017
    Assignee: Malwarebytes Corporation
    Inventors: Pedro Bustamante López-Chicheri, David Sánchez Lavado
  • Patent number: 9756070
    Abstract: Technologies are described herein for scanning machine images using a scanning service to identify potential risks. The scanning service may be associated with a service provider network. A scan request is received at the scanning service that requests machine images to be scanned. One or more scans may be performed on each of the machine images. An execution environment may host a machine image during a scan of the machine image. Scan result data associated with the scans is stored. The scan result data may be used to provide scan results to the requestor.
    Type: Grant
    Filed: November 10, 2014
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Zachary Thomas Crowell, Julien Jacques Ellie, Divij Gupta, Nishant Jain, Michael Sean Mayo, John Christopher Mikula, Benjamin David Newman
  • Patent number: 9734337
    Abstract: An anti-malware application detects, stops, and quarantines ransomware. The anti-malware application monitors threads executing on a computing device and detects behaviors that conform to a predefined set of behaviors indicative of ransomware. Responsive to detecting these behaviors, indicators are stored to a log in a storage device. Each of the indicators in the log is associated with respective scores. A running score for each thread is generated by combining the respective scores of the indicators in the log. Responsive to determining that the running score exceeds a predefined threshold score, execution of the thread is terminated. The source ransomware file is then identified and quarantined.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: August 15, 2017
    Assignee: Malwarebytes Inc.
    Inventors: Mark William Patton, Ares Lopez Ituiño
  • Patent number: 9733976
    Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured. Sysret monitoring means intercepts calls to a sysret instruction, executes sysret monitoring operations, and subsequently returns execution to an application running on the computer.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: August 15, 2017
    Assignee: Barkly Protects, Inc.
    Inventors: Kirk R. Swidowski, Ryan J. Berg, Stephen C. Carlucci, John J. Danahy
  • Patent number: 9734332
    Abstract: Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target, observing a set of temporal sequences and events of the target; determining presence of markers within the set of temporal sequences and events indicative of malware, and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: August 15, 2017
    Assignee: Proofpoint, Inc.
    Inventors: Wayne Huang, M. James Idle
  • Patent number: 9729655
    Abstract: A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: August 8, 2017
    Assignee: Fortinet, Inc.
    Inventors: Stephen John Bevan, Michael Xie, Hongwei Li, Wenping Luo, Shaohong Wei
  • Patent number: 9729562
    Abstract: A communication network is defended using a distributed infrastructure that leverages coordination across disparate abstraction levels. At each node computing device comprising a communication network, a stored event list is used to detect at least one node event which occurs at a machine code level and is known to have the potential to interfere directly with the internal operation of the node computing device. The at least one node event is one which is exclusive of an event within a network communication domain. In response to detecting the at least one node event at one of the plurality of network nodes, an optimal network-level defensive action is automatically selectively determined by the network. The network level defensive action will involve a plurality of network nodes comprising the communication network.
    Type: Grant
    Filed: March 2, 2015
    Date of Patent: August 8, 2017
    Assignee: Harris Corporation
    Inventors: Jerome Sonnenberg, Marco Carvalho, Richard Ford
  • Patent number: 9722973
    Abstract: A method and system for a distributed anonymization system is disclosed. A master anonymization system is provided. A slave anonymization system is configured to communicate with the master anonymization system, wherein the master anonymization system permits the slave anonymization system to perform one or more functions. The slave anonymization system is configured to receive a request from a user computer that requires the slave anonymization system to perform a function. The performance of the function requires either storage of data to a data store in a destination computing device or retrieval of data from the data store in the destination computing device, wherein the data is stored or retrieved in an anonymized form. The slave anonymization system verifies if the function to be performed is a permitted function. If it is a permitted function, the function is performed.
    Type: Grant
    Filed: July 11, 2013
    Date of Patent: August 1, 2017
    Assignee: CIPHERCLOUD, INC.
    Inventors: Pravin Kothari, Debabrata Dash
  • Patent number: 9723020
    Abstract: The present invention provides a method for scanning information to be scanned in a computer device, the information to be scanned needing multiple scans, and the method comprising the steps of: a. determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of the computer device; and b. scanning the information to be scanned according to the delay duration. According to the solution of the present invention, by determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of a computer device, and scanning according to the delay duration, problems such as slow running due to high occupancy ratio of CPU resources during scanning can be avoided.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: August 1, 2017
    Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Mingqiang Guo, Yongcheng Zhang
  • Patent number: 9712692
    Abstract: Provided is a communication apparatus in which when reception data from a transmission apparatus contains a request for an acknowledgement response, a determination as to whether or not to send an acknowledgement response from the communication apparatus to the transmission apparatus is made, if the acknowledgement response is permitted, an acknowledgement is sent to the transmission apparatus over a network, and when the acknowledgement response is not permitted, reception data containing the acknowledgement response is transferred to the external apparatus.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: July 18, 2017
    Assignee: Seiko Epson Corporation
    Inventor: Takashi Hanada
  • Patent number: 9712557
    Abstract: A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; usin
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: July 18, 2017
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme, Blake Darche
  • Patent number: 9710320
    Abstract: A data processing stage is described which has a communications interface arranged to receive a plurality of input data chunks. Each input data chunk has a pointer to a validation record, where the validation records are stored at a memory accessible to the data processing stage. A processor of the data processing stage is configured to create an output validation record at the memory, and to link the output validation record to the validation records of the input chunks. The processor is configured to compute an output chunk from the input chunks in a manner which ignores data of the input chunks identified as invalid through inspection of the output validation record.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: July 18, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sebastian Brillout, Fehmi Ben Haddou, Bertrand Freydier, Aaron Greene, Yannick Brombach
  • Patent number: 9710333
    Abstract: A system for storing encrypted compressed data comprises a processor and a memory. The processor is configured to determine whether an encrypted compressed segment has been previously stored. The encrypted compressed segment was determined by breaking a data stream, a data block, or a data file into one or more segments and compressing and then encrypting each of the one or more segments. The processor is further configured to store the encrypted compressed segment in the event that the encrypted compressed segment has not been previously stored. The memory is coupled to the processor and configured to provide the processor with instructions.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: July 18, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Christopher R. Lumb
  • Patent number: 9690609
    Abstract: A method comprises pairing a virtual machine instance with a virtual agent that is registered with a registry in an execution environment. In this regard, upon instantiating the virtual machine and the corresponding virtual agent, the virtual agent monitors for transaction(s), e.g., a specific invoked method, on that execution environment. The virtual agent is also configured for generating an event in response to detecting the transaction. The virtual agent provides a unique signature associated with the event, which identifies the origin of the virtual machine instance. Still further, the virtual agent is configured for forwarding the event to the registry for collating with other events so as to produce composite end-to-end logs of processes in a manner that enables provenance.
    Type: Grant
    Filed: July 15, 2014
    Date of Patent: June 27, 2017
    Assignee: CA, Inc.
    Inventor: Eamonn Lawler
  • Patent number: 9690635
    Abstract: Methods, systems and devices for communicating behavior analysis information using an application programming interface (API) may include receiving data/behavior models from one or more third-party network servers in a client module of a mobile device and communicating the information to a behavior observation and analysis system via a behavior API. The third-party servers may be maintained by one or more partner companies that have domain expertise in a particular area or technology that is relevant for identifying, analyzing, classifying, and/or reacting to mobile device behaviors, but that do not have access to (or knowledge of) the various mobile device sub-systems, interfaces, configurations, modules, processes, drivers, and/or hardware systems required to generate effective data/behavior models suitable for use by the mobile device. The behavior API and/or client modules allow the third-party server to quickly and efficiently access the most relevant and important information on the mobile device.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: June 27, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Rajarshi Gupta, Soorgoli Ashok Halambi, Sudha A. Gathala, Vinay Sridhara
  • Patent number: 9690939
    Abstract: A method of safe file transmission and reputation lookup is provided. As a part of the safe file transmission and reputation lookup methodology, a data file that is to be made available to a data file receiver is accessed and it is determined whether the data file needs to be provided a protective file. The data file is wrapped in a protective file to create a non-executing package file. Access is provided to the non-executing package file where the associated data file is prevented from being executed until data file reputation information is received.
    Type: Grant
    Filed: January 5, 2015
    Date of Patent: June 27, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Geoff Hulten, John Scarrow, Ivan Osipkov, Kristofer N. Iverson
  • Patent number: 9686294
    Abstract: Methods and systems for protecting components of a linked vehicle from cyber-attack are disclosed. These methods and systems comprise elements of hardware and software for receiving a packet; tunneling the packet to a terrestrial-based security service, analyzing whether the packet is harmful to a component in the vehicle, and at least one action to protect at least one component.
    Type: Grant
    Filed: June 15, 2015
    Date of Patent: June 20, 2017
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Alon Kantor, Tamir Zegman
  • Patent number: 9686287
    Abstract: Disclosed are various embodiments for delegating security authorization to at least one application executed on a client device. A computing device is employed to send to a remote server, from an agent application, a request for a first access credential. The first access credential is received from the remote server and a determination is made by the agent application in communication with a managed application, that the managed application requires a second access credential. In response to the determination being made that the managed application requires the second access credential, the second access credential is sent to the managed application, from the agent application. An indication that the agent is authorized to be in communication with managed applications regarding a need for access credentials is stored and the agent application determines where at least one of the managed applications requires an access credential.
    Type: Grant
    Filed: March 19, 2015
    Date of Patent: June 20, 2017
    Assignee: AirWatch, LLC
    Inventors: John Joseph Manton, Sridhara Babu Kommireddy, Adam Stephen Rykowski
  • Patent number: 9680866
    Abstract: A system and computer based method are provided for identifying active content in websites on a network. In one aspect, a method for classifying web content includes determining a first property associated with static content of a web page, determining a second property associated with the content of the web page based at least in part on active content associated with the web page, evaluating a logical expression relating the first property and the second property, at least in part by evaluating whether a constant value matches at least a portion of the content of the web page, associating the web page with a category based on a result of the evaluation, and determining whether to allow network access to the web page based on the category.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: June 13, 2017
    Assignee: Websense, LLC
    Inventors: Victor L Baddour, Stephan Chenette, Dan Hubbard, Nicholas J Verenini, Ali A Mesdaq
  • Patent number: 9679137
    Abstract: In one embodiment a method comprises initiating, by a network attached storage device, a virus scan process on the network attached storage device, receiving, by the network attached storage device, a first file access request that identifies a file, and interrupting the virus scan process to respond to the first file access request.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: June 13, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: David H. Hanes
  • Patent number: 9674214
    Abstract: A computer-implemented method includes receiving a request to remove data that is associated with a protected social entity. The data maintained on one or more social networks is scanned, where scanning includes identifying data that is associated with one or more social entities. One or more characteristics of the identified data are determined, and a reference to the identified data that indicates the characteristic, is generated for each of the one or more characteristics. A match between the one or more generated references and one or more stored references is identified, where the one or more stored references each reference one or more characteristics associated with the protected social entity, and where the one or more stored references are stored in one or more social risk databases. A request to the one or more social networks to remove the identified data associated with the one or more generated references is submitted.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: June 6, 2017
    Assignee: ZeroFOX, Inc.
    Inventors: James C. Foster, Evan Blair, Christopher B. Cullison, Robert Francis
  • Patent number: 9674167
    Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site the user is first authenticated by the security server for instance by out of band authentication. Then the security server computes a one time password based on a secret it shares with the web site and sends it to the pop up window.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: June 6, 2017
    Assignee: Early Warning Services, LLC
    Inventor: Ravi Ganesan
  • Patent number: 9672356
    Abstract: Determining malware status of a file is disclosed. An apparatus obtains information about an unknown target file, obtains system context of the unknown target file, and determines the unknown target file as clean if the system context matches with one or more predetermined conditions indicative of cleanliness. The predetermined conditions of cleanliness include at least the target file being located in a directory which contains other clean files.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: June 6, 2017
    Assignee: F-Secure Corporation
    Inventor: Jarno Niemela
  • Patent number: 9665717
    Abstract: Mitigating return-oriented programming (ROP) attacks. Program code and associated components are received and loaded into memory. From the program code and associated components, a predetermined number of sequences of machine language instructions that terminate in a return instruction are selected. The sequences of machine language instructions include: machine language instruction sequences that are equivalent to a conditional statement “if-then-else return,” sequences of machine language instructions corresponding to known malicious code sequences, and sequences of machine language instructions corresponding to machine language instructions in known toolkits for assembling malicious code sequences.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: May 30, 2017
    Assignee: International Business Machines Corporation
    Inventors: Omer Y. Boehm, Eitan D. Farchi, Oded Margalit, Yousef Shajrawi, Michael Vinov
  • Patent number: 9665389
    Abstract: An apparatus and method for providing virtualization services in a mobile device are provided. The virtualization service providing apparatus includes an installer module configured to receive a hypervisor image and an agent for installing the hypervisor image, from a host server, a virtualization service module configured to store the hypervisor image and the agent and to transmit a request for rebooting the mobile device, in response to determining that the hypervisor image and the agent are authenticated by an authentication server, and a power management module configured to receive the request, and to reboot the mobile device.
    Type: Grant
    Filed: April 21, 2015
    Date of Patent: May 30, 2017
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Bok-Deuk Jeong, Dae-Haeng Cho, Chan-Ju Park, Sung-Min Lee
  • Patent number: 9654358
    Abstract: Approaches for automatically managing user privileges for computer resources based on determined levels of expertise in a networked computing environment (e.g., a cloud computing environment) are provided. In a typical approach, a user profile associated with a prospective user of a set of computer resources in the networked computing environment may be accessed. The user profile may include information pertaining to a skill level of the prospective user with respect to the set of computer resources. Based on the information contained in the user profile, an expertise level of the prospective user with respect to the set of computer resources may be determined, and a corresponding score may be calculated. Based on the score, a level of user privileges for the set of computer resources may be provided.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: May 16, 2017
    Assignee: International Business Machines Corporation
    Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook
  • Patent number: 9652613
    Abstract: An intermediary isolation server receives electronic messages and isolates any viral behavior from harming its intended destination. After the intermediary receives an electronic message, it determines that the electronic message has associated executable code, and then identifies the environment in which the electronic message code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: May 16, 2017
    Assignee: Trustwave Holdings, Inc.
    Inventors: Walter L. Marsden, David E. Green
  • Patent number: 9654496
    Abstract: A device may detect a suspicious activity. The device may automatically obtain a suspect object from a client device that is associated with the suspicious activity and based on detecting the suspicious activity. The suspect object may be an object that is possibly associated with the suspicious activity. The device may determine that the suspect object is malicious. The device may perform an action based on determining that the suspect object is malicious.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: May 16, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Jacob Asher Langton, Daniel J. Quinlan, Kyle Adams, Zhenxin Zhan
  • Patent number: 9648034
    Abstract: Systems and methods for detecting and scoring anomalies. In some embodiments, a method is provided, comprising acts of: determining whether the digital interaction is suspicious; in response to determining that the digital interaction is suspicious, deploying a security probe of a first type to collect first data from the digital interaction; analyzing first data collected from the digital interaction by the security probe of the first type to determine if the digital interaction continues to appear suspicious; and if the first data collected from the digital interaction by the security probe of the first type indicates that the digital interaction continues to appear suspicious, deploying a security probe of a second type to collect second data from the digital interaction.
    Type: Grant
    Filed: September 4, 2016
    Date of Patent: May 9, 2017
    Assignee: NuData Security Inc.
    Inventors: Christopher Everett Bailey, Randy Lukashuk, Gary Wayne Richardson