Abstract: Systems, methods, and devices for tracking and managing data shared with third parties are disclosed. In one embodiment, a method including: retrieving data collection and usage policies of an entity; processing the data collection and usage policies with a natural language processing (NLP) model; generating, by the NLP model, predictive data collection and data usage attributes; generating a feature vector from the predictive data collection and data usage attributes; processing the feature vector with a graph neural network; storing data structured as a graph including the entity and the predictive data collection and data usage attributes; and processing the data structured as a graph with a classifier model that labels the entity as a first node in the data structured as a graph and predicts an edge to a second node in the data structured as a graph based on the predictive data collection and data usage attributes.

Abstract: Systems and methods mitigate aggregate exposure of identifying information using machine learning. A privacy monitoring system identifies entities and corresponding entity types by applying a set of domain-specific neural networks, each trained to recognize a particular entity type, to media data extracted from two or more content items associated with a user. The privacy monitoring system computes a privacy score indicating a cumulative privacy risk for potential exposure of identifying information associated with the user from the two or more content items by identifying connections between the identified entities. The connections between the entities are weighted according to the entity types and contribute to the privacy score. A reporting subsystem outputs an indication of a recommended action for mitigating the cumulative privacy risk.

Abstract: This disclosure describes embodiments of an improvement to the static group solution because all the administrator needs to do is specify the criteria they care about. Unlike static groups, where the administrator needs to keep track of the status of individual users and move them between static groups as their status changes, smart groups allows for automatic identification of the relevant users at the moment that action needs to be taken. This feature automates user management for the purposes of enrollment in either phishing and training campaigns. Because the smart group membership is determined as the group is about to be used for something, the smart group membership is always accurate and never outdated. The query that determines the smart group membership gets run at the time when you are about to do a campaign or perform some other action that needs to know the membership of the smart group.

Abstract: In an embodiment, a non-transitory medium stores code representing instructions to be executed by one or more processors. The instructions comprise code to cause the one or more processors to receive, at a compute device associated with a user, a message that is a simulated phishing test. The instructions further comprise code to cause the one or more processors cause, without human intervention and automatically in response to receiving the message, a link included in the simulated phishing test to be selected while not indicating that the user has failed the simulated phishing test. The instructions further comprise code to cause the one or more processors determine, after the link has been clicked, that an action indicating that the user has failed the simulated phishing test has been performed.

Abstract: A system includes buyer portal logic enabling a buyer to specify security requirements for attestation by a supplier. The system includes attestation program logic enabling the supplier to define a continuous attestation program for the security requirements through a supplier interface provided by supplier portal logic. The continuation attestation program includes an annual attestation program and a sub-annual attestation program. The system receives compliance attestation responses from the supplier for the security requirements and correlates the compliance attestation responses to the continuous attestation program for the supplier. The system enables the supplier to specify an access privilege for the buyer with regard to the supplier's sub-annual continuous attestation program data and/or annual attestation program data.

Abstract: Novel tools and techniques are provided for implementing firewall functionalities, and, more particularly, to methods, systems, and apparatuses for implementing high availability (“HA”) web application firewall (“WAF”) functionalities. In various embodiments, a first computing system might monitor network communications between a client and a server providing access to software applications, and might determine whether latency has been introduced as a result of at least one first WAF container having been launched and whether any introduced latency exceeds a predetermined threshold, each first WAF container being tuned to a corresponding software application and protecting the software application from network attacks. Based on a determination that latency has been introduced and based on a determination that the introduced latency exceeds the predetermined threshold, one or more second WAF containers may be launched, each being tuned to the corresponding software application.

Abstract: A method, system, and computer program product for identifying a malicious user obtain a plurality of service requests for a service provided by a processing system, each service request of the plurality of service requests being associated with a requesting user and a requesting system, and a plurality of service responses associated with the plurality of service requests, each service response of the plurality of service responses being associated with the processing system; and identify the requesting user as malicious based on the plurality of service requests and the plurality of service responses.

Abstract: Aspects of the disclosure relate to detecting impersonation in email body content using machine learning. Based on email data received from user accounts, a computing platform may generate user identification models that are each specific to one of the user accounts. The computing platform may intercept a message from a first user account to a second user account and may apply a user identification model, specific to the first user account, to the message, so as to calculate feature vectors for the message. The computing platform then may apply impersonation algorithms to the feature vectors and may determine that the message is impersonated. Based on results of the impersonation algorithms, the computing platform may modify delivery of the message.

Abstract: A method, a computer program product and an apparatus for online detection of command injection attacks in a computerized system. The method comprises determining that an input of a potential input provisioning event received from a network includes a command separator and an executable product and recording a suspicious record event. The method further comprises determining that an execution command configured to be executed a potential execution event correlates to the suspicious record event and in response to said determining flagging the execution command as a command injection attack. The method further comprises performing a remedial action with respect to the flagged command injection attack prior to attempting to execute the execution command.

Abstract: A computer-implemented method of identifying and mitigating information security risks may be provided. The method may involve an operator receiving control implementation inputs and historical and cyber risk intelligence control effectiveness data and combining the historical and cyber risk intelligence control effectiveness data and the operator control implementation input to determine a control effectiveness measurement for each of a plurality of risk scenarios. The determined control effectiveness measurement results may be aggregated for each of a plurality of controls for the plurality of risk scenario, a control effectiveness simulation model may be generated, and a control effectiveness simulation model summary may be outputted.

Abstract: The present disclosure provides a method, system, and device for securely updating a software release across a network. To illustrate, a server may compile a transaction log that includes information corresponding to one or more nodes in the network to which the software release has been transmitted. The server may analyze one or more files based on vulnerability information to identify at least one file of the one or more files that poses a risk. The server may also identify at least one node of the network at which the at least one file is deployed. Based on identifying the at least one node, the server may transmit a corrective action with respect to the at least one node.

Abstract: A system that detects malicious traffic flows in a network includes a computer system including a processor in communication with at least one memory device. The processor is programmed to store a plurality of context information about the network including a plurality of devices. The processor is also programmed to determine a network configuration of the network at a specific point in time. The processor is further programmed to generate one or more security policies for one or more devices of the plurality of devices in the network based on the network configuration and the plurality of context information. In addition, the processor is programmed to deploy the one or more security policies to the one or more devices in the network, wherein the one or more devices are configured to execute an algorithm to monitor communications on the network in view of a corresponding security policy of the one or more security policies.

Abstract: Data associated with performances of microservices functioning in a distributed computing environment is clustered by executing an unsupervised machine learning algorithm. A representative data is selected from a cluster, selecting performed for a plurality of the clusters. Based on time series data of the representative data associated with the plurality of the clusters, causal extraction is performed. Based on the causal extraction and the plurality of the clusters, a causal graph is constructed. The causal graph is embedded into vector space. Based on the embedded vector space, an artificial neural network model can be trained for managing the distributed computing environment.

Abstract: Computer software that assesses risks for security threat events by that performing the following operations: (i) receiving information pertaining to a managed asset; (ii) identifying, based, at least in part, on the received information: a threat to the managed asset and, one or more corresponding security controls for mitigating the threat, the security controls having associated control criteria; (iii) utilizing a risk assessment engine to calculate a risk value for the threat based, at least in part, on the received information; (iv) calculating a certainty factor for the threat based, at least in part, on a measure of belief associated with the control criteria; and (v) performing a computer-based remediation action based, at least in part, on the risk value and the certainty factor.

Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may support the correlation of identities determined authoritative source systems with uncorrelated accounts within an enterprise using artificial intelligence techniques.

Abstract: The methods and systems disclosed herein generally relate to automated execution and evaluation of computer network training exercises, such as in a virtual environment. A server executes a first attack action by a virtual attack machine against a virtual target machine based on a cyber-attack scenario, wherein the virtual target machine is configured to be controlled by the user computer. The server receives a user response to the first attack action, determines, using a decision tree, a first proposed attack action based on the user response, and executes an artificial intelligence model to determine a second proposed attack action based on the user response. The server selects a subsequent attack action from the first proposed attack action and the second proposed attack action and executes the subsequent attack action by the virtual attack machine against the virtual target machine.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: A computer-implemented method, system and computer program product for protecting against application programming interface (API) attacks. A connection is established between an API user and an API provider. The established connection is then monitored to assess connection security and trustworthiness of the connection as well as trustworthiness of the API user and/or API provider. A score is then generated for each factor used in assessing the connection security and trustworthiness of the connection as well as the trustworthiness of the API user and/or API provider based on the monitoring. A level of risk for an API attack with respect to the API user and/or API provider is then generated based on such scores. An action (e.g., blocking traffic) is then performed with respect to the API user and/or API provider based on the level of risk for an API attack with respect to the API user and/or API provider, respectively.

Abstract: Disclosed embodiments relate to systems and methods for dynamically performing entity-specific security assessments for entities of virtualized network environments. Techniques include identifying an entity associated with a virtualized network environment, identifying a plurality of security factors, determining entity-specific weights to the plurality of security factors, and generating a composite exposure assessment for the entity.

Abstract: In general, the invention relates to a method involving allowing access to a financial application by a third-party extension based on a single license to use the financial application, where the third-party extension was developed by a third-party developer using one or more tools in a software development kit (SDK) for the financial application and where the financial application stores first transaction data obtained for a first user of the financial application, monitoring operations performed on the financial application by the third-party extension to detect operations that migrate transaction data to a competitive application, using distributed computing software adjust a risk index that is associated with the third-party extension, determining that the risk index exceeds a pre-defined threshold, and controlling future access to the financial application by the third-party extension.

Abstract: A method of building a risk management model, the method including: sampling a plurality of organization networks; assessing identified security features; ranking the identified security features based on security risk; transforming ranked features into categorized factors; building logistic model to blend the categorized factors into a likelihood of breach; and transforming the logistics model from a multiplicative model to an additive model by scaling the logistics model.

Abstract: Provisioning of Internet Protocol (IP) configuration data or other configuration related data for devices or services connected to a passive optical network (PON) is contemplated. The provisioning may be facilitated with an optical line terminal (OLT) providing the desired configuration data over the PON to an optical network unit (ONU) connected to the device or service desired for provisioning, such as to enable the ONU to provision the device or service without exchanging Dynamic Host Configuration Protocol (DHCP) messaging with a DHCP server.

Abstract: A method for a system security evaluation includes establishing, by a security evaluation device, a connection to a system associated with an entity. The method further includes obtaining an inventory of system elements of the system. The method further includes identifying one or more desired system elements from the inventory of system elements to perform the system security evaluation. The method further includes identifying one or more security elements from the one or more desired system elements. The method further includes communicating with each security element of one or more security elements to produce system security data. The method further includes analyzing the system security data in light of minimum viable data metrics established by one of more of: one or more external data sources and the entity to produce one or more system security scores indicative of security proficiency of the one or more desired system elements.

Abstract: Methods, systems, and computer-readable media for automated threat modeling using application relationships are disclosed. A graph is determined that includes nodes and edges. At least a portion of the nodes represent software components, and at least a portion of the edges represent relationships between software components. An event is received, and a sub-graph associated with the event is determined. The event is indicative of a change to one or more of the nodes or edges in the graph. Threat modeling is performed on the sub-graph using one or more analyzers. The one or more analyzers determine whether the sub-graph is in compliance with one or more policies.

Abstract: The systems and methods described herein generally relate to techniques for automated detection, aggregation, and integration of cybersecurity threats. The system ingests multiple data feeds which can be in one or numerous different formats. The system evaluates information based on defined scores to display to users threats and risks associated with them. The system also calculates decay rates for expiration of threats and indicators through various methods.

Abstract: A set of data elements is received. For each feature of a set of features, a corresponding reference distribution for the set of data elements is determined. For each feature of the set of features, one or more corresponding subset distributions for one or more subsets sampled from the set of data elements are determined. For each feature of the set of features, the corresponding reference distribution is compared with each of the one or more corresponding subset distributions to determine a corresponding distribution of divergences. At least the determined distributions of divergences for the set of features are provided for use in automated data analysis.

Abstract: Systems, methods, and storage media for determining the probability of cyber risk-related loss within one or more computing systems composed of computing elements are disclosed. Exemplary implementations may: assess vulnerability by determining an exposure window for a computing element based on the number of discrete times within a given time frame where the computing element is in a vulnerable state; determine a frequency of contact of the computing element with threat actors; normalize the exposure window and the frequency of contact; calculate a threat event frequency by dividing the normalized exposure window by the normalized frequency of contact; and repeat the steps for multiple elements. When combined with liability data that describes the loss magnitude implications of these events ,organizations can prioritize the elements based on loss exposure and take action to prevent loss exposure.

Abstract: A server comprises a communications module, a processor coupled to the communications module, and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data, generate a risk profile for a user based at least on the on-device application data, configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user, and share the data based on the data sharing configuration option.

Abstract: A method of assessing a risk level of an enterprise using cloud-based services from one or more cloud service providers includes assessing provider risk scores associated with the one or more cloud service providers; assessing cloud service usage behavior and pattern of the enterprise; and generating a risk score for the enterprise based on the provider risk scores and on the cloud service usage behavior and pattern of the enterprise. The risk score is indicative of the risk of the enterprise relating to the use of the cloud-based services from the one or more cloud service providers.

Abstract: The present disclosure generally relates to systems, methods, and computer-readable media for identifying instances of vulnerabilities on a computing network and generating a graph representing pathways that an attacking entity may take with respect to accessing one or more sensitive assets. For example, one or more systems disclosed herein collect network information and vulnerability information to generate a graph including nodes and edges representing at least a portion of the computing network associated with different vulnerabilities. The systems described herein may use graph theory to generate or otherwise identify pathways that an attacker is likely to use in accessing the sensitive asset(s). The systems additionally may further evaluate the pathways and associated likelihoods/risks to intelligently select one or more action items associated with a reduction of risk to the networking system.

Abstract: A web content page is provided, wherein the web content page is configured to dynamically provide a new web component streamed from a server after the web content page has been initially loaded by a client. An indication associated with a desired web component is received. The desired web component among a plurality of web components developed on a platform-as-a-service environment separately from the web content page is obtained. The desired web component is streamed to the web content page.

Abstract: In some examples, a controller dynamically configures a property associated with monitoring performed by an agent. The controller stores, in a repository, metadata relating to the agent. The controller receives, from the agent, first sensor data that excludes the metadata, and uses indexing information in the first sensor data to retrieve the metadata from the repository.

Abstract: A system and method for investigating trust scores. A trust score is calculated based on peer transfers, a graphical user interface displays actuatable elements associated with a first peer transfer from the peer transfers, in response to receiving an indication the first actuatable element has been actuated, recalculating the trust score without the first peer transfer.

Abstract: A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective “security contexts” per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: A communication is received from a telephone number of a sender. The communication is directed to a recipient. A trust level associated with the telephone number is determined to be other than a high trust level. Based on the trust level being other than the high trust level, a number of challenges to transmit to the sender is determined based on the trust level. Determining whether to route the communication to the recipient is based on whether respective successful responses to the challenges are received from the sender.

Abstract: An improved core network that includes a network resilience system that can detect network function virtualization (NFV)-implemented nodes that have been compromised and/or that are no longer operational, remove such nodes from the virtual network environment, and restart the removed nodes in a last-known good state is described herein. For example, the network resilience system can use health status messages provided by nodes, intrusion data provided by intrusion detection agents running on nodes, and/or operational data provided by the nodes as applied to machine learning models to identify nodes that may be compromised and/or non-operational. Once identified, the network resilience system can delete these nodes and restart or restore the nodes using the last-known good state.

Abstract: Providing an automatic mechanism of invalidating false-positive indications of certain identified portions of source code to reduce the number of errors in a security report. Certain embodiments of the present invention utilize static security scanning as a mechanism for automatically determining which portions of the identified source code contain potential vulnerabilities, and whether these identified portions of the source code are correctly or incorrectly identified with a false-positive indication.

Abstract: A method adapts network intrusion detection. The method includes: a) deploying a network traffic capture system and collecting network packet traces; b) using a network audit tool, extracting features from the collected network packet traces; c) feeding the extracted features as unlabeled data into a representation function, and, utilizing the representation function as an unsupervised feature learning algorithm, learning a new representation of the unlabeled data; d) providing a labeled training set capturing examples of malicious network traffic, and, using the learned new representation of the unlabeled data, modifying the labeled training set to obtain a new training set; and e) using the new training set, training a traffic classification machine learning model.

Abstract: A cybersecurity assessment system is provided for monitoring, assessing, and addressing the cybersecurity status of a hierarchy of target networks. The cybersecurity assessment system may scan individual target networks and produce data regarding the current state and properties of devices on the target networks. The cybersecurity assessment system may generate user interfaces to present cybersecurity information regarding individual target networks, and composite cybersecurity information regarding a hierarchy of target networks or some subset thereof. The cybersecurity assessment system can generate access configurations that specify which cybersecurity information of the hierarchy can be accessed by individual target networks of the hierarchy.

Abstract: A computer-implemented method according to one aspect includes determining and storing characteristics of a plurality of cloud vendors; dividing a workload into a plurality of logical stages; determining characteristics of each of the plurality of logical stages; and for each of the plurality of logical stages, assigning the logical stage to one of the plurality of cloud vendors, based on a comparison of the characteristics of the plurality of cloud vendors to the characteristics of the logical stage. Data migration between the cloud vendors is performed during an implementation of the workload to ensure data is located at necessary cloud vendors during the corresponding tasks of the workload.

Abstract: An adaptive risk management application retrieves data corresponding to an asset. The asset is a computing device or software application of an enterprise system. The adaptive risk management application identifies a set of vulnerabilities of the asset. The adaptive risk management application determines, for each identified vulnerability, a likelihood of a threat actor successfully exploiting the vulnerability. The adaptive risk management application determines, based on the likelihoods, a risk score for the asset. The adaptive risk management application sends the risk score for display.

Abstract: Disclosed is a new location threat monitoring solution that leverages deep learning (DL) to process data from data sources on the Internet, including social media and the dark web. Data containing textual information relating to a brand is fed to a DL model having a DL neural network trained to recognize or infer whether a piece of natural language input data from a data source references an address or location of interest to the brand, regardless of whether the piece of natural language input data actually contains the address or location. A DL module can determine, based on an outcome from the neural network, whether the data is to be classified for potential location threats. If so, the data is provided to location threat classifiers for identifying a location threat with respect to the address or location referenced in the data from the data source.

Abstract: A detection device and a detection method for a malicious HTTP request are provided. The detection method includes: receiving a HTTP request and capturing a parameter from the HTTP request; filtering the HTTP request in response to the parameter not matching a whitelist; encoding each character of the HTTP request to generate an encoded string in response to the HTTP request not being filtered; generating an estimated HTTP request according to the encoded string by using an autoencoder; and determining that the HTTP request is a malicious HTTP request in response to a similarity between the HTTP request and the estimated HTTP request being less than a similarity threshold, and outputting a determined result.

Abstract: Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Abstract: Methods for securing an electronic communication is provided. Methods may include, in a registration process, creating and/or selecting an anti-phish, personalized, security token for a predetermined account. Methods may include, in the registration process, storing the token in a database. Methods may include, in an in-use process, generating an electronic communication at a channel. The database may be interposed along the channel. Methods may include, in the in-use process, forwarding the communication to a recipient. The recipient may be associated with the account. Methods may include, in the in-use process, intercepting the communication at the database. Methods may include, in the in-use process, selecting, from the database, the anti-phish, personalized, security token that is associated with the account. Methods may include, in the in-use process, injecting the selected token into the communication.

Abstract: A combination identification unit (27) identifies combinations of one or more components which constitute a target system and in each of which an intrusion detection system that detects unauthorized access can be installed. A combination reduction unit (28) extracts, from the combinations identified by the combination identification unit, a combination that satisfies an installation condition accepted by an installation condition input unit (22) and can detect unauthorized communications indicated by attack information accepted by an attack information input unit (24) at a rate higher than or equal to a threshold.

Abstract: One example method includes collecting container information concerning a container, analyzing the container information to identify a security tool needed to perform a vulnerability scan of the container, accessing the security tool from a knowledge lake, running the security tool on the container information to identify a security vulnerability of the container, based on the running of the security tool, generating an alert indicating that the container has the security vulnerability, capturing the security vulnerability and, based on the captured security vulnerability, updating a container image that was used to spawn the container.

Abstract: There is provided a computer system of runtime identification of a dynamic loading of a software module, the software module being associated with a first application framework, the system comprising a processing circuitry configured to: a) detect, in a first interposition function, an invocation of a first function, the first function being associated with loading of software-modules within a first application framework; b) identify a software-module being loaded, the identifying utilizing, at least, at least one of: i) parameter data supplied in the invocation of the first function, ii) a context of an operating system process invoking the first function, and ii) data that was stored responsive to detecting, by a respective interposition function, one or more prior invocations of respective functions associated with loading of software-modules within the first application framework; and c) add the identified software-module to a list of software-modules.

Abstract: Systems and methods are provided for implementing an adaptive machine learning platform for security penetration and risk assessment. For example, the system can receive publicly-available information associated with a client computer system, process the information to identify an input feature, and implement a machine learning model to identify the corresponding risk associated with the input feature. The system can recommend a penetration test for discovered weaknesses associated with the input feature and help make changes to the client computer system to improve security and reduce risk overall.