Vulnerability Assessment Patents (Class 726/25)
  • Patent number: 11886586
    Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors created based upon a q-gram for each sample. Prototypes extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold and then assigning a malware family name to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and using a fixed distance. For the case that no such prototype is close enough, the behavior report of a sample is rejected and tagged as an unknown sample or that of an emerging malware family.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: January 30, 2024
    Assignee: Trend Micro, Inc.
    Inventors: Yin-Ming Chang, Hsing-Yun Chen, Hsin-Wen Kung, Li-Chun Sung, Si-Wei Wang
  • Patent number: 11888875
    Abstract: One embodiment of the described invention is directed to a key management module and a consumption quota monitoring module deployed within a cybersecurity system. The key management module is configured to assign a first key to a subscriber and generate one or more virtual keys, based at least in part on the first key, for distribution to the subscriber. A virtual key is included as part of a submission received from the subscriber to authenticate the subscriber and verify that the subscriber is authorized to perform a task associated with the submission. The consumption quota monitoring module is configured to monitor a number of submissions received from the subscriber.
    Type: Grant
    Filed: December 5, 2022
    Date of Patent: January 30, 2024
    Assignee: Musarubra US LLC
    Inventors: Sai Vashisht, Sumer Deshpande
  • Patent number: 11889416
    Abstract: According to an embodiment, an information processing apparatus comprises a device interface, a network interface, a power supply part, a battery and a control part. A power supply part is configured to supply electric power from an external power supply. A control part is configured to: perform a conversion process on data from a terminal device, and transmit the data to a network; and when the power supply from the power supply part is stopped, transmit, to another information processing apparatus through the network interface, a first message indicating that a pass-through mode in which data is relayed between the terminal device and the network without being subjected to the conversion process is set, and set the pass-through mode.
    Type: Grant
    Filed: March 12, 2021
    Date of Patent: January 30, 2024
    Assignees: KABUSHIKI KAISHA TOSHIBA, Toshiba Infrastructure Systems & Solutions Corporation
    Inventors: Keita Taniguchi, Issei Hatanaka
  • Patent number: 11886389
    Abstract: A device may receive, from a user device, a transaction request associated with a first entity and identify a distributed ledger associated with the first entity, the distributed ledger including a set of blocks recording work data associated with the first entity. The set of blocks may include: a first subset of blocks including data specifying work performed by the first entity, and a second subset of blocks including data verifying a portion of the work performed by the first entity and specified by the data included in the first subset of blocks. The device may determine that a transaction, associated with the transaction request, is associated with the first subset of blocks and the second subset of blocks. Based on predetermined instructions that correspond to the transaction and the distributed ledger, the device may perform the transaction.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: January 30, 2024
    Assignee: Capital One Services, LLC
    Inventors: Walter Miller, Robert Martin, Bradley Smith
  • Patent number: 11886572
    Abstract: Upgrade to a Trusted Application in a Trusted Execution Environment compliant to a Trusted Execution Environment standard to an as-a-server functioning by running, inside the Trusted Execution Environment, each instance of a Multi Instance/Single Session Trusted-Server Trusted Application compliant to the TEE standard in an infinite state-full loop polling a session of a Single Instance/Multi Session Trusted-Pipe Trusted Application, the single session of each of the instance of the Trusted-Server Trusted Application being adapted to perform a task as a server, said Trusted-Pipe Trusted Application being further polled by the Customer Application and opening session depending on command coming from the Customer Application.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: January 30, 2024
    Assignee: THALES DIS FRANCE SAS
    Inventor: Geoffroy Cogniaux
  • Patent number: 11886965
    Abstract: A substantial learning curve is required to construct integration processes in an integration platform. This can make it difficult for novice users to construct effective integration processes, and for expert users to construct integration processes quickly and efficiently. Accordingly, embodiments for building and operating a model to predict next steps, during construction of an integration process via a graphical user interface, are disclosed. The model may comprise a Markov chain, prediction tree, or an artificial neural network (e.g., graph neural network, recurrent neural network, etc.) or other machine-learning model that predicts a next step based on a current sequence of steps. In addition, the graphical user interface may display the suggested next steps according to a priority (e.g., defined by confidence values associated with each step).
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: January 30, 2024
    Assignee: BOOMI, LP
    Inventors: Daniel Schwartz, Shailendra Burman, Anil Enum, Swagata Ashwani
  • Patent number: 11880470
    Abstract: A method, computerized apparatus and computer program product, the method comprising: obtaining user code; obtaining an indication of at least one vulnerability, the vulnerability associated with one or more sets comprising at least a first instruction type and a second instruction type; scanning the code using dependency analysis, to obtain for one set: one or more first instructions of the first instruction type, one or more second instructions of the second instruction type, and further instructions associated with entities relevant to the first instruction and the second instruction; eliminating instructions other than the first instruction, the second instruction and one of the further instructions, thereby obtaining a collection of instructions that behaves differently from the user code; and providing the collection of instructions for vulnerability detection.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: January 23, 2024
    Assignee: WHITESOURCE LTD.
    Inventors: Aharon Abadi, Bar Makovitzki, Ron Shemer
  • Patent number: 11882135
    Abstract: Systems and methods for a machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration and automated response (SOAR) platform are provided. The SOAR platform captures information regarding execution of a sequence of actions performed by analysts responsive to a first incident of a first type. The captured information is fed into a machine-learning model. When a second incident, observed by the SOAR platform, is similar in nature to the first incident or the first type, a recommended sequence of actions is generated based on the machine-learning model for use by an analyst in connection with responding to the second incident. In response to rejection of the recommended sequence by the analyst, revising the recommended sequence based on input provided by the analyst and storing the revised recommendation sequence in a form of a revised playbook for response to subsequent incidents that are similar to the second incident.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: January 23, 2024
    Assignee: Fortinet, Inc.
    Inventors: Abhishek Narula, Christopher Carsey, Amit Jain, Pooja Singh
  • Patent number: 11882144
    Abstract: In an embodiment, a management system obtains a criticality rules table that includes a plurality of rules mapped to corresponding criticality scores indicative of a level of risk in the event that an associated asset of a managed network is compromised by a third party. In one embodiment, the criticality rules table is updated based upon machine learning and/or feedback from an operator of the managed network. In another embodiment, the criticality rules table is used to assign one or more criticality scores to one or more assets based on one or more attributes of one or more assets, and the criticality rules table.
    Type: Grant
    Filed: January 24, 2022
    Date of Patent: January 23, 2024
    Assignee: TENABLE, INC.
    Inventors: Barry Sheridan, Vincent Gilcreest, Anthony Bettini, Matthew Ray Everson, Wei Tai, Renaud Deraison
  • Patent number: 11874934
    Abstract: Systems and methods for providing user-induced variable identification of end-to-end computing system security impact information via a user interface are disclosed. The system receives at a graphical user interface (GUI), a user calibration of a graphical security vulnerability element. The system then determines a set of computing system components that interact with data associated with the network operation based on a transmission of the network operation associated with a computing system. The system then determines a set of security vulnerabilities associated with each computing system component of the set of computing system components using a third-party resource. The system then applies a decision engine on the set of security vulnerabilities to determine a set of impacted computing-aspects associated with the set of computing system components.
    Type: Grant
    Filed: May 31, 2023
    Date of Patent: January 16, 2024
    Inventors: Prithvi Narayana Rao, Pramod Goyal
  • Patent number: 11868481
    Abstract: This invention discloses a method for discovering vulnerabilities of operating system access control based on model checking. In this method, security attribute and security specifications of operating system access control module are analyzed to construct the access control model. To discover vulnerabilities in the model, security analysis is performed for access control functionality with theorem proving techniques, and consistency of abstract machine specification and correctness and completeness of the components are verified with model checking tools. This method provides theoretical and technical support for studies in the field of operating system security.
    Type: Grant
    Filed: July 27, 2021
    Date of Patent: January 9, 2024
    Assignee: ZHEJIANG UNIVERSITY
    Inventors: Rui Chang, Zhuoruo Zhang, Shaoping Pan, Kui Ren
  • Patent number: 11870798
    Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: January 9, 2024
    Assignee: Google LLC
    Inventors: Claudio Criscione, David Aslanian, Sebastian Lekies, Joseph Nelson
  • Patent number: 11868484
    Abstract: Systems and methods for determining and displaying platform-specific end-to-end security vulnerabilities via a graphical user interface (GUI) are disclosed. To provide users with visual indications of vulnerable computing aspects associated with a computing platform, the system identifies computing aspects associated with a platform. The system then obtains from a security entity, security-vulnerability descriptions that are associated with the platform. Using the security-vulnerability descriptions, the system then determines threat levels for each security-vulnerability description and then, using the determined threat levels, determines a computing aspect impact level for each computing aspect associated with the platform. The system then generates for display on a GUI, a graphical layout comprising each computing aspect impact level for each computing aspect associated with the platform.
    Type: Grant
    Filed: July 27, 2023
    Date of Patent: January 9, 2024
    Assignee: CITIBANK, N.A.
    Inventors: Prithvi Narayana Rao, Pramod Goyal
  • Patent number: 11868748
    Abstract: A deployment platform, computer-readable medium, and computer-implemented method for intelligent execution of a solution on a computer network, including receiving an instruction to execute a solution in a local runtime environment on the deployment platform, the solution including solution code written in a solution language, determining, by a helper program on the deployment platform, whether the solution is executable on the deployment platform based on the solution language and either launching, by the helper program, the solution on the deployment platform when the solution is executable on the deployment platform or launching, by the helper program, the solution on a remote platform on the computer network that is configured to execute the solution when the solution is not executable on the deployment platform, the helper program being configured to communicate with the launched solution to enable the launched solution to interface with the local runtime environment on the deployment platform.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: January 9, 2024
    Assignee: Informatica LLC
    Inventor: Hemshankar Sahu
  • Patent number: 11870802
    Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: January 9, 2024
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11870794
    Abstract: An identifying device (10) includes a preprocessing (11) that extracts a communication connection pattern including a set of a communication source identifier and a communication destination identifier from traffic data, a comparing unit (131) that adds an ID to a communication connection pattern group including a new communication connection pattern not included in a whitelist when the new communication connection pattern is present in the communication connection pattern group, a graph feature amount generating unit (14) that generates a graph feature amount of the communication connection pattern group to which the ID has been added and adds this ID to the graph feature amount, an abnormality determining unit (16) that determines whether the generated graph feature amount is normal using a model (161) having learned the graph feature amount, and an identifying unit (132) that retrieves a new communication.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: January 9, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Hiroki Nagayama, Bo Hu, Kazunori Kamiya, Yukio Nagafuchi
  • Patent number: 11870811
    Abstract: Embodiments are directed to systems that attempt to establish trust in relation to operations on a customer endpoint of a computer network. The systems monitor, in real-time, operations to file systems, registries, application processes and threads, and OS kernels at the customer endpoint. The systems maintain compute components affected by the operation in a quarantine state. The systems then attempt to establish trust in the affected compute components (e.g., by applying rule-based policies). The systems remove the affected compute components from the quarantine state, if trust of the one or more affected compute components is established. The systems execute callback routines to mitigate results of the operation, if trust of the affected compute components is not established.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: January 9, 2024
    Assignee: Virsec Systems, Inc.
    Inventors: Satya V. Gupta, Piyush Gupta
  • Patent number: 11870793
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a process running on the electronic device, assign a reputation to the process if the process has a known reputation, determine if the process includes executable code, determine a reputation for the executable code, and combine the reputation for the executable code with the reputation assigned to the process to create a new reputation for the process.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: January 9, 2024
    Assignee: McAfee, LLC
    Inventor: Joel R. Spurlock
  • Patent number: 11861016
    Abstract: Generation of a first prediction model is caused based on first training data, where the first prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack. For each training instance in the first training data, the first prediction model is used to generate a score. Each training instance is added to second training data if the score is greater than a threshold value. The second training data is a subset of the first training data. Generation of a second prediction model is caused based on the second training data, where the second prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: January 2, 2024
    Inventors: Michael Roytman, Jay Jacobs
  • Patent number: 11863563
    Abstract: The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Neha Rungta, Tyler Stuart Bray, Kasper Søe Luckow, Alexander Watson, Jeff Puchalski, John Cook, Michael Gough
  • Patent number: 11861013
    Abstract: Systems and methods are provided for the classification of identified security vulnerabilities in software applications, and their triage based on automated decision-tree triage and/or machine learning. The disclosed system may generate a report listing detected potential vulnerability issues, and automatically determine whether the potential vulnerability issues are exploitable using automated triage policies containing decision trees or by extracting vulnerability features from the report and processing the extracted vulnerability features using machine learning models.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: January 2, 2024
    Assignee: Accenture Global Solutions Limited
    Inventors: Finbarr Tarrant, Gopal Kavanadala Sridhar, Jee Hyub Kim, Navdeep Sharma, Eanna Mulrooney, Anton Plotnikov, Karel Kohout, Mário Lauande Lacroix, Richard Levine, Johnny Obando
  • Patent number: 11861007
    Abstract: Techniques for detecting container threats are described. A method of detecting container threats includes receiving, by a scanning agent on a scanner container on a host in a provider network, event data from a plurality of collection agents corresponding to a plurality of customer containers on the host, determining, by the scanning agent, the event data matches at least one known threat, and generating, by the scanning agent, event findings associated with the event data.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Mircea Ciubotariu, Shlomo Yehezkel, Peter Ferrie
  • Patent number: 11861015
    Abstract: Apparatus, methods, and articles of manufacture are disclosed for implementing risk scoring systems used for vulnerability mitigation in a distributed computing environment. In one disclosed example, a computer-implemented method of mitigating vulnerabilities within a computing environment includes producing a risk score indicating at least one of: a vulnerability component, a security configuration component, or a file integrity component for an object within the computing environment, producing a signal score indicating a factor that contributes to risk for the object, and combining the risk score and the signal score to produce a combined risk score indicating a risk level associated with at least one vulnerability of the computing system object. In some examples, the method further includes mitigating the at least one vulnerability by changing a state of a computing object using the combined risk score.
    Type: Grant
    Filed: March 22, 2021
    Date of Patent: January 2, 2024
    Assignee: TRIPWIRE, INC.
    Inventors: Tyler Reguly, Lamar Bailey, Lane Thames, Craig Young
  • Patent number: 11861008
    Abstract: The use of browser context in detecting malware is disclosed. A client device requests content from a remote server. Data received by the client device from the remote server is transmitted to an external scanner for analysis by the external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. The client device is configured to request the content from the remote server using a browser extension configured to retrieve data and provide the retrieved data to the external scanner without rendering the retrieved data.
    Type: Grant
    Filed: July 21, 2022
    Date of Patent: January 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tongbo Luo, Xin Ouyang, Zhaoyan Xu, Xing Jin
  • Patent number: 11863584
    Abstract: An occurrence of an infection-spreading attack and an attack source thereof are detected with high accuracy. A first feature value is calculated based on traffic information regarding a packet forwarded by a forwarding device, and M partial address spaces to be monitored are specified based on the first feature value. A second feature value is calculated for each address of a terminal in a network, based on traffic information regarding the M partial address spaces, the second feature value is learned to classify terminal addresses into a plurality of clusters, and whether or not each of the clusters is an infection-spreading attack is determined to generate cluster information. Whether or not an infection-spreading attack has occurred and an address of a terminal that is an attack source are specified based on the second feature value and the cluster information.
    Type: Grant
    Filed: August 1, 2019
    Date of Patent: January 2, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukihiro Togari, Hiroaki Maeda, Hisashi Kojima, Takeshi Kuwahara
  • Patent number: 11861412
    Abstract: Techniques described herein are related to managing deployment of a converged infrastructure (CI). Such techniques may include receiving a request to initiate a CI deployment; obtaining a CI information set; creating a CI deployment file using the CI information set; rendering a deployment user interface (UI) screen that allows a user to select to configure network devices or a CI cluster; receiving a first selection to configure a network device; rendering network device configuration screens to obtain network device configuration information; adding the network device configuration information to the CI deployment file; receiving a second selection to configure the CI cluster; rendering CI cluster configuration screens to obtain CI cluster configuration information; adding the CI cluster configuration information to the CI deployment file; and deploying the CI using the CI deployment file.
    Type: Grant
    Filed: December 9, 2020
    Date of Patent: January 2, 2024
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Deborah C. Russell, Donald E. Mace, Mark Alan Herring, Peder Brooks Piggot
  • Patent number: 11861018
    Abstract: A method and system of applying a security vulnerability assessment of a software program. The method comprises directing, from a security assessing server, to a software program under execution, a plurality of attack vectors, diagnosing a set of results associated with the software program under execution as comprising a security vulnerability, the set of results produced based at least in part on the plurality of attack vectors, and assessing a monetary premium of a risk insurance policy merited by an enterprise based at least in part on a level of control ceded to an attacker in accordance with the set of results.
    Type: Grant
    Filed: August 30, 2022
    Date of Patent: January 2, 2024
    Assignee: Ventech Solutions, Inc.
    Inventors: Matthew Canada, Jerry Allen Craig, II, Kathrine Dass, Raja Krishnamurthy, Dipanjan Nag, Eugene Noble, David Anthony Rigsby, Richard Nathan Toney, Stephen J. Veneruso
  • Patent number: 11863573
    Abstract: Techniques are disclosed that relate to systems, methods, and non-transitory computer readable media for improved cybersecurity intelligence using custom trigger events. One system may include a non-transitory memory configured to store at least threat model data; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, over a communications network, the at least one custom trigger event for a threat model which identifies a cybersecurity threat; determining whether the cybersecurity threat triggers the performance of the orchestrated response based on the custom trigger event; and launching, when the cybersecurity threat triggers the performance of the orchestrated response, a first application and a second application of the plurality of applications of the orchestrated response.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: January 2, 2024
    Assignee: ThreatConnect, Inc.
    Inventor: Danny Tineo
  • Patent number: 11860764
    Abstract: A method, an apparatus, and a system are for evaluating code design quality. The method for evaluating code design quality includes: determining, based upon a result from static scanning of code, a probability of the presence of an error-prone pattern in the code; inputting the probability into an artificial neural network, and determining, based upon the artificial neural network, a prediction result for whether the code violates a preset design rule and for a quantized degree to which the design rule is violated; and based upon the prediction result, evaluating the design quality of the code. The present method is able to improve the accuracy of code design quality evaluation. By detecting a presence of an error-prone pattern in the code, whether or not a key design rule has been violated in a design process and a quantized degree to which the key design rule is violated are predicted.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: January 2, 2024
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Fei Peng, Ke Han
  • Patent number: 11853432
    Abstract: Methods and systems for assessing a vulnerability of a network device. The systems and methods described herein combine data regarding locally discovered vulnerabilities and exposed services with data regarding what executables are provided by software installed on the network device.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Jonathan Hart
  • Patent number: 11856017
    Abstract: Approaches provide for securing an electronic environment. A threat analysis service can obtain data for devices, users, and threats from disparate sources and can correlate users to devices and threats to build an understanding of an electronic environment's operational, organizational, and security concerns in order to provide customized security strategies and remediations. Additionally, the threat analysis service can develop a model of an electronic environment's behavior by monitoring and analyzing various data from the data sources. The model can be updated such that the threat analysis service can tailor its orchestration to complement existing operational processes.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Kwan Lin, Vasudha Shivamoggi
  • Patent number: 11856025
    Abstract: Systems and methods are disclosed for simulating a phishing attack involving an email thread. An email thread of a plurality of email threads of an entity for use in a simulated phishing attack is identified. A simulation system generates a converted reply simulated phishing email to an email of the email thread. The converted reply simulated phishing email is generated to be from a user that is one of a recipient or a sender of one or more emails of the email thread and is communicated to a target user's email account, the converted reply simulated phishing email.
    Type: Grant
    Filed: August 15, 2022
    Date of Patent: December 26, 2023
    Assignee: KnowBe4, Inc.
    Inventor: Greg Kras
  • Patent number: 11856029
    Abstract: The present disclosure relates to securing networks against attacks launched via connection of peripheral devices to networked devices.
    Type: Grant
    Filed: June 14, 2021
    Date of Patent: December 26, 2023
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Daniel Bastos, Fadi Ali El-Moussa, Behnam Azvine
  • Patent number: 11853433
    Abstract: Systems and methods for using an application control prioritization index are disclosed.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: December 26, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Angelo Murano, Linda Sue Nelson
  • Patent number: 11846975
    Abstract: Methods and systems for providing a cost effective and robust security solution for shared files stored by file sharing software solutions are described herein. The methods and systems include generating a ledger associated with shared files, which may include scanning data received from applications associated with a number of client devices and from a cloud based scanner. An access manager may control file permissions granted to users based on requests for scan data from each user device requesting access to a shared file. A plurality of different scanning applications may provide data that is collected for each shared file to provide a diverse analysis of a shared file to increase user confidence in a file security status.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: December 19, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Ramanjaneya Reddy Kamalapuram, Praveen Raja Dhanabalan
  • Patent number: 11847046
    Abstract: A network system to provide testing, resiliency, chaos and performance testing in a single tool that operates on cloud-based applications in real time. When applications are deployed on a cloud environment, the applications must be validated based on functional aspects, performance aspects, resiliency aspects, and test-code coverage ratio aspects. The system combines all these validations in a single package. The system provides a rich set of modules for functional validations, which can be combined as nodes to allow applications to be quickly validated for functionality. The extensible model of the same functional modules may also be used for performance testing. The system also provides resiliency and chaos testing mechanisms that push the applications into a constant state of perturbation. The system does so by detecting the application code and modifying the code at runtime to inject perturbation. The system monitors the recovery of the system from the testing.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: December 19, 2023
    Assignee: CITI CANADA TECHNOLOGY SERVICES ULC
    Inventors: Ramkumar Ayyadurai, Vishal Row Mysore, Chitrabhanu Das, Sumit Sood
  • Patent number: 11847412
    Abstract: Enforcing data ownership may include receiving a request to register an application programming interface (API) endpoint. A plurality of elements of the API endpoint and a target API endpoint may be preprocessed. A distance may be computed for each element of the API endpoint relative to at least one of the elements of the target API endpoint. A distance score for the API endpoint may be computed based on the distance scores. A term frequency-inverse document frequency (TF-IDF) value may be computed for a plurality of metadata terms of the API endpoint and the target API endpoint. A similarity score between the TF-IDF values of the metadata terms may be computed. An adjusted score may be computed for the API endpoint based on the distance score and the similarity scores. The API endpoint may be registered based on the adjusted score being below a permissions threshold.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: December 19, 2023
    Assignee: Capital One Services, LLC
    Inventors: Christian Carroll, Madhav Ayyagari, Terrence Mower, Amit Pandey
  • Patent number: 11847216
    Abstract: Provided is an analysis device with which it is possible to find information relating to the intention and purpose of an attacker. The analysis device is provided with a purpose estimating means that estimates the purpose of behavior, based on predetermined behavior in the computer and knowledge information that includes the relation between the behavior and the purpose of executing the behavior.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: December 19, 2023
    Assignee: NEC CORPORATION
    Inventors: Masafumi Watanabe, Yuki Ashino
  • Patent number: 11848966
    Abstract: A system and method for analyzing integrated operational technology and information technology systems with sufficient granularity to predict their behavior with a high degree of accuracy. The system and method involve creating high-fidelity models of the operational technology and information technology systems using one or more cyber-physical graphs, performing parametric analyses of the models to identify key components, scaling the parametric analyses of the models to analyze the key components at a greater level of granularity, and iteratively improving the models by testing them against in-situ data from the real-world systems represented by the high-fidelity models.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 19, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11842150
    Abstract: Systems and methods for delivering cross-site auto-play media are described herein. The server can receive, from a client device, a request for media content at a first domain embedded in a content element from a second domain. The request can include an identifier indicating that the client device is configured to restrict cross-domain redirection. The server can determine, responsive to identifying the identifier indicating that the client device is configured to restrict cross-domain redirection, that the request comprises a content type header having a first predetermined value. The server can generate, responsive to the determination, a response comprising the media content element in a body of the response. The server can transmit the response to the client device. Receipt of the response can cause the client device to extract the media content element from the body of the response and to render the media content element.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: December 12, 2023
    Assignee: GOOGLE LLC
    Inventors: Murtaza Halai, Lloyd Thompson, Brian Mulford, Armen Mkrtchyan
  • Patent number: 11843630
    Abstract: Techniques can be implemented to provide for antivirus scanning in clustered storage where not all nodes of the cluster are connected to an antivirus server. A first computing node of computing nodes of a computing cluster can determine a status of an antivirus server. The first computing node can send a first indication of the status of the antivirus server to a group management protocol service of the computing cluster. The group management protocol service can send a second indication of whether the first computing node is available for antivirus scanning to a job engine of the computing cluster. The job engine can distribute an antivirus job among the computing nodes based on whether the first computing node is available for the antivirus scanning.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: December 12, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Terry Stokes, Teng Hong, Antony Richards
  • Patent number: 11843616
    Abstract: Disclosed is a cyber threat intelligence platform configured to: a) designate a virtual machine as an attacker machine; b) designate a virtual machine as a victim machine; c) receive cyberattack data representative of a cyberattack executed by the attacker machine against the victim machine; e) receive defense action data representative of a defense action executed by the victim machine against the cyberattack; f) mark a first point in time when the cyberattack is executed, and mark a second point in time when the defense action is initiated; g) compare the first point in time with the second point in time to ascertain an attack-defense time lapse as a performance measure for computer system threat management of cyberattacks or defense actions, and h) view or analyze cyberattack and defense actions for effectiveness, including perspectives derived from the relative timing of the actions as indicated on the time lapse.
    Type: Grant
    Filed: March 23, 2022
    Date of Patent: December 12, 2023
    Assignee: Threatology, Inc.
    Inventors: Frederick Frey, Timothy Nary
  • Patent number: 11843625
    Abstract: Examples described herein provide for a system that evaluates a security level of a network system. Additionally, examples described herein evaluate a security level of a network system in order to enable a determination of components that can be used to enhance the security level of the network system.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: December 12, 2023
    Assignee: SECURITY INCLUSION NOW USA LLC
    Inventor: Jacques Remi Francoeur
  • Patent number: 11843632
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Grant
    Filed: January 12, 2023
    Date of Patent: December 12, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Patent number: 11836137
    Abstract: An event query host can include an event processor configured to process an event stream indicating events that occurred on a computing device. The event processor can add representations of events to an event graph. If an event added to the event graph is a trigger event associated with a query, the event processor can also add an instance of the query to a query queue. The query queue can be sorted based on scheduled execution times of query instances. At a scheduled execution time of a query instance in the query queue, a query manager of the event query host can execute the query instance and attempt to find a corresponding pattern of one or more events in the event graph.
    Type: Grant
    Filed: May 19, 2021
    Date of Patent: December 5, 2023
    Assignee: CrowdStrike, Inc.
    Inventors: Brent Ryan Nash, James Robert Plush, Timothy Jason Berger, Hyacinth D. Diehl
  • Patent number: 11836265
    Abstract: A system, method, and computer-readable medium are disclosed for performing a type-dependent event deduplication operation. The type-dependent event deduplication operation comprising: receiving a stream of events, the stream of events comprising a plurality of events, each event of the plurality of events having an associated event type; determining an event type of the plurality of events; parsing the plurality of events based upon the associated event type, the parsing providing a plurality of parsed events; and, performing a type-dependent event deduplication operation on the plurality of parsed events, the type-dependent event deduplication operation deduplicating events based upon the event type.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: December 5, 2023
    Assignee: Forcepoint LLC
    Inventors: Christopher Poirel, William Renner
  • Patent number: 11829484
    Abstract: A control flow graph representing a plurality of controls is constructed, wherein each control comprises a measure taken to counter threats to an IT infrastructure. For each path through the control flow graph, a metric quantifying an efficacy of the controls along the path in countering the threats is calculated. A threat strength distribution for threats to the IT infrastructure is constructed. A visualization of an efficacy of a combination of the plurality of controls is generated, based on the metrics, the control flow graph, and the threat strength distribution. A weakness in the plurality of controls is identified, based on the visualization. The plurality of controls is modified based on the identifying.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: November 28, 2023
    Assignee: Monaco Risk Analytics Inc
    Inventors: James S. Lipkis, William R. Frank
  • Patent number: 11831418
    Abstract: Mechanisms for defending a computing system from attack are provided. The mechanisms include: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.
    Type: Grant
    Filed: March 18, 2022
    Date of Patent: November 28, 2023
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Yuan Jochen Kang, Salvatore Stolfo
  • Patent number: 11824884
    Abstract: Systems, computer program products, and methods are described herein for generating responsive actions based on unauthorized access events associated with imitation networks. The present invention is configured to retrieve information associated with unauthorized access attempts associated with an imitation dataset; generate penetration test scenarios based on at least the types of unauthorized access attempts; initiate the penetration test scenarios on real datasets stored in data repositories within a network environment; determine automated network security responses to the penetration test scenarios; determine the unauthorized access attempts that were not successfully blocked and/or reported; determine actions to be executed in response to the unauthorized access attempts that were not successfully blocked and/or reported; and update the network security features with the actions.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: November 21, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Nia Mack
  • Patent number: 11822670
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: November 21, 2023
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Hadas Elkabir