Vulnerability Assessment Patents (Class 726/25)
  • Patent number: 11736508
    Abstract: A system and method for managing the security health of a network devices interconnected with each other in a service provided in an entity. The security health of the networked device is evaluated by determining a cyber risk score for the entity having a plurality of devices. A first set of data from individual network devices and a second set of data including risk data from an external data source are collected by a data collector. The collected data is normalized into a format which can be further correlated by a correlation engine. The correlating step enables to determine cyber risk scores for the individual network devices. The cyber risk score for the entity may further be determined by aggregating the individual cyber risk scores of the individual network devices. The risk scores are displayed by a web-based user interface which is enabled by an application programming interface.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: August 22, 2023
    Assignee: JOHNSON CONTROLS TYCO IP HOLDINGS LLP
    Inventors: William M. Fitzgerald, Miguel Morillo Iruela, Silviu G. Sosiade, Vincent P. Hamilton, Seán Phillips
  • Patent number: 11736500
    Abstract: A network manager manages a network topology. The network manager includes storage for storing a signature of a network device of the network topology. The network manager also includes a device state manager that obtains a signature of a device that participates in the network topology, the signature indicating that the device is operating in an undesired manner; makes a determination, based on signature, that the device should be in a quarantined state; in response to making the determination: generates a quarantine state update that indicates that the device is in the quarantined state; and sends, by the network manager, the quarantine state update to the device. The quarantine state update does not indicate how the quarantined state is implemented.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: August 22, 2023
    Assignee: ARISTA NETWORKS, INC.
    Inventor: Kenneth James Duda
  • Patent number: 11735297
    Abstract: Various aspects described herein relate to presenting electronic patient data accessing information. Data related to a plurality of access events, by one or more employees, of electronic patient data can be received. A set of access events of the plurality of access events can be determined as constituting, by the one or more employees, possible breach of the electronic patient data. An alert related to the set of access events can be provided based on determining that the set of access events constitute possible breach of the electronic patient data.
    Type: Grant
    Filed: July 28, 2022
    Date of Patent: August 22, 2023
    Assignee: Protenus, Inc.
    Inventors: Nicholas T. Culbertson, Robert K. Lord
  • Patent number: 11736480
    Abstract: An authentication system determines a risk level for a client device impersonating a client device enrolled in authentication services by comparing device metadata for the impersonating client device to device metadata for the enrolled client device. As part of enrolling the enrolled client device, the authentication system associates one or more authentication credentials with the enrolled client device. In order to authenticate access requests associated with a client device identified as the enrolled client device, the authentication system obtains an authentication token from the client device generated using the authentication credentials and also obtains device metadata corresponding to the client device. Based on the device metadata comparison during authentication, the authentication system detects device metadata anomalies and uses detected device metadata anomalies to determine a risk level for the client device.
    Type: Grant
    Filed: July 25, 2022
    Date of Patent: August 22, 2023
    Inventor: Stephen Woodward Lind
  • Patent number: 11734292
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing and accessing data in a cloud system. One of the methods includes receiving an identification of log data that records occurrences of events; receiving a specification of a plurality of different event types to be indexed; indexing the log data according to the specification and group identifiers; receiving a query specifying a reference parameter and requesting one or more predicted events; searching the indexed groups to identify a plurality of groups having events associated with the reference parameter; computing one or more predicted events, from the identified plurality of groups, that are most likely to co-occur in the indexed groups with events associated with the reference parameter; and providing the computed one or more predicted events.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: August 22, 2023
    Assignee: Google LLC
    Inventor: Emanuel Taropa
  • Patent number: 11728979
    Abstract: Techniques described herein relate to a method for performing telemetry services for composed information handling systems. The method includes obtaining, by a system control processor manager, a telemetry request associated with a composed information handling system from a user associated with a group; in response to obtaining the telemetry request: identifying a telemetry intent associated with the telemetry request; aggregating telemetry data based on the telemetry intent to obtain aggregated telemetry data; encrypting the aggregated telemetry data based on telemetry distribution information associated with the group to obtain encrypted aggregated telemetry data; and providing the encrypted aggregated telemetry data to the group.
    Type: Grant
    Filed: January 5, 2022
    Date of Patent: August 15, 2023
    Assignee: Dell Products L.P.
    Inventors: John S. Harwood, Elie Antoun Jreij, Susan Elizabeth Young, Edward Henry, Robert Anthony Lincourt, Jr., Gaurav Chawla, Douglas L. Farley
  • Patent number: 11729196
    Abstract: A method, apparatus and system for determining a weakness or risk for devices of an Internet-of-things (IoT) network include determining a representation of a physical environment of the IoT network and expected physical and cyber interactions between the devices of the IoT network based at least in part on operating characteristics of the devices of the IoT network, monitoring the physical environment and actual interactions between the devices to generate a network model including at least one of uncharacteristic physical or cyber interaction paths between the devices, based on the determined network model, determining at least one weakness or risk of at least one of the IoT network or of at least one of the devices, and providing a metric of security of at least one of the IoT network or of at least one of the devices based on at least one of the determined weakness or risk.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: August 15, 2023
    Assignee: SRI International
    Inventors: Gabriela F. Ciocarlie, Ioannis Agadakos, Chien-Ying Chen, Matteo Campanelli, Prashant Anantharaman, Monowar Hasan, Ulf Lindqvist, Michael Locasto, Bogdan Copos, Tancrède Lepoint, Matthew Filippone
  • Patent number: 11729203
    Abstract: Systems and methods are disclosed that are useful for minimizing organization risk in the case of a cybersecurity attack, through computer-based simulation of cybersecurity attacks, incident response tracking and incident response training provided responsive to the simulation outcome. A server is configured to execute a simulated cybersecurity attack on a plurality of users and their computer systems on a company network associated with a company, tracking responses such as interactions with at least one of the computer systems or network components to the simulated cybersecurity attack and validating whether one or more responses of a predetermined set of responses have occurred to minimize the impact of the simulated security attack on the entity.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: August 15, 2023
    Assignee: KnowBe4, Inc.
    Inventors: Greg Kras, Alin Irimie
  • Patent number: 11727113
    Abstract: Systems and methods for computer security are provided by a processor programmed to: receive an Internet file and produce a cryptographic hash of the Internet file; compare the cryptographic hash to external malware databases and external antiviral databases for a malicious file match to determine the Internet file's status that is based upon a weighted consensus algorithm derived from the external malware databases and the external antiviral databases; check if the Internet file's status determination matches the internal malicious software database Internet file's status and update the internal malicious software database based upon the Internet file's status determination if a threshold for the weighted consensus algorithm is exceeded; and train a machine learning algorithm using the Internet file's status determination to create a labelled data set based upon the Internet file's status determination, and provide a report via the input/output device based upon the Internet file's status determination.
    Type: Grant
    Filed: March 4, 2022
    Date of Patent: August 15, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Briliauskas, Dainius Ražinskas
  • Patent number: 11729208
    Abstract: An impact range estimation apparatus 10 estimates a range of impact due to infection by malware in a network system with a plurality of nodes. The impact range estimation apparatus 10 includes: a reverse propagation probability calculation unit 11 configured to, when a specific node is infected with the malware, based on scenario information that specifies a pattern of attack by the malware and a communications log in the network system before infection by the malware, for each node other than the specific node, calculate a probability that the malware propagates from that other node to the specific node; and a simulation execution unit 12 configured to, using the calculated probability, execute a plurality of times a simulation in which the malware is propagated to the specific node, and for each other node, calculate a number of times that that node becomes a propagation source of the malware.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: August 15, 2023
    Assignee: NEC CORPORATION
    Inventors: Keigo Kimura, Daichi Hasumi
  • Patent number: 11729197
    Abstract: Embodiments include a method for vulnerability management of a computer system. The method includes collecting vulnerability information over a network from a publishing source. The vulnerability information includes a known vulnerability of a first computer asset, where at least some of the vulnerability information is a set of cybersecurity vulnerabilities and exposures (CVEs) published online. Further, at least some of the CVEs is in a human-readable format. The method further includes collecting system information of the computer system subject to the vulnerability management, where the system information includes information about a second computer asset of the computer system. The method further includes processing the collected vulnerability information and the collected system information by interpreting the human-readable CVEs and correlating the interpreted CVEs with the collected system information.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: August 15, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: Pradeep Cruz, Jan Olav Opedal, Srikrishna Srinivasan, Yanbing Su
  • Patent number: 11722394
    Abstract: Novel tools and techniques are provided for implementing firewall functionalities, and, more particularly, to methods, systems, and apparatuses for implementing high availability (“HA”) web application firewall (“WAF”) functionalities. In various embodiments, a first computing system might monitor network communications between a client and a server providing access to software applications, and might determine whether latency has been introduced as a result of at least one first WAF container having been launched and whether any introduced latency exceeds a predetermined threshold, each first WAF container being tuned to a corresponding software application and protecting the software application from network attacks. Based on a determination that latency has been introduced and based on a determination that the introduced latency exceeds the predetermined threshold, one or more second WAF containers may be launched, each being tuned to the corresponding software application.
    Type: Grant
    Filed: September 2, 2022
    Date of Patent: August 8, 2023
    Assignee: CenturyLink Intellectual Property LLC
    Inventor: Ronald A. Lewis
  • Patent number: 11722524
    Abstract: Aspects of the disclosure relate to a dynamic event securitization and neural network analysis system. A dynamic event inspection and securitization computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may securitize event data prior to authorizing execution of the event. A neural network event analysis computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may utilize a plurality of event analysis modules, a neural network, and a decision engine to analyze the risk level values of data sharing events. The dynamic event inspection and securitization computing platform may interface with the neural network event analysis computing platform by generating data securitization flags that may be utilized by the neural network event analysis computing platform to modify event analysis results generated by the event analysis modules.
    Type: Grant
    Filed: April 7, 2021
    Date of Patent: August 8, 2023
    Assignee: Bank of America Corporation
    Inventors: Chie Khiong Chin, Ayush Anand, Harish Tammaji Kulkarni, Simon Peter Lawrie, Nhat Minh Nguyen
  • Patent number: 11720678
    Abstract: System and method for protecting a computing device of a target system against ransomware attacks employs a file system having a data structure used by an operating system of the computing device for managing files. A software or a hardware installed agent in the computing device performs one or more actions autonomously on behalf of the target system. The agent autonomously creates one or more trap files in the data structure of the filing system. A trap file is a file access to which indicates a probability of ransomware attack. The agent monitors access to the one or more trap files. Upon detecting access to a trap file, remedial action is performed by the target system against the probability of ransomware attack.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: August 8, 2023
    Assignee: Cyber Crucible
    Inventors: Dennis Underwood, Kyle Nehman, Noah Greenberg, Mark Weideman
  • Patent number: 11720686
    Abstract: Systems, methods, and computer-readable media for managing cybersecurity risk for an entity are disclosed. An example method includes receiving device connectivity data for the entity; determining vulnerability data based on the device connectivity data; generating a security risk profile of the entity; retrieving an external contact; generating a vulnerability notification; transmitting the vulnerability notification; providing a content portal to a user, wherein the content portal is configured to display the security risk profile via a dynamically generated graphical user interface (GUI); receiving, via the dynamically generated GUI, an input from the user, the input comprising a selection of a component identified in the security risk profile and a response parameter; initiating a targeted scan of the selected component; determining a result of the targeted scan; updating the security risk profile; and providing, via the dynamically generated GUI, the updated security risk profile to the user.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: August 8, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Shane Cross, Daniel Fricano, Thomas Gilheany, Peter Anatole Makohon, Dale Miller, Charles Steven Edison, Kodzo Wegba, James Bonk
  • Patent number: 11722513
    Abstract: A measure of influence of a sender entity is determined for a message receiving entity based at least in part on an analysis of previous electronic messages sent by the sender entity. An electronic message associated with the sender entity is received. The measure of influence of the sender entity is utilized to determine a security risk associated with the received electronic message.
    Type: Grant
    Filed: May 11, 2021
    Date of Patent: August 8, 2023
    Assignee: AGARI DATA, INC.
    Inventors: Bjorn Markus Jakobsson, Siobhán McNamara, Patrick Richard Peterson, Jacob Rudee Rideout
  • Patent number: 11714899
    Abstract: A method, system and product for command injection identification. An input hook function is configured to be executed in response to a potential input provisioning event. The input hook function is configured to perform: analyzing a potential input of the potential input provisioning event to identify whether the potential input comprises a command separator and an executable product; and in response to identifying the command separator and the executable product, recording a suspicious input event indicating the command separator and the executable product. An execution hook function is configured to be executed in response to a potential execution event. The execution hook function is configured to perform: in response to a determination that an execution command of the potential execution event comprises the command separator and the executable product of the suspicious input event, flagging the execution command as a command injection attack.
    Type: Grant
    Filed: June 27, 2022
    Date of Patent: August 1, 2023
    Assignee: JFROG LTD
    Inventors: Asaf Karas, Or Peles, Meir Tsvi, Anton Nayshtut
  • Patent number: 11716349
    Abstract: Techniques and solutions are described for detecting malicious database activity, such as SQL injection attempts. A first machine learning classifier can be trained by comparing processed and unprocessed user input, where a difference between the two can indicate suspicious or malicious activity. The trained classifier can be used to analyze user input before query execution. A second machine learning classifier is trained with a data set that includes call stack information for an application requesting execution of a dynamic query and query statistics associated with processing of the query at the database. The query of the application can be correlated with a corresponding database query by hashing the application query and the database query and comparing the hash values, where matching hash value indicate a common query. The trained classifier can monitor execution of future queries to identify queries having anomalous patterns, which may indicate malicious or suspicious activity.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: August 1, 2023
    Assignee: SAP SE
    Inventor: Udo Klein
  • Patent number: 11711390
    Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.
    Type: Grant
    Filed: April 14, 2022
    Date of Patent: July 25, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Maarten Van Horenbeeck, Christopher Michael Anderson, Katharine Nicole Harrison, Matthew Ryan Jezorek, Jon Arron McClintock, Tushaar Sethi
  • Patent number: 11709867
    Abstract: A document of written content may be obtained. The document may be a candidate for inclusion in a corpus. A first entity associated with the document may be identified. A first discrete entity associated with the first entity may be identified. The relationship associated with the first entity and the first discrete entity may be analyzed. Based on the analyzing, a likelihood that the document contains content that would be detrimental for inclusion in the corpus may be determined.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Jeb R. Linton, Rhonda L. Childress, George E. Stark, Charles Palmer
  • Patent number: 11711341
    Abstract: The invention relates to an industrial system comprising machines, systems for controlling machines connected by a first communication network, and a gateway intended to connect the first communication network to a second communication network. The gateway comprises a memory and comprises a processor configured to copy to the memory first data transmitted over the second communication network and relating to the operation of the machines.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: July 25, 2023
    Assignee: Université Grenoble Alpes
    Inventor: Jean-Marie Flaus
  • Patent number: 11706252
    Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.
    Type: Grant
    Filed: December 23, 2022
    Date of Patent: July 18, 2023
    Assignee: WIZ, INC.
    Inventors: Elad Gabay, Yaniv Shaked, Alon Schindel, Roy Reznik, Ami Luttwak
  • Patent number: 11706242
    Abstract: Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: July 18, 2023
    Assignee: QUALYS, INC.
    Inventors: Wissam Ali-Ahmad, Wolfgang Kandek, Holger Kruse, Vikas Dewan, Khair-ed-dine Mazboudi, Ganesh Jampani, Kenneth K. Okumura
  • Patent number: 11706232
    Abstract: Systems and methods are provided for data security. A server system provides data security using one or more processor devices, one or more communication interfaces, and one or more memory devices including computer-executable instructions.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: July 18, 2023
    Assignee: Nasdaq, Inc.
    Inventor: Stuart Ogawa
  • Patent number: 11706247
    Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: July 18, 2023
    Assignee: Abnormal Security Corporation
    Inventors: Yu Zhou Lee, Lawrence Stockton Moore, Jeshua Alexis Bratman, Lei Xu, Sanjay Jeyakumar
  • Patent number: 11706234
    Abstract: Techniques for user behavior anomaly detection. At least one low-variance characteristic is compared to an expected result for the corresponding low-variance characteristics to determine if the low-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the low-variance characteristic not being within the first pre-selected range of the expected results. At least one high-variance characteristic is compared to an expected result for the corresponding high-variance characteristics to determine if the high-variance characteristic(s) is/are within a pre-selected range of the expected results. A security response action is taken in response to the high-variance characteristic not being within the first pre-selected range of the expected results. Access is provided if the low-variance and the high-variance characteristics are within the respective expected ranges.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: July 18, 2023
    Assignee: Salesforce, Inc.
    Inventors: Matthew Saunders, Ping Yan, John Slater, Wei Deng
  • Patent number: 11704414
    Abstract: A method for managing vulnerability data may include: (1) ingesting, by a data ingestion engine, vulnerability data from a plurality of sources; (2) normalizing, by a data normalizer module, the vulnerability data into a plurality of data records; (3) generating, by a data processing module, a dynamic risk score for each data record; (4) storing, by a risk record register, a risk record for each data record, wherein the risk record may include the dynamic risk score, a priority level, an identifier for a software application, and a software dependency; (5) selecting, by a control policy selection engine, a control policy based on one of the dynamic risk scores; (6) implementing, by the risk record register, the selected control policy; (7) monitoring, by the risk record register, implementation of the control policy; and (8) updating, by the risk record register, the control policy selection engine based on the monitoring.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: July 18, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Samiksha Patel, Jessica Colvin, Patrick M. Ward, Martin J. Grant, Jr., David Everett, Jean-Francois Legault
  • Patent number: 11706248
    Abstract: A computer-implemented method for computing or modeling the risk of a cyber security breach to an asset begins by gathering coverage information from network sensors, endpoint agents, and decoys related to the asset, as well as gathering importance information related to the asset, alerts and anomalies from an enterprise and vulnerability information related to the asset. From this, a threat-score is computed for the asset. Connections or coupling information is gathered between users and assets, users and data, and assets and data, which is fused to generate a 3-dimensional vector representation of coverage, importance, and threat-score of the assets, users and data. From this 3-dimensional vector, an asset risk score is computed to provide the asset risk score.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: July 18, 2023
    Assignee: Fidelis Cybersecurity, Inc.
    Inventors: Anubhav Arora, Abhishek Sharma, Rami Mizrahi, Gerald Mancini, Abdul Rahman
  • Patent number: 11698850
    Abstract: A testing and verification system for an equivalent physical configuration of an in-flight entertainment and communications system with one or more hardware components includes a virtual machine manager. One or more virtual machines each including a hardware abstraction layer is instantiated by the virtual machine manager according to simulated hardware component definitions corresponding to the equivalent physical configuration of the hardware components. The virtual machines are in communication with each other over virtual network connections. A test interface to the one or more virtual machines generate test inputs to target software applications installed on the virtual machines. A display interface is connected to the virtual machines, with results from the execution of the target software applications responsive to the test inputs are output thereto.
    Type: Grant
    Filed: October 13, 2022
    Date of Patent: July 11, 2023
    Assignee: PANASONIC AVIONICS CORPORATION
    Inventors: Philip Watson, Steven Bates, Shankar L Shastry, Samir Lad, Anand Desikan
  • Patent number: 11698962
    Abstract: A method detects intrusions in an audit log including records of user sessions with activity features and a user label of a claimed user of the user session. Probabilities that a user session belongs to a user are predicted. A probability is predicted for each combination of a user and a user session of the audit log based on the activity features of the user sessions. A user group including users with similar activity features is constructed based on the predicted probabilities. An anomaly score for a user session of the audit log and a claimed user of the user session belonging to the user group is determined based on a probability that the user session belongs to the user group. An intrusion is detected if the anomaly score of the user session and the claimed user exceeds a predetermined threshold.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: July 11, 2023
    Assignee: BULL SAS
    Inventor: Mathieu Garchery
  • Patent number: 11700519
    Abstract: An electronic device includes a narrowband internet of things (NB-IoT) circuit; a shared central processor to control the narrowband internet of things circuit; a shared memory to store data or code from the shared central processor; and a communicator controlled by the shared central processor. The communicator stores the data or the code in the shared memory.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: July 11, 2023
    Inventors: Woo Young Choi, Dong Yun Kim, Ivan Galkin, Ji-Hoon Park, Jong-Jin Lee
  • Patent number: 11698977
    Abstract: A method and/or computer software for estimating the probability that a software weakness will be used in an exploit and/or malware and the probability that the developed exploit and/or malware will result in a compromise.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: July 11, 2023
    Assignee: Ivanti, Inc.
    Inventors: Benjamin Anthony Mixon-Baca, Srinivas Mukkamala
  • Patent number: 11695576
    Abstract: Systems and methods for authenticating requests to use an Application Programming Interface (“API”) are described. In some embodiments, a request to use an API is received. Based on a comparison of the request to use the API with a pattern of activity associated with the client, a determination is made whether the client deviates from an expected behavior. Once a determination that the client deviates from the expected behavior is made, an authentication challenge is generated and issued. In some embodiments, the comparison of the request to use the API with a pattern of activity involves comparing transactional attributes of the request to use the API with past client behavior.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: July 4, 2023
    Assignee: EBAY INC.
    Inventors: Kevin Sugihara, Bradley Wardman
  • Patent number: 11693685
    Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: July 4, 2023
    Assignee: Orca Security Ltd.
    Inventor: Avi Shua
  • Patent number: 11693973
    Abstract: A file vulnerability detection method includes: translating a binary file into an intermediate file; analyzing the intermediate file to obtain multiple functions to be tested; establishing function characteristic data of each of the functions to be tested; and comparing correlations between the function characteristic data of each of the functions to be tested and at least one pair of characteristic data with vulnerability of at least one vulnerability function and characteristic data without vulnerability of the at least one vulnerability function in a vulnerability database based on a characteristic model to determine whether each of the functions to be tested corresponding to each function characteristic data has a vulnerability, wherein the characteristic model has information representing multiple back-end binary files generated by multiple back-end platforms, wherein the characteristic data with vulnerability has the vulnerability, and the characteristic data without vulnerability does not have the vuln
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: July 4, 2023
    Assignee: INSTITUTE FOR INFORMATION INDUSTRY
    Inventors: Jian Wei Liao, Chihwei Chen, Chin Wei Tien, Tsung Ta Tsai
  • Patent number: 11695792
    Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: July 4, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Patent number: 11693695
    Abstract: The disclosure provides an approach for controlling application self-replication in a network. Embodiments include determining, by a self-replicating application, one or more parameters related to a networking environment. Embodiments include applying, by the self-replicating application, one or more rules to the one or more parameters related to the networking environment. Embodiments include determining, by the self-replicating application, whether to replicate within the networking environment based on the applying of the one or more rules to the one or more parameters related to the networking environment.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: July 4, 2023
    Assignee: VMWARE, INC.
    Inventors: Sean Huntley, Marc Wayne Brotherson, Akeem Jenkins
  • Patent number: 11695796
    Abstract: Described are implementations that analyze the unencrypted messages of a cryptographic protocol handshake between two devices and/or the receipt or absence of encrypted messages of the handshake to detect security vulnerabilities of one or both of those devices. For example, the unencrypted messages of a TLS handshake between a client device and a server may be analyzed to determine security vulnerabilities of the client device. Because the disclosed implementations utilize the unencrypted messages of a handshake and/or detection of the receipt or absence of encrypted messages of the handshake, involvement in the handshake or decryption of encrypted messages of the handshake is not necessary. The requirement is that the disclosed implementations are able to observe the messages of a handshake that are used to establish a secure communication between the devices.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: July 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Li Chen, Ali Haldun Taner
  • Patent number: 11695673
    Abstract: Various embodiments disclosed herein are related to a non-transitory computer readable storage medium. In some embodiments, the medium includes instructions stored thereon that, when executed by a processor, cause the processor to identify, at an edge network, resource consumption data including a status that indicates whether a service hosted on a cluster of nodes on the edge network is powered on, a type of a resource being consumed by the service, a quantity of the resource being consumed by the service, and a time stamp associated with the resource being consumed by the service and provide, to a remote server in communication with the edge network, the resource consumption data. In some embodiments, the remote server meters resource consumption based on the resource consumption data.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: July 4, 2023
    Assignee: Nutanix, Inc.
    Inventors: Venkata Vamsi Krishna Kothuri, Chaoyi Fu, Sravan Kumar Muthyala, Manoj Badola
  • Patent number: 11689554
    Abstract: Methods and systems for identifying a network vulnerability. The system may gather data regarding a new or previously unknown network device, and compare the gathered data to one or more known devices that are scanned by a vulnerability assessment device. The vulnerability assessment device may then scan the previously unknown device upon a processor determining the previously unknown device shares at least one feature with a known device that is scanned.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: June 27, 2023
    Assignee: Rapid7, Inc.
    Inventors: Justin Pagano, Roy Hodgman
  • Patent number: 11689556
    Abstract: A cyber threat defense system can incorporate data from a Software-as-a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application. The cyber threat defense module can have a SaaS module to collect third-party event data from the third-party operator platform. The cyber threat defense system can have a comparison module to compare third-party event data for a network entity to at least one machine-learning model of a network entity using a normal behavior benchmark to spot behavior deviating from normal benign behavior. The comparison module can identify whether the network entity is in a breach state. The cyber threat defense system can have a cyber threat module to identify whether the breach state and a chain of relevant behavioral parameters correspond to a cyber threat. An autonomous response module can execute an autonomous response in response to the cyber threat.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: June 27, 2023
    Assignee: Darktrace Holdings Limited
    Inventors: Jacob Araiza, Andrew Woodford, David Palmer
  • Patent number: 11687657
    Abstract: A security analysis of software includes analyzing security risks at each level of the hierarchy of the software and aggregating identified risks within the hierarchy levels. Weights applied during aggregation assist in homogenizing risk scores originating from different types of identified security risks and provide for the ability to communicate a meaningful risk score at each level of the hierarchy.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: June 27, 2023
    Assignee: CodeLogic, Inc.
    Inventor: Soumik Sarkar
  • Patent number: 11687658
    Abstract: Systems and methods automating the process of application code vulnerability remediation. Implementations include building a repository of code revisions as software is checked for security vulnerabilities using one or more software analysis tools. In certain implementations, historical code revisions are cataloged and stored in the repository. The revisions may be tokenized and utilized to detect and automatically remediate similar issues when new software packages are submitted to the system.
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: June 27, 2023
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Steven Dang, Chih-Hsiang Chow, Elizabeth Furlan
  • Patent number: 11683350
    Abstract: Methods, systems, and computer readable media for providing and managing security rules and policies are described. In some implementations, a method may include receiving, at a crowdsourcing security policy server, a security policy from a first user account, and providing a crowdsourced security policy user interface including a section corresponding to the security policy configured to make the security policy available for use by other user accounts. The method may also include receiving, from one or more of the other user accounts, a security policy rating corresponding to the security policy, and receiving, from one or more of the other user accounts, a user account rating corresponding to the first user account.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: June 20, 2023
    Assignee: Sophos Limited
    Inventors: Shail Talati, Daniel Stutz, Dirk Bolte
  • Patent number: 11683332
    Abstract: Methods, devices, and systems disclosed herein measure endpoint user security event susceptibility (e.g., a malware infection) and provide information for endpoint/user posture evaluation. A relatively small software application may be installed using, for example, a systems management push system where the software runs on each endpoint system and reports back to a central repository or base system. The software runs on machines that it is pushed to and generates a score for that endpoint. That score is a quantification of endpoint user security risk, i.e., the likelihood that a particular endpoint is likely to be the source of a security event at some point in the future. This information may be used to generate a Relative Score for each endpoint so that the endpoints can be ranked from most secure to least secure and an Absolute Score so that a given distributed system can be compared to other distributed systems.
    Type: Grant
    Filed: August 22, 2020
    Date of Patent: June 20, 2023
    Assignee: Six Engines, LLC
    Inventors: Mark Eric Obrecht, Robert Myers, Taylor Crumpton
  • Patent number: 11683218
    Abstract: An improved core network that includes a network resilience system that can detect network function virtualization (NFV)-implemented nodes that have been compromised and/or that are no longer operational, remove such nodes from the virtual network environment, and restart the removed nodes in a last-known good state is described herein. For example, the network resilience system can use health status messages provided by nodes, intrusion data provided by intrusion detection agents running on nodes, and/or operational data provided by the nodes as applied to machine learning models to identify nodes that may be compromised and/or non-operational. Once identified, the network resilience system can delete these nodes and restart or restore the nodes using the last-known good state.
    Type: Grant
    Filed: March 1, 2022
    Date of Patent: June 20, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Ahmad Arash Obaidi
  • Patent number: 11683401
    Abstract: A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: June 20, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: David K. Ahn, Peter P. Geremia, Pierre Mallett, III, Sean Moore, Robert T. Perry
  • Patent number: 11681810
    Abstract: Systems, devices, computer-implemented methods, and/or computer program products that facilitate software vulnerability analysis using relationship data extracted from disparate package-related sources. In one example, a system can comprise a processor that executes computer executable components stored in memory. The computer executable components can comprise a knowledge induction component and a vulnerability component. The knowledge induction component can populate a package ontology for a range of packages with relationship data extracted from a plurality of disparate package-related sources. The vulnerability component can identify an implicit vulnerability impacting the range of packages using the package ontology and a vulnerability record regarding an explicit vulnerability for a package within the range of packages.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: June 20, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yu Deng, Tara Astigarraga, Jens Rathgeber, John Joseph Bird, Soumitra Sarkar
  • Patent number: 11683333
    Abstract: An example network security and threat assessment system is configured to determine, based on one or more events that have occurred during execution of one or more applications, a potential security vulnerability of a target computing system, where the one or more events correspond to a node represented in the hierarchical risk model. The system is further configured to identify, based on a mapping of the node represented in the hierarchical risk model to a node represented in a hierarchical game tree model, one or more actions that are associated with the potential security vulnerability and that correspond to the node represented in the hierarchical game tree model, and to output, for display in a graphical user interface, a graphical representation of the potential security vulnerability and the one or more actions associated with the potential security vulnerability.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: June 20, 2023
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Christopher Dominessy, Scott Aloisio, Robert A. Joyce
  • Patent number: 11677776
    Abstract: Disclosed herein are methods, systems, and processes to facilitate and perform dynamic best path determination for penetration testing. An action path that includes a kill chain that involves performance of exploit actions for a phase of a penetration test is generated by identifying the exploit actions based on a penetration parameter, a detection parameter, and/or a time parameter associated with the exploit actions. Performance of the identified exploit actions permits successful completion of the phase of the penetration test and designates the action path for inclusion as part of a best path for the penetration test.
    Type: Grant
    Filed: July 6, 2022
    Date of Patent: June 13, 2023
    Assignee: Rapid7, Inc.
    Inventors: Paul Deardorff, Dustin Myers