Abstract: A computer-implemented method, system and computer program product for protecting against application programming interface (API) attacks. A connection is established between an API user and an API provider. The established connection is then monitored to assess connection security and trustworthiness of the connection as well as trustworthiness of the API user and/or API provider. A score is then generated for each factor used in assessing the connection security and trustworthiness of the connection as well as the trustworthiness of the API user and/or API provider based on the monitoring. A level of risk for an API attack with respect to the API user and/or API provider is then generated based on such scores. An action (e.g., blocking traffic) is then performed with respect to the API user and/or API provider based on the level of risk for an API attack with respect to the API user and/or API provider, respectively.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: Disclosed embodiments relate to systems and methods for dynamically performing entity-specific security assessments for entities of virtualized network environments. Techniques include identifying an entity associated with a virtualized network environment, identifying a plurality of security factors, determining entity-specific weights to the plurality of security factors, and generating a composite exposure assessment for the entity.

Abstract: Provisioning of Internet Protocol (IP) configuration data or other configuration related data for devices or services connected to a passive optical network (PON) is contemplated. The provisioning may be facilitated with an optical line terminal (OLT) providing the desired configuration data over the PON to an optical network unit (ONU) connected to the device or service desired for provisioning, such as to enable the ONU to provision the device or service without exchanging Dynamic Host Configuration Protocol (DHCP) messaging with a DHCP server.

Abstract: A method for a system security evaluation includes establishing, by a security evaluation device, a connection to a system associated with an entity. The method further includes obtaining an inventory of system elements of the system. The method further includes identifying one or more desired system elements from the inventory of system elements to perform the system security evaluation. The method further includes identifying one or more security elements from the one or more desired system elements. The method further includes communicating with each security element of one or more security elements to produce system security data. The method further includes analyzing the system security data in light of minimum viable data metrics established by one of more of: one or more external data sources and the entity to produce one or more system security scores indicative of security proficiency of the one or more desired system elements.

Abstract: A server comprises a communications module, a processor coupled to the communications module, and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data, generate a risk profile for a user based at least on the on-device application data, configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user, and share the data based on the data sharing configuration option.

Abstract: Methods, systems, and computer-readable media for automated threat modeling using application relationships are disclosed. A graph is determined that includes nodes and edges. At least a portion of the nodes represent software components, and at least a portion of the edges represent relationships between software components. An event is received, and a sub-graph associated with the event is determined. The event is indicative of a change to one or more of the nodes or edges in the graph. Threat modeling is performed on the sub-graph using one or more analyzers. The one or more analyzers determine whether the sub-graph is in compliance with one or more policies.

Abstract: The systems and methods described herein generally relate to techniques for automated detection, aggregation, and integration of cybersecurity threats. The system ingests multiple data feeds which can be in one or numerous different formats. The system evaluates information based on defined scores to display to users threats and risks associated with them. The system also calculates decay rates for expiration of threats and indicators through various methods.

Abstract: Systems, methods, and storage media for determining the probability of cyber risk-related loss within one or more computing systems composed of computing elements are disclosed. Exemplary implementations may: assess vulnerability by determining an exposure window for a computing element based on the number of discrete times within a given time frame where the computing element is in a vulnerable state; determine a frequency of contact of the computing element with threat actors; normalize the exposure window and the frequency of contact; calculate a threat event frequency by dividing the normalized exposure window by the normalized frequency of contact; and repeat the steps for multiple elements. When combined with liability data that describes the loss magnitude implications of these events ,organizations can prioritize the elements based on loss exposure and take action to prevent loss exposure.

Abstract: A set of data elements is received. For each feature of a set of features, a corresponding reference distribution for the set of data elements is determined. For each feature of the set of features, one or more corresponding subset distributions for one or more subsets sampled from the set of data elements are determined. For each feature of the set of features, the corresponding reference distribution is compared with each of the one or more corresponding subset distributions to determine a corresponding distribution of divergences. At least the determined distributions of divergences for the set of features are provided for use in automated data analysis.

Abstract: A web content page is provided, wherein the web content page is configured to dynamically provide a new web component streamed from a server after the web content page has been initially loaded by a client. An indication associated with a desired web component is received. The desired web component among a plurality of web components developed on a platform-as-a-service environment separately from the web content page is obtained. The desired web component is streamed to the web content page.

Abstract: The present disclosure generally relates to systems, methods, and computer-readable media for identifying instances of vulnerabilities on a computing network and generating a graph representing pathways that an attacking entity may take with respect to accessing one or more sensitive assets. For example, one or more systems disclosed herein collect network information and vulnerability information to generate a graph including nodes and edges representing at least a portion of the computing network associated with different vulnerabilities. The systems described herein may use graph theory to generate or otherwise identify pathways that an attacker is likely to use in accessing the sensitive asset(s). The systems additionally may further evaluate the pathways and associated likelihoods/risks to intelligently select one or more action items associated with a reduction of risk to the networking system.

Abstract: A method of assessing a risk level of an enterprise using cloud-based services from one or more cloud service providers includes assessing provider risk scores associated with the one or more cloud service providers; assessing cloud service usage behavior and pattern of the enterprise; and generating a risk score for the enterprise based on the provider risk scores and on the cloud service usage behavior and pattern of the enterprise. The risk score is indicative of the risk of the enterprise relating to the use of the cloud-based services from the one or more cloud service providers.

Abstract: A system and method for investigating trust scores. A trust score is calculated based on peer transfers, a graphical user interface displays actuatable elements associated with a first peer transfer from the peer transfers, in response to receiving an indication the first actuatable element has been actuated, recalculating the trust score without the first peer transfer.

Abstract: A flexible security system has been created that allows for fluid security operations that adapt to the dynamic nature of user behavior while also allowing the security related operations themselves to be dynamic. This flexible system includes ongoing collection and/or updating of multi-perspective “security contexts” per actor and facilitating consumption of these multi-perspective security contexts for security related operations on the users. These security related operations can include policy-based security enforcement and inspection. A security platform component or security entity uses a multi-perspective security context for a user or actor. Aggregating and maintaining behavioral information into a data structure for an actor over time from different sources allows a security platform component or entity to have historical context for an actor from one or more security perspectives.

Abstract: A system and method detect a malware infection path in a compute environment. The method includes detecting a malware object on a first workload in a computing environment including a plurality of workloads, wherein the first workload is represented by a resource node on a security graph, the security graph including an endpoint node representing a resource which is accessible to a public network; generating a potential infection path between the resource node and the endpoint node including at least a second resource node connected to the resource node; inspecting a second workload of the plurality of workloads represented by the second resource node; determining that the potential infection path is a confirmed infection path, in response to detecting the malware on the second workload; and determining that the potential infection path is not an infection path, in response to detecting that the second workload does not include the malware.

Abstract: In some examples, a controller dynamically configures a property associated with monitoring performed by an agent. The controller stores, in a repository, metadata relating to the agent. The controller receives, from the agent, first sensor data that excludes the metadata, and uses indexing information in the first sensor data to retrieve the metadata from the repository.

Abstract: An improved core network that includes a network resilience system that can detect network function virtualization (NFV)-implemented nodes that have been compromised and/or that are no longer operational, remove such nodes from the virtual network environment, and restart the removed nodes in a last-known good state is described herein. For example, the network resilience system can use health status messages provided by nodes, intrusion data provided by intrusion detection agents running on nodes, and/or operational data provided by the nodes as applied to machine learning models to identify nodes that may be compromised and/or non-operational. Once identified, the network resilience system can delete these nodes and restart or restore the nodes using the last-known good state.

Abstract: A method adapts network intrusion detection. The method includes: a) deploying a network traffic capture system and collecting network packet traces; b) using a network audit tool, extracting features from the collected network packet traces; c) feeding the extracted features as unlabeled data into a representation function, and, utilizing the representation function as an unsupervised feature learning algorithm, learning a new representation of the unlabeled data; d) providing a labeled training set capturing examples of malicious network traffic, and, using the learned new representation of the unlabeled data, modifying the labeled training set to obtain a new training set; and e) using the new training set, training a traffic classification machine learning model.

Abstract: A cybersecurity assessment system is provided for monitoring, assessing, and addressing the cybersecurity status of a hierarchy of target networks. The cybersecurity assessment system may scan individual target networks and produce data regarding the current state and properties of devices on the target networks. The cybersecurity assessment system may generate user interfaces to present cybersecurity information regarding individual target networks, and composite cybersecurity information regarding a hierarchy of target networks or some subset thereof. The cybersecurity assessment system can generate access configurations that specify which cybersecurity information of the hierarchy can be accessed by individual target networks of the hierarchy.

Abstract: A communication is received from a telephone number of a sender. The communication is directed to a recipient. A trust level associated with the telephone number is determined to be other than a high trust level. Based on the trust level being other than the high trust level, a number of challenges to transmit to the sender is determined based on the trust level. Determining whether to route the communication to the recipient is based on whether respective successful responses to the challenges are received from the sender.

Abstract: Providing an automatic mechanism of invalidating false-positive indications of certain identified portions of source code to reduce the number of errors in a security report. Certain embodiments of the present invention utilize static security scanning as a mechanism for automatically determining which portions of the identified source code contain potential vulnerabilities, and whether these identified portions of the source code are correctly or incorrectly identified with a false-positive indication.

Abstract: An adaptive risk management application retrieves data corresponding to an asset. The asset is a computing device or software application of an enterprise system. The adaptive risk management application identifies a set of vulnerabilities of the asset. The adaptive risk management application determines, for each identified vulnerability, a likelihood of a threat actor successfully exploiting the vulnerability. The adaptive risk management application determines, based on the likelihoods, a risk score for the asset. The adaptive risk management application sends the risk score for display.

Abstract: A detection device and a detection method for a malicious HTTP request are provided. The detection method includes: receiving a HTTP request and capturing a parameter from the HTTP request; filtering the HTTP request in response to the parameter not matching a whitelist; encoding each character of the HTTP request to generate an encoded string in response to the HTTP request not being filtered; generating an estimated HTTP request according to the encoded string by using an autoencoder; and determining that the HTTP request is a malicious HTTP request in response to a similarity between the HTTP request and the estimated HTTP request being less than a similarity threshold, and outputting a determined result.

Abstract: Disclosed is a new location threat monitoring solution that leverages deep learning (DL) to process data from data sources on the Internet, including social media and the dark web. Data containing textual information relating to a brand is fed to a DL model having a DL neural network trained to recognize or infer whether a piece of natural language input data from a data source references an address or location of interest to the brand, regardless of whether the piece of natural language input data actually contains the address or location. A DL module can determine, based on an outcome from the neural network, whether the data is to be classified for potential location threats. If so, the data is provided to location threat classifiers for identifying a location threat with respect to the address or location referenced in the data from the data source.

Abstract: A computer-implemented method according to one aspect includes determining and storing characteristics of a plurality of cloud vendors; dividing a workload into a plurality of logical stages; determining characteristics of each of the plurality of logical stages; and for each of the plurality of logical stages, assigning the logical stage to one of the plurality of cloud vendors, based on a comparison of the characteristics of the plurality of cloud vendors to the characteristics of the logical stage. Data migration between the cloud vendors is performed during an implementation of the workload to ensure data is located at necessary cloud vendors during the corresponding tasks of the workload.

Abstract: Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Abstract: Methods for securing an electronic communication is provided. Methods may include, in a registration process, creating and/or selecting an anti-phish, personalized, security token for a predetermined account. Methods may include, in the registration process, storing the token in a database. Methods may include, in an in-use process, generating an electronic communication at a channel. The database may be interposed along the channel. Methods may include, in the in-use process, forwarding the communication to a recipient. The recipient may be associated with the account. Methods may include, in the in-use process, intercepting the communication at the database. Methods may include, in the in-use process, selecting, from the database, the anti-phish, personalized, security token that is associated with the account. Methods may include, in the in-use process, injecting the selected token into the communication.

Abstract: One example method includes collecting container information concerning a container, analyzing the container information to identify a security tool needed to perform a vulnerability scan of the container, accessing the security tool from a knowledge lake, running the security tool on the container information to identify a security vulnerability of the container, based on the running of the security tool, generating an alert indicating that the container has the security vulnerability, capturing the security vulnerability and, based on the captured security vulnerability, updating a container image that was used to spawn the container.

Abstract: A combination identification unit (27) identifies combinations of one or more components which constitute a target system and in each of which an intrusion detection system that detects unauthorized access can be installed. A combination reduction unit (28) extracts, from the combinations identified by the combination identification unit, a combination that satisfies an installation condition accepted by an installation condition input unit (22) and can detect unauthorized communications indicated by attack information accepted by an attack information input unit (24) at a rate higher than or equal to a threshold.

Abstract: There is provided a computer system of runtime identification of a dynamic loading of a software module, the software module being associated with a first application framework, the system comprising a processing circuitry configured to: a) detect, in a first interposition function, an invocation of a first function, the first function being associated with loading of software-modules within a first application framework; b) identify a software-module being loaded, the identifying utilizing, at least, at least one of: i) parameter data supplied in the invocation of the first function, ii) a context of an operating system process invoking the first function, and ii) data that was stored responsive to detecting, by a respective interposition function, one or more prior invocations of respective functions associated with loading of software-modules within the first application framework; and c) add the identified software-module to a list of software-modules.

Abstract: In some examples, an electronic device includes a processor to allow installation of an untrusted executable code to a virtual machine, monitor the installation and execution of the untrusted executable code, and, responsive to a determination that an executed amount of the untrusted executable code is less than a threshold amount, prompt a user to continue the execution of the untrusted executable code.

Abstract: Interactive interfaces and data structures representing physical and/or visual information are provided using smart pins (also called “pins” herein). Pins representing vectors of information may be provided. For instance, in the context of cybersecurity, each pin may represent an attack vector that an adversary can use to attack a system. Each pin may have a depth meter and may move up or down according to its value in an operating range. Each pin may also have a color, a number, or both, representing its current value in the operating range. Such pins may provide both a three-dimensional representation of data that is intuitive to users.

Abstract: Systems and methods are provided for implementing an adaptive machine learning platform for security penetration and risk assessment. For example, the system can receive publicly-available information associated with a client computer system, process the information to identify an input feature, and implement a machine learning model to identify the corresponding risk associated with the input feature. The system can recommend a penetration test for discovered weaknesses associated with the input feature and help make changes to the client computer system to improve security and reduce risk overall.

Abstract: A system, method, and computer-readable medium are disclosed for performing a human factors risk operation. The human factors risk operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a human factors framework; and, performing a human factors risk operation in response to the analyzing the security related activity.

Abstract: A system and method for predicting and acting on computer network vulnerabilities before they are actually breached or tampered with by malicious external actors. A monitoring computing device assesses the different components within a network and based on a ranking of the devices, a perceived threat analysis and weaknesses within the network, can take appropriate remediation actions for one or more of the devices within the network. Depending on the ranking of a particular computing device within the network and the determined risk, a remediation can include delaying the implementation of a fix for a weakness because the computing device cannot be taken offline at that particular time.

Abstract: Systems and methods are disclosed to implement a network data interpretation pipeline to recognize machine operations (MOs) and machine activities (MAs) from network traffic data observed in a monitored network. In embodiments, a MO recognition engine is implemented in the network to recognize MOs from network sensor events (NSEs) based on defined recognition patterns. The MOs and any unrecognized NSEs are uploaded to a network monitoring system, where they are further analyzed by a MA recognition engine to recognize higher-level machine activities performed by machines. The NSEs, MOs, and MAs are used by the network monitoring system to implement a variety of security threat detection processes. Advantageously, the pipeline may be used to add rich contextual information about the raw network data to facilitate security threat detection processes.

Abstract: Program products, methods, and systems for simulating and/or preventing the dissemination of sensitive information over the internet are disclosed. Preventing dissemination of user-specific sensitive information over the internet may include analyzing content included in media posts, calculating a danger score for the media post, and determining if the calculated danger score exceeds a danger score threshold. Where the calculated danger score does not exceed the threshold, the media post has no or a low risk of disseminating sensitive information over the internet. However, if the calculated danger score does exceed the threshold, the user is alerted that the media post may undesirably disseminate sensitive information. The danger score may represent a sensitive information exposure risk for the media post is based on a variety of factors and/or characteristics of the media post and/or the user creating and attempting to disseminate the media post.

Abstract: A risk knowledge graph is created from information on risk events involving network entities of a private computer network. Each of the risk events is represented as a node in the risk knowledge graph. The nodes are connected by edges that represent the risk events. The nodes are grouped into communities of related nodes. A response action is performed against a community to mitigate a cybersecurity risk posed by the community.

Abstract: Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.

Abstract: The present disclosure provides a stability criterion for time-delay of cyber-physical power systems under distributed control, which relates to a field of cyber-physical power systems technologies.

Abstract: A multitenant infrastructure server (MTIS) is configured to provide an environment to execute a computer routine of an arbitrary application. The MTIS receives a request from a webtask server to execute the computer routine in a webtask container. The computer routine is executed in the webtask container at the MTIS. Upon successful execution of the computer routine, a result set is returned to the webtask server. If the execution of the computer routine is unsuccessful, an error notification is returned to the webtask server. The resources consumed during the execution of the computer routine are determined. The webtask container is destroyed to prevent persistent storage of the computer routine on the MTIS.

Abstract: Systems and methods for automatically managing and utilizing the uniform labeling of data packages are disclosed. Specification information can describe many aspects of a data package, and can be analyzed to automatically identify various product attributes and service attributes usable to define the data package. Each of the individual product attributes and service attributes can be encoded into an alphanumeric code, which can be concatenated together to form a single uniform package identifier (UPID) usable to describe the associated data product. Systems and methods can automatically generate UPIDs, automatically find data packages based on search UPIDs, automatically process invoices based on UPIDs, and otherwise leverage the UPIDs to automate the collection, creation, selling, purchasing, trading, redistribution, and/or using of data packages.

Abstract: A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules associated corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluating the transmitted health status.

Abstract: Methods, systems, and computer-readable storage media for receiving, by an operation guard system executed within a cloud platform, session information representative of a session of a user within the cloud platform, the session information including user information and operation information, determining, by the operation guard system, that the user is signed into a technical group for execution of an operation represented in the operation information, and in response, providing, by the operation guard system, a risk score associated with the operation, and determining, by the operation guard system and at least partially based on the risk score, that the operation is a risk-oriented operation based on the risk score, and in response, preventing execution of the operation and transmitting an alert.

Abstract: Systems and methods for network security testing of target computer networks using AI neural networks. A command and control server controls a number of geographically separated processors running a number of neural networks. A central data hive is accessible to all the processors. The processors are organizable into logical hemisphere groupings for specific tasks and/or projects. For security testing, hemisphere groupings are created for the project. Based on data for the target system on the data hive, attacks are formulated by a hemisphere grouping and these potential attacks are tested against known characteristics of the target network. Validated potential attacks and, in some cases, random attacks, are executed and data generated by the executed attacks are stored in the data hive for use in formulating and executing other further attacks. Potential attacks may involve mining social media networks for data on users of the target system.

Abstract: Methods, systems, and apparatuses for risk analysis of web pages using a machine learning model are described herein. A computing device may receive a risk detection machine learning model trained to receive input corresponding to a web page and output an indication of risk associated with the web page. The computing device may execute a web browser application and collect user activity data by monitoring user activity associated with the web browser application. The computing device may access, via the web browser application, a first web page, and collect page data associated with the first web page. The computing device may calculate a risk level of the first web page. The risk level may be calculated by processing, using the risk detection machine learning model, both the user activity data and the page data. A security recommendation may be output based on the risk level.

Abstract: A scenario generation device (100) generates an attack scenario (32). An attack means storage unit (130) has stored therein attack means data (131) including a precondition and an attack effect of attack means. An edit screen display unit (110) arranges attack means to be included in the attack scenario (32) on a scenario edit screen (200). By using the attack means data (131), an attack scenario generation unit (20) extracts, from the attack means storage unit (130), another attack means whose attack effect is a precondition of attack means arranged on the scenario edit screen (200). The attack scenario generation unit (20) generates the attack scenario (32) by complementing the attack means arranged on the scenario edit screen (200) with the other attack means.

Abstract: Systems and methods for side-channel monitoring a local network are disclosed. The methods involve generating a program trace signal from at least one of power consumption, electromagnetic emission, or acoustic emanation of a control processor connected to the local network and operating a monitoring processor to detect a communication of a message on the local network; identify at least one purported control processor related to the communication; analyze the program trace signal of the at least one purported control processor relative to the communication; and at least one of an authenticate or verify one or more purported control processors of the at least one purported control processor based on the program trace signal of the at least one purported control processor.

Abstract: A blockchain-enhanced open Internet of Things (IoT) access architecture includes an access point, a number of IoT devices, a hash access mechanism, a blockchain mining network, and a blockchain enabling mechanism that manages network access of the IoT device. The blockchain-enhanced open IoT access architecture provided in the present invention provides a secure, reliable, fair, and short-packet access service for a plurality of devices in an IoT network by using features of a blockchain such as distributed storage, tamper-proofing, and traceability, thereby promoting the trust and cooperation between the devices and ensuring the security and efficiency of the network in the large-scale untrustworthy IoT network. The blockchain-enhanced open IoT access architecture in the present invention can provide secure and reliable IoT access with low latency and a high value in practice.